What Promo Distributors Need to Know About Automation Security

July 18, 2025 07:41 AM

No-code platforms like Zapier and Airtable have made it easy for promo businesses to build their own systems – moving order data, syncing customer info, automating approvals, and more. It’s been huge for small teams who need to move fast without a full-time developer.

But here's the tradeoff: when you build your own tools, you also take on some of the responsibility for keeping them secure. The platforms provide the building blocks, but it’s up to you to use them wisely.

This is called shared responsibility. The platform handles the infrastructure – servers, encryption, and so on. But how you build, what you connect, and who has access? That’s on you.

The folks at OWASP, a nonprofit focused on software security, recently published their Low-Code/No-Code Top 10. It’s not bedtime reading, but it is a clear warning: even drag-and-drop apps can open the door to serious problems if you're not paying attention. Let’s break down what matters, in plain English, and what you can do to protect your data, your customers, and your business.

1. It Might Look Like You, But It’s Not You

When you build an automation, it often runs under your account – even when someone else triggers it. That means if something goes wrong, logs and records point back to you, not the real user. Worse, if someone finds a way to misuse the automation, they can act with your level of access.

How to fix it:
  • Use separate service or “system” accounts for business-critical connections.
  • Avoid embedding your personal login into any automation, unless necessary.
  • Look for platforms that let you audit actions by user – not just by workflow.

2. Too Much Access, Too Easily Shared

Many automation tools make it easy to “just connect” things. But that simplicity can mask sloppy access controls. You might accidentally give full access to data that only a few people should see—or worse, allow someone to take actions they shouldn’t be able to.

How to fix it:
  • Review permissions regularly. Who can do what?
  • Don’t share logins. Share access roles, if the platform allows it.
  • Stick to the principle of least privilege: give people only the access they need, and nothing more.

3. Where Did That Data Go?

One automation sends a file to a shared drive. Another moves lead info to a spreadsheet. A third notifies someone via email. Before long, your customer data is scattered, and you may not even realize it.

How to fix it:
  • Document where your data flows – especially anything with personal, financial, or client information.
  • Use private folders and restricted shares. Public-by-default isn’t safe.
  • Watch for “chain reactions” where one trigger kicks off another that you forgot about.

4. Weak Connections Let Hackers In

Not all connections are created equal. Some automations and the apps they work within use outdated protocols or store passwords in ways that aren’t secure. Even if the app looks encrypted, the back-end connections might not be.

How to fix it:
  • Use apps that support OAuth, encryption, and modern security standards.
  • Don’t use your admin account to build automations – create dedicated, limited-access users.
  • Involve IT (or a security-savvy partner) for anything customer-facing or payment-related.

5. Security Misconfiguration: Default Settings Are a Trap

Most tools come with default settings meant to get you started quickly. That often means open webhooks, weak password rules, or access controls that are too loose.

How to fix it:
  • Take time to go through each setting. If you’re not sure what something does, look it up or ask.
  • Disable anonymous access unless there’s a strong reason not to.
  • Add secrets to webhooks, and use passwords that follow your company policy, even in test apps.
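A concrete way to put a secret on a webhook, added here as an illustration and not taken from the article, Zapier, or Airtable: the sender signs each request with a shared secret, and the receiver refuses anything that is missing the signature, has been altered, or is too old to be anything but a replay. The header format (`t=<timestamp>,v1=<hex>`) and the five-minute tolerance are assumptions for the example; the secret and order payload are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed shared secret for this example. In a real workflow it lives in the
# platform's secret store or an environment variable, never in a visible step.
WEBHOOK_SECRET = b"example-shared-secret-change-me"
TOLERANCE_SECONDS = 300  # assumed replay window: anything older is refused


def sign_webhook(body: bytes, secret: bytes, timestamp: int) -> str:
    """Sender side: HMAC-SHA256 over '<timestamp>.<body>'.

    Binding the timestamp into the signature means a captured request cannot
    be replayed indefinitely with the same signature value.
    """
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(body: bytes, signature_header: Optional[str], secret: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason) so the reason can be logged."""
    if not signature_header:
        return False, "missing signature header"
    parts = dict(p.split("=", 1) for p in signature_header.split(",") if "=" in p)
    if "t" not in parts or "v1" not in parts:
        return False, "malformed signature header"
    try:
        ts = int(parts["t"])
    except ValueError:
        return False, "malformed timestamp"
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False, "timestamp outside tolerance (possible replay)"
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, parts["v1"]):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Exercise the receiver against a valid request and four bad ones."""
    body = b'{"order_id": "SO-1001", "status": "approved"}'  # constructed payload
    now = 1_700_000_000
    sig = sign_webhook(body, WEBHOOK_SECRET, now)
    return {
        "valid": verify_webhook(body, sig, WEBHOOK_SECRET, now)[0],
        "no_header": verify_webhook(body, None, WEBHOOK_SECRET, now)[0],
        "tampered": verify_webhook(body.replace(b"approved", b"shipped"), sig, WEBHOOK_SECRET, now)[0],
        "replayed": verify_webhook(body, sig, WEBHOOK_SECRET, now + 3600)[0],
        "wrong_secret": verify_webhook(body, sig, b"other-secret", now)[0],
    }


if __name__ == "__main__":
    print(demo())
```

If your platform only lets you add a secret to the webhook URL or a custom header rather than run code, the same principle applies: compare the value against what you expect in a filter step before anything downstream runs, and treat a missing or wrong value as a hard stop.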

6. Be Careful What You Let People Type In

If your form lets someone type anything – like a product note, a name, or a custom message – you’ve opened a door. Most users will type in exactly what they should. But someone with bad intentions might try to sneak in commands that confuse your system or break something behind the scenes.

How to fix it:
  • If triggering from a form, make sure that only the right people have access to it. Many form tools provide access controls.
  • If triggering from an email, verify that the sender is trusted and that inputs are as expected.
  • Consider adding a review step before automatically pushing data into another system.
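The "review step" can be partly automated. The following is an added example, not code from the article or from any form tool: it checks a form submission against per-field rules before it is pushed on to a spreadsheet or another system, cleans what it safely can, and flags the record for a human when anything was off. The field names, length limits and patterns are assumptions; the sample submissions are constructed. It also neutralizes cells that a spreadsheet would treat as a formula, which matters once lead info is being copied into Google Sheets or Airtable.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Assumed field rules for a simple order-note form. Adjust to your own form.
FIELD_RULES = {
    "name": {"max_len": 80, "pattern": re.compile(r"^[\w .,'&-]+$")},
    "email": {"max_len": 254, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "note": {"max_len": 500, "pattern": None},  # free text, but still cleaned
}

# Spreadsheets treat a cell starting with one of these as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def _strip_control(value: str) -> str:
    """Drop control characters (Unicode category Cc) except space and newline."""
    return "".join(ch for ch in value if unicodedata.category(ch) != "Cc" or ch in " \n")


def _neutralize_formula(value: str) -> str:
    """A leading apostrophe makes a spreadsheet store the cell as plain text."""
    return "'" + value if value.startswith(FORMULA_TRIGGERS) else value


def validate_submission(form: Dict[str, str]) -> Tuple[Dict[str, str], List[str], bool]:
    """Return (cleaned_record, issues, needs_review).

    needs_review is True whenever anything had to be changed or looked wrong,
    so the workflow can route the record to a person instead of straight on.
    """
    cleaned: Dict[str, str] = {}
    issues: List[str] = []
    for field, rules in FIELD_RULES.items():
        raw = form.get(field, "")
        if not isinstance(raw, str):
            issues.append(f"{field}: not a string")
            raw = str(raw)
        value = _strip_control(raw).strip()
        if value != raw.strip():
            issues.append(f"{field}: control characters removed")
        if len(value) > rules["max_len"]:
            issues.append(f"{field}: truncated to {rules['max_len']} characters")
            value = value[: rules["max_len"]]
        if rules["pattern"] and value and not rules["pattern"].match(value):
            issues.append(f"{field}: unexpected characters")
        neutral = _neutralize_formula(value)
        if neutral != value:
            issues.append(f"{field}: leading formula character neutralized")
        cleaned[field] = neutral
    unknown = set(form) - set(FIELD_RULES)
    if unknown:
        issues.append(f"ignored unexpected fields: {sorted(unknown)}")
    return cleaned, issues, bool(issues)


if __name__ == "__main__":
    # Constructed submissions: one ordinary, one that needs a second look.
    print(validate_submission({"name": "Acme Promo", "email": "buyer@example.com",
                               "note": "Rush order please"}))
    print(validate_submission({"name": "Acme Promo", "email": "buyer@example.com",
                               "note": "=SUM(1,2)", "extra": "?"}))
```

The point is not the exact rules but the shape: an allowlist per field, a hard length cap, and a single yes/no flag that the rest of the automation can branch on. If your platform cannot run code, the same checks map onto filter steps and a "send to review" path.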

7. What’s Inside That “Free” Widget?

Adding a connector from a third-party marketplace can be a great shortcut. But not all components are secure, or even trustworthy. Some come with outdated code, bugs, or default passwords.

How to fix it:
  • Use only well-known or officially supported plugins and widgets.
  • Delete components you’re not actively using.
  • Before adding anything new, check when it was last updated, and read the reviews.

8. Passwords Shouldn’t Be in Plain Sight

It’s easy to hard-code an API key or login into your automation. But anyone with access to that workflow can now see, and potentially misuse it. Worse, that key might be included in logs or browser-visible code.

How to fix it:
  • Use environment variables or secure vaults if the platform supports them.
  • Never paste API keys into visible steps or comments. Don't add API keys to code steps in Zapier.
  • Rotate keys and passwords regularly, and revoke access when people leave the team.

9. Forgotten Apps Can Still Bite You

You built a workflow last year. It still runs, but no one really owns it anymore. That’s a problem. Old automations can keep accessing data, sending emails, or posting orders long after they’ve outlived their purpose.

How to fix it:
  • Keep a running list of every live automation and who’s responsible for it.
  • Disable anything that’s not in active use.
  • Build an offboarding checklist so nothing breaks (or leaks) when someone leaves the team.

10. You Can’t Investigate What You Don’t Log

When something breaks – or worse, when something is misused – you need logs to trace what happened. But some no-code tools either log too little or log too much in the wrong places.

How to fix it:
  • Make sure your platforms are capturing logs, and that you know where they go.
  • Check if logs include sensitive data like emails, API keys, or passwords. If so, that’s a risk.
  • Use alerts and daily summaries to catch issues early, especially for order or customer data flows.
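Two of the fixes above, keeping keys out of the workflow (section 8) and keeping secrets out of the logs (section 10), can be checked with a small script. The following is an added example and not code from the article or from any platform: it reads a credential from the environment rather than a hard-coded string, then scans a batch of log lines, redacts emails, bearer tokens and `key=value` secrets, and totals what it found. The variable name, token patterns and log lines are assumptions constructed for the example; extend the patterns to the token formats your own tools issue.

```python
import os
import re
from typing import Dict, List, Tuple

# Things that should never appear in a log. Constructed patterns for this
# example; real platforms issue tokens in their own formats.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "bearer_token": re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/-]+=*"),
    "key_value_secret": re.compile(r"(?i)((?:api[_-]?key|password|secret|token)\s*[=:]\s*)[^\s&'\"]+"),
}


def get_api_key(var_name: str = "PROMO_ERP_API_KEY") -> str:
    """Read a credential from the environment instead of the workflow body.

    Failing loudly is deliberate: a silent fallback to a pasted key is exactly
    the habit this avoids. The variable name is an assumption.
    """
    value = os.environ.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; refusing to run with a hard-coded fallback")
    return value


def redact_line(line: str) -> Tuple[str, Dict[str, int]]:
    """Replace each sensitive match with a marker; return the line and hit counts."""
    counts: Dict[str, int] = {}
    for name, pattern in PATTERNS.items():
        def repl(match, marker=name):
            # Keep the label (e.g. 'api_key=') when the pattern captured one,
            # so the redacted log is still readable.
            label = match.group(1) if match.lastindex else ""
            return f"{label}[REDACTED-{marker}]"
        line, hits = pattern.subn(repl, line)
        if hits:
            counts[name] = hits
    return line, counts


def scan_logs(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Redact a batch of lines and total the findings by category.

    The totals answer "do our logs contain secrets?" with numbers, which is
    what a daily summary or alert should be built on.
    """
    clean: List[str] = []
    totals: Dict[str, int] = {}
    for line in lines:
        redacted, counts = redact_line(line)
        clean.append(redacted)
        for key, value in counts.items():
            totals[key] = totals.get(key, 0) + value
    return clean, totals


# Constructed log lines resembling what a workflow might write.
SAMPLE_LOGS = [
    "2025-07-18 07:41:02 INFO order SO-1001 approved for buyer@example.com",
    "2025-07-18 07:41:03 DEBUG calling ERP with api_key=sk_test_EXAMPLE_abc123",
    "2025-07-18 07:41:03 DEBUG Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.sig",
    "2025-07-18 07:41:04 INFO synced 3 rows to shared sheet",
]

if __name__ == "__main__":
    cleaned, summary = scan_logs(SAMPLE_LOGS)
    print("\n".join(cleaned))
    print("findings:", summary)
```

Run it over an export of your automation history once a day: a non-zero total is the signal that a step is logging more than it should, and the redacted copy is what you can safely share with a partner or IT when you ask for help.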

Use the Tools. Just Don’t Lose Control.

No-code platforms are here to stay, and they’re a huge win for small teams like those in the promo industry. But if you’re not careful, a simple Zap could end up sharing data it shouldn’t, impersonating the wrong person, or giving the wrong person too much power.

Security doesn’t have to be complicated. It just has to be intentional.

Eric Granata

Managing Director, PromoPilot, LLC
https://www.linkedin.com/in/eric-granata/

Eric Granata is the founder of PromoPilot, helping print and promo distributors automate workflows, streamline e-commerce, and maximize efficiency using no-code tools like Zapier. With over a decade of distributor experience, Eric shares insights on automation, tech, and scaling smarter.