
I have a Zap that passes information between two secure/compliant applications. The data being passed may contain DOB, driver's license, and SSN. It does not contain any healthcare data (PHI). Is it OK to use Zapier in this use case? I saw the updated Terms of Use and immediately saw the following information. I entered a support ticket with Zapier but the reply was not clear at all and referred to the EU GDPR. I am in the U.S. I thought I would post the question here.


(d) No Prohibited Sensitive Personal Data: In addition you may not access or use the Service to post, upload or transmit, or incorporate any data that is subject to heightened privacy and security requirements by law or regulations or applicable Third Party Services terms, including, without limitation, any financial or medical information of any nature, any sensitive personal information (e.g., government issued numbers, driver’s license numbers, birth dates, personal bank account numbers, passport or visa numbers, credit card numbers, passwords and security credentials), or any special categories of personal data under GDPR.

Personally, I wouldn’t, even if it were OK under the ToS. Not that Zapier isn’t secure, but things like SSNs can really open you up to liability. You might not fall under GDPR (though it does apply to EU citizens regardless of their current location), but strict control of anything that sensitive is always a best practice. Plus you have heightened controls of data for California citizens, with more states likely coming down the pike.


We had a similar case in Europe: you can create a trigger and just pass the data through a code module from API to API; make sure you don't return or save any data. In these cases, keep in mind that this is not a consultation and you act at your own risk. Feel free to chat with us about how we did it :)
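To make the "code module from API to API, don't return or save any data" pattern in the reply above concrete, here is an added example that is not code from the original thread or from Zapier. It models a Code by Zapier JavaScript step that pulls a record from one API and pushes it to another inside the step, so the SSN/DOB/license fields exist only in the step's memory and are never part of what the step returns (Zapier keeps each step's returned output in task history, so anything returned is stored). The field names, the two transports, the sample record and the hypothetical `forwardRecord`/`buildReceipt` helpers are all constructed for this example. Note the caveat: this only limits what gets stored; the Terms of Use excerpt quoted earlier in this thread prohibits transmitting such data through the Service at all, so it does not by itself make the use case compliant.

```javascript
// Added example, not code from the original thread or from Zapier.
// Field names, endpoints, transports and sample data are hypothetical.

// Keys that must never be part of what the step returns to Zapier.
const SENSITIVE_KEYS = new Set(["ssn", "dob", "dateOfBirth", "driversLicense"]);

// Recursively collect dotted paths of any sensitive key inside `value`.
function findSensitiveKeys(value, prefix = "") {
  if (value === null || typeof value !== "object") return [];
  const found = [];
  for (const [key, child] of Object.entries(value)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEYS.has(key)) found.push(path);
    found.push(...findSensitiveKeys(child, path));
  }
  return found;
}

// Build the only thing the step hands back: identifiers and status, never
// the payload. Refuses to return anything containing a sensitive key.
function buildReceipt(recordId, response) {
  const receipt = { recordId, forwarded: response.ok, destinationStatus: response.status };
  const leaked = findSensitiveKeys(receipt);
  if (leaked.length > 0) {
    throw new Error(`refusing to return sensitive fields: ${leaked.join(", ")}`);
  }
  return receipt;
}

// The step body. `sourceGet` and `destinationPost` stand in for fetch() calls
// to the two APIs (hypothetical); in a real Code step they would be
// `await fetch(...)` using credentials passed in via `inputData`, and the
// step would end with `output = receipt;`.
async function forwardRecord({ recordId, sourceGet, destinationPost }) {
  const record = await sourceGet(recordId); // sensitive data lives only here
  if (record === null) throw new Error(`no record ${recordId}`);
  const response = await destinationPost(record); // handed straight to API B
  return buildReceipt(recordId, response); // payload is never returned
}

// The anti-pattern the reply warns against: returning the record itself
// would persist the SSN in task history. findSensitiveKeys flags every field.
function leakyReceipt(recordId, record) {
  return findSensitiveKeys({ recordId, data: record });
}

// ---- Constructed in-memory stand-ins for the two APIs (sample data) ----
const SOURCE_DB = {
  "rec-001": {
    name: "Sample Person",
    ssn: "000-00-0000",
    dob: "1970-01-01",
    driversLicense: "X0000000",
  },
};
const DESTINATION_RECEIVED = [];

async function fakeSourceGet(id) {
  return id in SOURCE_DB ? SOURCE_DB[id] : null;
}

async function fakeDestinationPost(record) {
  DESTINATION_RECEIVED.push(record);
  return { ok: true, status: 201 };
}

// Stand-alone demo of the step.
forwardRecord({
  recordId: "rec-001",
  sourceGet: fakeSourceGet,
  destinationPost: fakeDestinationPost,
}).then((receipt) => {
  console.log("returned to Zapier:", JSON.stringify(receipt));
  console.log("sensitive keys in output:", findSensitiveKeys(receipt).length);
});
```

The design point is that the step's return value is built from a fixed allowlist (record id, status) and is checked against a denylist of sensitive keys before it leaves the step, so a later edit that accidentally returns the fetched record fails loudly instead of silently landing in task history.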