Zapier is not HIPAA compliant. Zapier does not sign a Business Associate Agreement (BAA) on any plan, including Enterprise, and explicitly advises customers not to transmit Protected Health Information (PHI) through its platform. This applies as of June 2026. Any workflow routing PHI through Zapier creates regulatory exposure under HIPAA.
For related reading, see Zapier vs Power Automate: Full Enterprise Comparison with Workato and UiPath.
Is Zapier HIPAA Compliant?
No. Zapier is not HIPAA compliant. Under HIPAA, any vendor that creates, receives, maintains, or transmits PHI must operate under an executed Business Associate Agreement. Zapier does not offer a BAA and has confirmed in its official Data Privacy documentation that PHI should not be transmitted through the platform. This position has not changed on any pricing tier, including Enterprise.
A community forum post from May 2025 confirms that Zapier had still not introduced BAA support following user requests raised 2 years prior. Zapier directed affected users to submit formal requests through its support system.
Why Does Zapier Not Sign a BAA?
Zapier has not issued a public explanation, but the structural reason is clear. Zapier connects over 9,000 third-party applications. Becoming HIPAA compliant would require Zapier to remove apps that do not meet HIPAA rules and sign BAAs with every vendor capable of touching PHI. This would fundamentally reduce the platform's breadth and flexibility.
What Counts as PHI in a Zapier Workflow?
PHI is any individually identifiable health information. It is not limited to medical records. In a Zapier context, 5 data types constitute PHI when linked to a named individual:
- Patient names paired with appointment details, diagnoses, or treatment data
- Email addresses or phone numbers attached to healthcare scheduling workflows
- Insurance member IDs or billing codes
- Prescription details or lab results passed through trigger payloads
- Any demographic data combined with health status information
Even seemingly minor workflows can capture identifiers in trigger payloads, Zap run history, retry logs, error emails, or support interactions. If PHI touches Zapier at any of these points, the covered entity assumes full regulatory exposure.
What Security Certifications Does Zapier Hold?
Zapier holds 6 independently verified security certifications:
| Certification | Scope | Audit Frequency |
|---|---|---|
| SOC 2 Type II | Security, availability, confidentiality controls | Annual |
| SOC 3 | Public-facing summary of SOC 2 findings | Annual |
| ISO 27001 | Information security management (infrastructure providers) | Ongoing |
| GDPR | European data privacy compliance | Ongoing |
| CCPA | California consumer privacy compliance | Ongoing |
| PCI DSS | Payment card data handling | Ongoing |
Zapier's SOC 2 Type II audit is conducted annually by an AICPA-accredited third-party auditor. Updated reports are published in the Zapier Trust Center after each audit cycle. Security documents not publicly facing require signing an NDA through the Trust Center's self-service process before download.
Zapier is also listed as FedRAMP compliant and CSA STAR Level 1 certified by Nudge Security's independent SaaS profile database.
What Encryption Does Zapier Use?
Zapier uses AES-256 encryption at rest and TLS encryption in transit. The platform applies tokenization for credential storage and enforces strict access controls with full audit logging. Infrastructure is hosted on Amazon Web Services (AWS) in the United States with multi-region redundancy, real-time threat detection, and automated fault tolerance.
What Was the Zapier Security Incident in 2025?
On February 27, 2025 at 09:38 UTC, Zapier detected that an unauthorized user had accessed certain internal code repositories. The cause was a 2FA misconfiguration on a single employee's account. Zapier disclosed the incident by email to affected customers on March 1, 2025.
The following 4 facts were confirmed in Zapier's official notification, signed by Head of Security Zeeshan Khadim:
- The breach affected internal code repositories only, not production systems, databases, authentication systems, or payment infrastructure.
- Some customer data had been inadvertently copied to the repositories for debugging purposes, in violation of Zapier's own internal guidelines.
- Zapier immediately secured the repositories and invalidated the unauthorized user's access upon detection.
- Affected customers were provided a secure link to review exactly what data had been exposed in their specific case.
The incident did not affect Zap or app authentication tokens. No core customer workflows, credentials, or payment data were compromised. Zapier pledged to audit internal processes and prevent recurrence.
What Should Zapier Users Do Following the 2025 Breach?
Zapier's official recommended actions following the incident were:
- Rotate any valid plain-text authentication tokens used in webhook step configurations or code steps.
- Enable two-factor authentication on the Zapier account if not already active.
- Review the security settings of the account, particularly authentication methods.
- Use the secure link provided by Zapier to review any personally exposed data.
Users who did not receive an email notification from Zapier regarding the February 2025 incident were not affected.
Is Zapier Safe for Non-Healthcare Businesses?
Zapier is safe for non-sensitive business workflows outside regulated data categories. The platform's SOC 2 Type II certification, AES-256 encryption, annual penetration testing, and enterprise governance controls make it suitable for the majority of business automation use cases.
The February 2025 incident, while significant, was contained, disclosed promptly, and involved no breach of production systems. It stemmed from a process failure (customer data being used in debugging repositories) rather than a structural weakness in Zapier's core security architecture.
Is Zapier Legit?
Zapier is a legitimate business founded in 2011 and projected to generate approximately $400 million in annual revenue in 2025. It is used by companies including Shopify, Meta, Slack, and Dropbox. It holds SOC 2 Type II, SOC 3, ISO 27001, GDPR, and CCPA certifications and is subject to annual independent security audits. There is no credible basis for characterising Zapier as fraudulent or unreliable as a platform.
