Zapflow's GDPR commitment

This article provides an overview of the data-related roles and responsibilities when you have chosen Zapflow as your deal management platform and will explain our efforts to live up to the values and requirements of the GDPR.

May 25th, 2018 marked the start of enforcement of the European Union’s General Data Protection Regulation. This new piece of legislation has had a great impact on anyone whose business involves handling the personal data of EU residents or of individuals within the EU. This also applies to information that Zapflow users gather from target companies and their stakeholders.

Zapflow as the data processor

The people you store in Zapflow as Contacts are your data subjects, and you are considered the data controller for this personal data.

Using Zapflow to manage your customers means that you have engaged Zapflow as a data processor to carry out certain processing activities on your behalf. According to Article 28 of the GDPR, the relationship between the controller and the processor needs to be made in writing (electronic form is acceptable under subsection (9) of the same Article).

This is where our Terms of Service and Privacy Policy come in. These two documents also serve as your data processing contract, setting out the instructions you are giving to Zapflow regarding processing the personal data you control and establishing the rights and responsibilities of both parties. Zapflow will only process your data based on your instructions as the data controller.

Data transfers

Zapflow uses sub-processors such as Amazon Web Services, which the Zapflow platform runs on. This means you’re the data may be transferred to a trusted 3rd party for sub-processing like any other modern cloud-based system.

We keep an up-to-date list of sub-processors in our Terms of Service to be transparent about these transfers. We also make sure our third-party service providers are certified under the EU-U.S. Data Privacy Framework. 

Zapflow as the data controller

Zapflow also acts as the data controller for the personal data we collect about you - the user of our web app, mobile apps, and website.

First, we process data that is necessary for us to perform our contract with you (GDPR Article 6(1)(b)).

Secondly, we process data to meet our obligations under the law (GDPR Article 6(1)(c)).

Thirdly, we process your personal data for our legitimate interests in line with GDPR Article 6(1)(f). By “legitimate interests”, as defined in the law, we mean our ability to

  • Improve the app to help you get even more value out of Zapflow
  • Ensure your data and Zapflow’s systems are safe and secure.
  • Market our product & features responsibly

As the controller for your personal data, Zapflow is committed to respect all your rights under the GDPR. If you have any questions or feedback, please reach out to

Security and data transfers

Any access to the Client Data that we process on your behalf is strictly limited. Our internal procedures and logs make sure that we meet the GDPR accountability requirements in this regard.

We make sure that third-parties meet the high expectations that Zapflow and its customers have when it comes to privacy and security.

Readiness to comply with subject access requests

Data subjects’ ownership of their personal data is at the very core of the GDPR. We have created tools for you to handle requests related to data subjects. Of course, we are also happy to comply with your requests related to Zapflow.


Our Terms of Service and Privacy Policy are constantly being revised to increase transparency and to make sure the documents meet GDPR requirements.

Ready to steramline your
investment workflows?