
We are committed to upholding responsible business practices, which support our aspirations to operate with integrity and maintain a culture of excellence.

Through our enterprise risk management (ERM) program, we aim to create an ongoing, risk-aware culture that empowers our leadership team to make data-driven business decisions. We integrate sustainability risks into our ERM program.
We present significant enterprise risks, including sustainability risks, to our Executive Risk Forum, which comprises senior leaders from across our business. In partnership with risk owners, the ERM team and the Executive Risk Forum monitor exposures and evaluate whether efficient and effective risk-management strategies or acceptance and notification criteria are in place. The forum meets on a regular basis and is chaired by the leader of Zillow’s Risk and Internal Audit organization. The risk dashboard is distributed to an expanded list of senior leaders and our Audit Committee.
Business continuity and disaster-recovery planning aim to ensure that our business functions continue to operate during and after a disaster, catastrophic event or other emergency.
Our Business Continuity Planning program includes an organization-wide plan, as well as plans for each of our key regulated entities. Zillow’s internal auditors review compliance with our requirements and objectives. We also conduct regular tabletop training exercises to better understand whether our controls and processes are operating effectively. Leaders and key contributors to the Business Continuity program receive annual training on their duties and obligations.
We are committed to promoting high standards of ethical business conduct and aligning with laws, rules and regulations applicable to our U.S. and international business operations. We maintain a broad set of policies that establish our expectations for our employees, leadership, board of directors, suppliers, contractors and external partners. This includes our Foreign Anti-Corruption Policy, which is available to all Zillow staff, and we proactively train relevant employees when needed.
We want people to feel comfortable expressing compliance and ethics concerns, and we give them the tools to guide them in making ethical decisions. This includes our Code of Conduct, which requires employees and contractors to report actual or suspected misconduct.
We also maintain different reporting mechanisms, including our 24-hour online whistleblower communication platform, which is hosted by a third party to protect anonymity. We prohibit retaliation against anyone who reports a violation in good faith, and we investigate good-faith concerns in a discreet, professional and timely manner.
As a lender, broker and facilitator of real estate transactions, Zillow is trusted with personal and financial data. We take our responsibility to protect such sensitive information seriously. Our Information Security Risk Committee meets quarterly to review risk policies, practices and the results of internal and external audits. Our data protection and privacy policies are reviewed at least once a year.
Zillow’s Data & IT Compliance team identifies systems in scope and assesses compliance control frameworks for various regulatory and compliance requirements. Our Internal Audit team assesses the performance of the Data & IT Compliance team by using third-party auditors to perform independent testing of all systems in scope for Zillow’s regulatory and customer-driven compliance obligations. We also periodically perform third-party risk assessments, vulnerability testing, National Institute of Standards and Technology (NIST) assessments and security assessments of our IT infrastructure and information systems. We have received ISO 27001 certification for our cybersecurity defense program.
To assist in regulatory compliance, we issue an annual questionnaire to relevant business teams to give us insight into which regulations may be applicable to their work.
Zillow has a robust internal Privacy Policy and privacy program that embeds principles of privacy by design into our product development process. For operations subject to specific privacy requirements, we fashion privacy controls to address those obligations.
Our Privacy Compliance team supports Zillow’s responsible and appropriate collection and use of any personal information that Zillow obtains. We use privacy impact assessments to assess the privacy risk of all new and significantly revised initiatives that involve personal data.
We also have a comprehensive enterprise cybersecurity incident response plan to protect the integrity, availability and confidentiality of information and to help prevent loss of service. To promote the effectiveness of our approach and systems, we conduct risk-based internal audits of our information security policies and systems annually.
Our privacy portal allows customers to learn more about the information we collect, how we use it and how we share it. The portal also allows users to exercise control over their data, including giving users the right of access, rectification and deletion of their data.
To help prevent and respond to cybersecurity-related incidents, and to keep data and devices safe, we train our employees in privacy and security measures.
Visit our Corporate Policies page for more information.