What Are Zapier's SSO and Authentication Methods?
Zapier supports SAML-based Single Sign-On (SSO) for identity federation, along with SCIM provisioning and domain capture for centralised user lifecycle management. SSO is available on higher-tier and Enterprise plans.
Zapier's full authentication method support includes:
| Method | Available On |
|---|---|
| Username and password | All plans |
| Login with Google (OAuth) | All plans |
| Login with Microsoft (OAuth) | All plans |
| Two-factor authentication via SMS | All plans |
| Two-factor authentication via email | All plans |
| Two-factor authentication via TOTP app | All plans |
| Two-factor authentication via hardware key (U2F) | All plans |
| SAML-based SSO (Okta, Azure AD, others) | Team and Enterprise |
| SCIM provisioning | Enterprise |
| Domain capture | Enterprise |
| IP allow-listing | Enterprise |
Okta integration supports SAML and SWA modes, plus create, update, deactivate, sync password, and event hooks. Azure AD is supported through both OAuth and SAML-based SSO flows.
Which Zapier Plans Include SSO?
SSO is available on Team and Enterprise plans. It is not available on the Free or Professional plans. Enterprise plans additionally include SCIM provisioning, domain capture, and IP allow-listing for full identity governance. Organisations requiring SSO as a procurement condition need at minimum the Team plan at $103.50 per month (annual billing).
Is the Zapier Free Plan Safe to Use?
The free plan is safe for non-sensitive, non-regulated workflows. Zapier's core security infrastructure, including AES-256 encryption, TLS, and access controls, applies across all plans. The free plan is not limited in security protections relative to paid plans.
However, 4 categories of data should not be processed through Zapier on any plan:
- Protected Health Information (PHI) under HIPAA
- Payment Card data beyond what Zapier itself processes under PCI DSS scope
- Personally identifiable financial data subject to GLBA (Gramm-Leach-Bliley Act) in fintech contexts
- EU personal data where the data controller's legal basis requires processing only by GDPR Article 28-compliant processors with explicit DPA terms
Enterprise customers are automatically opted out of data training for AI features. Customers on other plans, including Free, can opt out by completing the opt-out form available on Zapier's privacy settings page.
What Are HIPAA-Compliant Alternatives to Zapier?
There are 4 automation platforms that sign BAAs and support HIPAA-compliant workflows:
| Platform | BAA Available | Best For |
|---|---|---|
| Microsoft Power Automate | Yes (via Microsoft's standard BAA) | Microsoft 365 and Azure environments, hybrid on-premises |
| Workato | Yes | Enterprise IT teams managing SAP, Oracle, Workday integrations |
| Blaze.tech | Yes | No-code healthcare app and workflow building, EHR-adjacent tools |
| Make (formerly Integromat) | Yes (on eligible plans) | Mid-market teams needing Zapier-like simplicity with BAA coverage |
How Do Workato and Power Automate Handle HIPAA?
Workato signs BAAs and supports the access controls regulated industries require. It is designed for IT teams managing complex, governed integrations. Workato helps teams design workflows that protect health data from initial architecture through execution.
Power Automate is HIPAA eligible through Microsoft's standard BAA, which covers all Microsoft Online Services. For healthcare organisations already using Microsoft 365 or Azure, Power Automate provides HIPAA-compliant automation without a separate vendor relationship. Microsoft's BAA covers Teams, SharePoint, Dynamics 365, and other Microsoft services in the same agreement, simplifying compliance administration.
Can Healthcare Organisations Use Zapier for Any Workflows?
Healthcare organisations can use Zapier for workflows that do not involve PHI. A covered entity can use Zapier to automate internal operations such as marketing campaign triggers, staff scheduling in non-patient systems, social media publishing, or financial reporting tools, provided none of these workflows route identifiable patient data.
Zapier can also be used when data has been de-identified to HIPAA's Safe Harbor standard, which requires the removal of 18 specific identifiers including names, geographic data below state level, dates other than year, phone numbers, and email addresses. Expert Determination de-identification, conducted by a qualified statistician, is the second accepted method under HIPAA Safe Harbor.
When PHI is not in the workflow, the automation platform is a utility rather than a business associate. The covered entity bears responsibility for ensuring no PHI enters Zapier-connected workflows, not Zapier itself.
Olaitan Oladipo holds a BSc in Sociology from Olabisi Onabanjo University. He is a self-taught automation builder who has spent years inside n8n doing the work that most tutorials skip: debugging OAuth errors at 2am, migrating client automations from Make.com mid-project, fighting reverse proxy misconfigurations on AWS EC2, and figuring out through trial and error what actually holds up in production versus what only looks clean in a demo.
He is not a developer by training and not a SaaS founder. He is the person in the Discord server who actually answers the question instead of linking to the docs.
His writing on n8n Automation Tutorial covers self-hosting, AI agent workflows, tool comparisons, and the security vulnerabilities the automation industry would rather not discuss. He has built AI-assisted invoice approval flows using OpenAI function calling, connected Claude via HTTP Request nodes, and holds considered opinions about Zapier, Make.com, LangChain, and CrewAI that their marketing teams would not appreciate.
He writes for people who are technical enough to follow a tutorial but experienced enough to want the honest version.
