Is Zapier GDPR Compliant? DPA, EU Data Residency & Guide

Can German companies use Zapier under GDPR?

Zapier can be used GDPR-compliantly in Germany with a signed DPA, a per-workflow data category assessment, verification of what EU data residency actually covers on your plan, and a DPIA or works council review where required. Low-risk automations are manageable; workflows handling sensitive data need stricter review.

  • Assess each workflow individually — triggers, actions, connected apps, data categories, and logs all matter.
  • Sign the Zapier DPA and verify SCCs, subprocessors, and whether data still moves to the United States.
  • High-risk workflows with employee monitoring, health data, or customer profiling require DPIA and possibly works council review.

Zapier can be used in a GDPR-compliant way, but only under conditions. Zapier processes data in the United States but offers a Data Processing Addendum (DPA, the processor contract required under GDPR Article 28) and EU data residency on its higher paid plans. For German companies, a signed DPA is mandatory before any automation workflow handling personal data goes live. Whether a specific deployment is fully GDPR-compliant depends on a per-workflow assessment of data categories, the international transfer basis (Standard Contractual Clauses (SCCs) and/or Data Privacy Framework certification), and any DPIA or works council review required. For a broader survey of automation and workflow tools reviewed for the German market, see the AI tools guide.

Is Zapier GDPR Compliant? Direct Answer

Direct answer

Zapier can be used GDPR-compliantly in Germany. The conditions are:

  • Sign the Zapier DPA and verify it covers your actual workflows.
  • Confirm the transfer basis (SCCs) and assess residual risk for your data categories.
  • Run workflow-level risk classification — not a one-time platform check.
  • For employee-related, health, or high-volume customer data, evaluate DPIA and works council obligations before rollout.

This page provides general legal information, not legal advice for a specific deployment. For related guidance, see AI customer service compliance, Zendesk, HubSpot, Make.com, and Notion AI.

GDPR Requirements for Zapier in Germany

The question is not whether Zapier as a platform is GDPR-compliant in the abstract. The question is whether your specific Zapier deployment is compliant. Under the GDPR, that requires:

  • a clear legal basis under Article 6 GDPR (and Article 9 for special categories)
  • a processor contract under Article 28 GDPR — the signed DPA
  • a valid international transfer mechanism under Chapter V GDPR — typically SCCs
  • technical and organizational measures appropriate to the risk under Article 32 GDPR
  • a DPIA where required under Article 35 GDPR

For German companies in particular, the local regulatory environment adds:

  • §87(1) no. 6 BetrVG (Works Constitution Act) for employee-related automations that touch monitoring
  • BDSG requirements on top of GDPR for employment data processing
  • Enforcement patterns from German data protection authorities including the Baden-Württemberg, Hamburg, and Berlin DPAs, which have shown a focus on processor contracts and US transfer risk

The practical outcome for most businesses is that low-risk internal automations are manageable, customer-data automations need careful design, and employee, health, and finance workflows need a formal legal review before rollout.

Zapier DPA: What It Says and What to Watch

Zapier offers a Data Processing Addendum as part of its legal documentation. Accepting it is the first required step, but reviewing its substance matters more than its existence.

Processor vs. Controller Distinction

Under most Zapier deployments, your company is the controller and Zapier is the processor. This means Zapier must act only on your instructions, and you remain responsible for the lawfulness of the underlying processing purpose.

However, that allocation is not always clean. Zapier collects operational telemetry about workflow runs, may use certain aggregated data for product improvement, and shares data with subprocessors under its own contract terms. Review the DPA to confirm which parts of the data flow are genuinely on controller-processor terms and which fall outside that boundary.

Subprocessor List and Risk

Zapier publishes a list of subprocessors. Key practical steps:

  • Download or bookmark the current list at the time of your assessment.
  • Note which subprocessors receive which categories of data from your workflows.
  • Confirm whether any subprocessors are located in third countries without an adequacy decision, and whether SCCs or binding corporate rules cover that transfer.
  • Check the change notification procedure — Zapier must notify you of new subprocessors, and you should have a process for reviewing those notifications and objecting where necessary.
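The four steps above amount to a versioned vendor register: record which list you reviewed, and treat every change notice as a diff against it. The following is an added example (not Zapier's code and not its real subprocessor list) that hashes a snapshot, diffs two snapshots, and produces the entries a reviewer must act on because they change the Chapter V transfer picture. The country sets are an illustrative subset and the list entries are constructed.

```python
"""Added example: snapshot and diff a vendor subprocessor list so change notices are
reviewed against the transfer assessment. Entries below are constructed; the EEA and
adequacy sets are illustrative subsets, not the authoritative lists."""
from dataclasses import dataclass, asdict
import hashlib
import json


@dataclass(frozen=True)
class Subprocessor:
    name: str
    purpose: str
    country: str  # ISO 3166-1 alpha-2 code of the processing location


# Assumption: illustrative subsets. Check current EEA membership and the European
# Commission's adequacy decisions before relying on these in a real assessment.
EEA = {"DE", "FR", "NL", "IE", "AT", "BE", "ES", "IT", "PL", "SE", "NO", "IS", "LI"}
ADEQUATE = {"CH", "GB", "JP", "KR", "IL", "NZ"}


def snapshot_hash(subs: list[Subprocessor]) -> str:
    """Order-independent digest of a list, recorded in the vendor register as the
    version that was actually reviewed."""
    rows = sorted((asdict(s) for s in subs),
                  key=lambda d: (d["name"], d["country"], d["purpose"]))
    canonical = json.dumps(rows, sort_keys=True).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def transfer_basis_needed(sub: Subprocessor) -> str:
    """Where the entry sits in the Chapter V analysis."""
    if sub.country in EEA:
        return "none (EEA)"
    if sub.country in ADEQUATE:
        return "adequacy decision"
    if sub.country == "US":
        return "SCCs or DPF certification plus TIA"
    return "SCCs plus TIA"


def diff_subprocessors(old: list[Subprocessor], new: list[Subprocessor]):
    """Return (added, removed, changed) keyed on name. A 'changed' pair means the
    purpose or processing country moved, which can reopen the TIA."""
    old_by = {s.name: s for s in old}
    new_by = {s.name: s for s in new}
    added = [new_by[n] for n in sorted(new_by.keys() - old_by.keys())]
    removed = [old_by[n] for n in sorted(old_by.keys() - new_by.keys())]
    changed = [(old_by[n], new_by[n])
               for n in sorted(old_by.keys() & new_by.keys()) if old_by[n] != new_by[n]]
    return added, removed, changed


def review_items(old: list[Subprocessor], new: list[Subprocessor]) -> list[dict]:
    """Entries a reviewer must act on before the objection window closes: every
    added entry, every entry whose transfer basis changed, and removals (to
    confirm deletion of data already shared)."""
    added, removed, changed = diff_subprocessors(old, new)
    items = []
    for s in added:
        items.append({"name": s.name, "event": "added", "country": s.country,
                      "basis": transfer_basis_needed(s)})
    for before, after in changed:
        if transfer_basis_needed(before) != transfer_basis_needed(after):
            items.append({"name": after.name,
                          "event": f"moved {before.country}->{after.country}",
                          "country": after.country,
                          "basis": transfer_basis_needed(after)})
    for s in removed:
        items.append({"name": s.name, "event": "removed", "country": s.country,
                      "basis": "confirm deletion of data already shared"})
    return items


# Constructed snapshots (not real vendor data).
OLD_SNAPSHOT = [
    Subprocessor("CloudHost Ltd", "task execution infrastructure", "IE"),
    Subprocessor("MailRelay Inc", "transactional email", "IE"),
    Subprocessor("Analytix Corp", "product analytics", "US"),
]
NEW_SNAPSHOT = [
    Subprocessor("CloudHost Ltd", "task execution infrastructure", "IE"),
    Subprocessor("MailRelay Inc", "transactional email", "US"),  # processing location moved
    Subprocessor("LogSink GmbH", "log retention", "DE"),         # new, inside the EEA
    Subprocessor("SupportDesk LLC", "support ticketing", "US"),  # new, third country
]

if __name__ == "__main__":
    print("reviewed version:", snapshot_hash(OLD_SNAPSHOT))
    print("notified version:", snapshot_hash(NEW_SNAPSHOT))
    for item in review_items(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(item)
```

Store the snapshot hash next to the assessment date in the Art. 30 record; when a change notice arrives, run the diff and attach the review items to the TIA update rather than re-reading the whole list.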

Deletion Commitments

The DPA should specify what happens to data when the relationship ends: when task histories are deleted, whether logs are purged, and within what timeframe. Zapier task histories can contain personal data that outlives the use case they were created for. Verify that the deletion terms match your own retention policy and that downstream copies in connected systems are addressed.

Zapier Data Transfers: Is US Processing Still Happening?

For German companies assessing Zapier's data processing agreement and its Schrems II exposure, the short answer is: yes, Zapier can process data in the United States, and you need to assess whether that is acceptable for your specific workflows.

Standard Contractual Clauses Review

Zapier relies on the EU Standard Contractual Clauses (SCCs) adopted by the European Commission in June 2021 for transfers of EEA personal data to the United States and other third countries. Post-Schrems II, SCCs alone are not sufficient — they must be supplemented by a Transfer Impact Assessment (TIA) that evaluates the legal access risk in the destination country.

For most US-based SaaS providers, the relevant risk factors are:

  • US surveillance law, in particular FISA Section 702, and the extent to which the safeguards introduced by Executive Order 14086 mitigate that access risk for your data
  • Whether Zapier employees with US access can reach unencrypted personal data
  • The likelihood that your specific data categories would be of intelligence interest

For routine business automation of non-sensitive data, most TIAs conclude that the residual risk is acceptable with appropriate supplementary measures. For workflows involving large-scale customer databases, financial data, or any data with government-adjacent sensitivity, the TIA requires closer analysis.

Zapier’s EU Data Residency Offering

Zapier has introduced EU data residency options on its higher paid plans; verify which tier your contract is on, since coverage differs. This means that certain task data and workflow execution data is stored in EU-based infrastructure rather than in the United States. However, EU data residency is not equivalent to EU-only processing:

  • Support access may still originate from outside the EEA
  • Some infrastructure components and subprocessors may still process data in the US
  • Metadata and telemetry data may not be covered by residency settings
  • The coverage may differ by plan tier

Before relying on Zapier’s EU data residency as a compliance argument, verify which data categories it actually covers in your plan, which subprocessors it does not neutralize, and whether your DPA reflects the residency configuration.

Post-Schrems II Analysis

The CJEU Schrems II judgment of July 2020 invalidated the Privacy Shield and required supplementary measures for US transfers. The EU-US Data Privacy Framework (DPF) adopted in 2023 partially addresses this for certified US companies, but it remains subject to legal challenge and does not eliminate the need for a documented transfer assessment. Zapier participates in the DPF. Even so, German companies should:

  1. Document the transfer basis (DPF certification, SCCs, or both).
  2. Complete a TIA that addresses US surveillance law risk for your data categories.
  3. Confirm that supplementary measures (encryption, access controls, minimization) are implemented and documented.
  4. Set a review cadence, since the DPF legal landscape continues to evolve.

Workflow-Level GDPR Risk Assessment

This is the most operationally valuable analysis. Rather than assessing Zapier as a platform, assess each category of workflow by the data it processes.

Low-Risk: Internal Tool Integrations

These workflows generally process limited personal data, often limited to internal identifiers or metadata. Examples:

  • Notion to Slack notifications for project status changes (non-sensitive metadata)
  • CRM deduplication workflows operating on company email domains
  • Calendar and scheduling syncs for internal meetings
  • Supply chain notifications based on inventory or logistics triggers — see AI supply chain management compliance
  • Automated reminders for contract or task deadlines with no personal data in the payload

These are typically justifiable under Article 6(1)(f) GDPR (legitimate interest) with standard security controls, data minimization, and a completed DPA.

Medium-Risk: Customer Data Automations

These workflows touch personal data belonging to customers or leads, which raises the stakes for data minimization, retention, and transfer risk. Examples:

  • Form submission routing to CRM (name, email, business context)
  • Support ticket categorization and routing (may include customer message content)
  • Email marketing workflow triggers (behavioral signals)
  • Lead scoring automations that combine data from multiple sources

For medium-risk workflows, specific steps matter: strip free-text content where possible, pass identifiers rather than full records, set short retention on Zapier task history, and confirm that connected app DPAs are aligned. Review HubSpot GDPR compliance and Zendesk GDPR compliance alongside Zapier for integrated customer data stacks.
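Stripping free text and passing identifiers instead of full records is easiest to enforce at the boundary, before the request to the Zap's catch hook is built, rather than inside the Zap. The following is an added example (not Zapier's code) of that boundary filter: a per-workflow field allowlist, a blanket block on free-text fields, and a keyed pseudonym in place of the raw email address so the automation can still deduplicate. The workflow name, field names, sample submission and hook URL are constructed for illustration; the allowlist is an assumption you would derive from the workflow's data map.

```python
"""Added example: minimise a form submission before it is posted to a Zapier
catch hook. Workflow name, fields, sample record and URL are constructed; the
allowlist is an assumption derived from your own workflow data map."""
import hashlib
import hmac
import json

# Assumption: one allowlist per Zap. Anything not listed is dropped before the
# request body exists, so it never reaches task history or downstream apps.
WORKFLOW_ALLOWLIST = {
    "lead_intake": {"email", "company", "country", "product_interest"},
}
# Free-text fields never travel verbatim, even if someone adds them to an allowlist.
FREE_TEXT_FIELDS = {"message", "notes", "comments", "description"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed digest of a normalised identifier. Zapier receives a stable token it
    can dedupe on; the key and the mapping back to the real address stay in your
    CRM, so a task-history leak does not expose the address."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def minimise_payload(workflow: str, record: dict, key: bytes) -> tuple[dict, list[str]]:
    """Return (payload, dropped_fields). Raises KeyError for an unregistered
    workflow, so a new Zap cannot silently receive full records."""
    allowed = WORKFLOW_ALLOWLIST[workflow] - FREE_TEXT_FIELDS
    payload, dropped = {}, []
    for field, value in record.items():
        if field in allowed and value not in (None, ""):
            payload[field] = value
        else:
            dropped.append(field)
    if "email" in payload:
        payload["contact_ref"] = pseudonymise(payload.pop("email"), key)
    return payload, sorted(dropped)


def build_hook_request(hook_url: str, workflow: str, record: dict, key: bytes) -> tuple[str, bytes]:
    """Build the JSON body for the catch hook. Building is separated from sending
    so the exact outbound body can be inspected and logged first."""
    payload, _dropped = minimise_payload(workflow, record, key)
    leaked = [f for f in payload if f in FREE_TEXT_FIELDS]
    if leaked:  # defence in depth: refuse rather than trust the allowlist alone
        raise ValueError(f"free-text fields in outbound payload: {leaked}")
    body = json.dumps(payload, sort_keys=True).encode("utf-8")
    return hook_url, body


# Constructed sample submission (not real data).
SAMPLE_RECORD = {
    "full_name": "Anna Muster",
    "email": "Anna.Muster@example.de ",
    "phone": "+49 30 0000000",
    "company": "Muster GmbH",
    "country": "DE",
    "product_interest": "enterprise",
    "message": "Please call me about our HR tool, current headcount is 40.",
}
# Assumption: in production this key lives in your secret store, never in the Zap.
PSEUDONYM_KEY = b"rotate-me-and-keep-me-out-of-zapier"

if __name__ == "__main__":
    url, body = build_hook_request(
        "https://hooks.zapier.com/hooks/catch/EXAMPLE/",  # placeholder hook URL
        "lead_intake", SAMPLE_RECORD, PSEUDONYM_KEY)
    print(url)
    print(body.decode("utf-8"))
```

The pseudonym is keyed rather than a plain hash so that Zapier (or anyone reading its task history) cannot recover the address by hashing a candidate list of known emails; the key never leaves your side of the boundary.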

High-Risk: Employee Data, Health Data, Financial Data, and Broad Customer Profiling

These categories require a stricter pre-deployment review:

  • Employee data. Why high-risk: §87(1) no. 6 BetrVG, §26 BDSG, monitoring risk. Key requirements: works council review, explicit legal basis, minimization.
  • Health / biometric data. Why high-risk: Article 9 GDPR special categories. Key requirements: explicit consent or another Art. 9(2) basis; DPIA likely required.
  • Financial data. Why high-risk: confidentiality obligations, banking secrecy. Key requirements: segregation of access, restricted log visibility, formal vendor assessment.
  • Broad customer profiling. Why high-risk: profiling and automated decision-making rules under Article 22 GDPR, transparency obligations. Key requirements: layered privacy notice, right to object, potential DPIA.

For any of these, a general “Zapier is GDPR-compliant” statement is not sufficient as a compliance foundation.

DPIA: When Does Zapier Use Require a Data Protection Impact Assessment?

Under Article 35 GDPR, a Data Protection Impact Assessment is required before processing that is likely to result in a high risk to individuals’ rights and freedoms. The lists of processing operations that German supervisory authorities publish under Article 35(4) GDPR indicate that the following patterns likely trigger this requirement when implemented as Zapier workflows:

  • Systematic monitoring of employees — any workflow that consolidates employee behavior data across systems, generates productivity metrics, or creates alerts about individual staff activity
  • Large-scale processing of special category data — health, biometric, or union-membership data moving through automated workflows
  • Automated decision-making with legal or significant effects — workflows that trigger automated outcomes for individuals without human review
  • Large-scale customer profiling — combining behavioral, transactional, and communication data to build profiles used for targeting, segmentation, or credit/insurance-adjacent purposes

The DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures taken to address them. It should be completed before the workflow goes live, not after.

If your Zapier deployment spans several of these risk factors, the DPIA scope expands accordingly.

Works Council Considerations for German Companies

German businesses are subject to the Betriebsverfassungsgesetz (BetrVG). Section 87(1) no. 6 specifically grants the works council (Betriebsrat) co-determination rights over the introduction and use of technical devices designed to monitor employees’ conduct or performance.

Zapier workflows can trigger §87 BetrVG even when monitoring is not the stated purpose. The test is whether the tool enables monitoring, not whether it is intended to monitor. Typical triggers:

  • Automations that log employee response times (e.g., time from ticket assignment to first reply)
  • Workflows that consolidate activity data from Slack, email, or CRM into a management dashboard
  • Alerting logic based on individual employee inactivity or SLA breach
  • Integration with HR tools that tracks attendance, shift changes, or absence patterns

Where §87(1) no. 6 BetrVG applies, the works council must be consulted and its agreement reached before the system is introduced. Operating without this consent exposes the employer to injunctions, potential prohibition orders, and labor law liability.

The practical recommendation: involve HR, legal, and the works council early in the design phase, before a workflow is built or deployed.

Zapier in Specific Industries

Certain industries face heightened standards regardless of the general workflow risk tier.

Healthcare and Medical Services

Workflows touching patient data, appointment records, referral information, or any health-related content fall under Article 9 GDPR (special categories) and, in some contexts, additional German health data law. Standard no-code automation through a US-linked SaaS provider is generally not the default-acceptable approach here. At minimum: explicit consent or a statutory basis under Article 9(2), a DPIA, and a security review covering encrypted payloads, restricted log access, and limited subprocessor exposure.

HR and Recruiting

German employment data law under §26 BDSG imposes strict requirements on processing employee or applicant data. Automating recruiting workflows, onboarding steps, or performance data through Zapier requires a documented legal basis for each data element, minimization to only what is genuinely necessary, and works council involvement where applicable. Retention must be actively managed — applicant data that flows through Zapier and into connected systems needs defined deletion timelines.

Legal and Professional Services

Law firms and professional services firms have additional confidentiality obligations. Routing client matter information, contract content, or case-related data through third-party automation creates data governance questions beyond GDPR. Check bar association rules, professional secrecy obligations, and whether client consent or matter-specific data handling agreements are needed before using Zapier for client-facing data.

Zapier Alternatives with Better EU Compliance Profiles

If the US transfer risk, subprocessor footprint, or EU data residency limitations are blockers for your use case, the following alternatives offer different compliance profiles:

  • Make.com. Key compliance advantage: EU-headquartered (Czech Republic), EU data center options. Trade-offs: smaller template library, steeper learning curve.
  • n8n. Key compliance advantage: self-hosted option, full data control, open source. Trade-offs: requires technical setup and ongoing maintenance.
  • Pipedream. Key compliance advantage: source-available, self-hosting available. Trade-offs: less mature enterprise documentation.
  • Zapier EU Data Residency. Key compliance advantage: keeps task data in EU infrastructure. Trade-offs: does not eliminate all US subprocessor exposure.

None of these alternatives eliminates the need for a DPA, transfer assessment, or workflow risk review. The advantage is that EU-headquartered or self-hosted tools reduce the transfer risk surface area, which can simplify the TIA and reduce DPIA scope.

Checklist: Zapier GDPR Readiness for German Companies

Use this before enabling any production Zapier workflow that processes personal data.

Contract and legal basis:

  • Zapier DPA signed or accepted
  • Legal basis under Article 6 GDPR identified and documented for each workflow
  • Article 9 GDPR basis documented if special categories are involved
  • Transfer mechanism confirmed (SCCs, DPF certification, or both)
  • Transfer Impact Assessment completed for US-transferred data

Workflow design:

  • Workflow mapped end to end: triggers, actions, apps, fields, logs, retention
  • Data minimization applied — only necessary fields transferred
  • Free-text content stripped or suppressed where possible
  • Task history retention set and deletion tested
  • Downstream app DPAs reviewed for alignment

Risk assessment:

  • Workflow categorized as low, medium, or high risk
  • DPIA completed if high-risk indicators are present
  • Works council review initiated if employee data or monitoring potential exists
  • Industry-specific requirements checked (healthcare, HR, legal)

Documentation:

  • Approved use case recorded in records of processing activities (Art. 30 GDPR)
  • Restrictions, data categories, legal basis, and review date documented
  • Subprocessor list reviewed and added to vendor register

FAQ

Is Zapier GDPR compliant?

Yes, with conditions. Zapier processes data in the United States but offers a DPA as required by GDPR Article 28 and EU Data Residency on paid plans. For German companies, GDPR compliance means: signing the DPA, documenting the transfer mechanism (SCCs, DPF certification), assessing each workflow by data category, and conducting a DPIA or works council review where required.

Does Zapier have a DPA (Data Processing Agreement)?

Yes. Zapier publicly offers a Data Processing Addendum that satisfies the processor contract requirement under GDPR Article 28. Review it for role allocation, subprocessor terms, deletion commitments, and transfer clauses — confirming its existence is the first step, not the last.

Does Zapier store data in the EU?

Zapier offers EU data residency on paid plans for task data and certain execution data. EU data residency does not mean all processing stays within the EU — support access, subprocessors, and metadata may still involve processing outside the EEA. Verify exactly which data types your plan covers before relying on this as a compliance argument.

Is Zapier secure for customer data?

Zapier encrypts data in transit and at rest, supports role-based access controls, and publishes a subprocessor list and security documentation. Technical security and GDPR lawfulness are two separate requirements — a workflow can be technically secure but still unlawful without a valid legal basis, a signed DPA, and proper data minimization. Both conditions must be met.

What is Zapier GDPR compliance for German companies?

It is the legal assessment of whether a specific Zapier workflow can be operated lawfully under the GDPR in Germany. This covers the legal basis, the signed DPA, international transfer mechanism, subprocessors, data minimization, retention, security, and — for German-specific workflows — works council and BDSG considerations.

Does Zapier transfer data outside the EU?

Yes. Zapier service-related data can be processed in the United States. Zapier relies on Standard Contractual Clauses and participates in the EU-US Data Privacy Framework. Companies still need a documented Transfer Impact Assessment for their specific data categories. EU data residency options reduce but do not eliminate this exposure.

When is a DPIA required for using Zapier?

A DPIA is required under Article 35 GDPR when a Zapier workflow systematically monitors employees, processes special category data at scale, enables automated decisions with legal effects, or involves large-scale customer profiling. Germany’s DPAs indicate that monitoring-adjacent automations trigger DPIA requirements even without an explicit monitoring label.

Can German companies use Zapier for employee data?

Sometimes, but employee data automation in Germany requires special care. §26 BDSG governs employment data processing. §87(1) no. 6 BetrVG may require works council agreement before deploying workflows that could monitor employee behavior. Even unintentional monitoring effects matter legally. Always involve HR and legal counsel before deploying employee-related Zapier workflows.

Is Zapier suitable for GDPR-compliant automation in healthcare or HR?

Healthcare and HR workflows face heightened requirements. Health data is a special category under Article 9 GDPR, requiring a specific legal basis, a DPIA, and significantly stricter controls. HR workflows fall under §26 BDSG and may require works council involvement. Standard SaaS automation is not a safe default for either context without a formal legal and privacy review.

What are the best EU-compliant alternatives to Zapier?

Make.com (EU-headquartered), n8n (open-source, self-hostable), and Pipedream (self-host available) offer different risk profiles. The main advantage is reducing US transfer exposure. None eliminate the need for a DPA, transfer assessment, or workflow review. See Make.com GDPR compliance for a parallel analysis.


This page provides general legal information for German companies evaluating Zapier. It is not legal advice for a specific deployment. Compound Law advises businesses and founders in Germany on GDPR, commercial contracts, employment law, and AI-related compliance. If you want to review a Zapier deployment, a DPA, or a sensitive automation workflow, contact us.

Related Tool Guides

Claude Enterprise in Germany: GDPR Compliance, DPA, SCCs & EU Hosting Guide

Can German companies use Claude Enterprise under GDPR? Covers DPA/AVV, SCCs, EU hosting options, data residency, and a compliance checklist before rollout.

GitHub Copilot GDPR: DPA, IP & German Compliance Guide

GitHub Copilot is GDPR-compliant only on Business or Enterprise plans with a signed DPA. German companies: IP, Betriebsrat, and data residency checklist.

Notion DPA and GDPR: Can German Companies Use Notion Compliantly?

Notion DPA, GDPR compliance, EU data hosting, and AVV requirements for German companies. Practical guide for legal, privacy, and IT teams.

ChatGPT Enterprise GDPR & DPA: Compliance Guide for German Companies 2026

Is ChatGPT Enterprise GDPR compliant? OpenAI DPA, EU data residency, SOC 2, AI Act obligations, and works council requirements for German companies.

AI APIs for Law Firms in Germany: BRAO, GDPR & Secrecy Guide

Can lawyers in Germany use AI tools like Claude or ChatGPT? BRAO §43a, GDPR Art. 28, and BRAK guidance explained — with a 7-point compliance checklist.

Make.com DPA: Does Make Have a Data Processing Agreement? (GDPR Guide)

Make.com offers a DPA for paid plan customers. What German companies must verify for GDPR compliance — EU data residency, sub-processors, and BetrVG.

Frequently asked questions

Is Zapier GDPR compliant for companies in Germany?

Zapier can support GDPR-compliant use in Germany, but compliance depends on the specific workflow, the signed DPA, international transfer setup, security measures, and the categories of personal data involved. There is no blanket yes or no answer at the platform level.

Does Zapier have a data processing agreement (DPA) for GDPR?

Yes. Zapier publicly offers a Data Processing Addendum. German companies should review it for role allocation (processor vs. controller), subprocessor list and change notices, deletion commitments, and whether the Standard Contractual Clauses it relies on are currently valid for the transfer risk profile.

Does Zapier transfer data to the United States?

Yes, Zapier service-related data can be processed in the United States. Zapier relies on Standard Contractual Clauses and publishes supplementary measures. However, whether that transfer is sufficiently low-risk for your specific workflow depends on the data categories and a post-Schrems II transfer impact assessment.

When is a DPIA required for Zapier workflows?

A Data Protection Impact Assessment is required when a Zapier workflow systematically monitors employees, processes special category data at scale, enables automated decisions about individuals, or processes large volumes of sensitive customer data. German DPAs have indicated that monitoring-adjacent automations trigger DPIA obligations even without a formal "monitoring" label.

Does Zapier support EU data residency?

Zapier has offered EU data residency options on its higher paid plans, primarily for task data and certain metadata. However, EU residency options do not necessarily cover all infrastructure layers, subprocessors, or support access from outside the EEA. Companies should verify current coverage and map which data types remain within the EU under their specific plan and configuration.
