// Trust & Security Report
Appsmith, Inc.
Open-source low-code application platform for building internal tools (admin panels, dashboards, portals). Ships as free self-hosted Community Edition (Apache 2.0), paid self-hosted Business/Enterprise Editions with SSO/RBAC/audit logging, and a hosted Appsmith Cloud SaaS offering.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.appsmith.com“Trust center lists a "SOC 2" compliance badge and states: "We are working on our security compliance. We can provide completed questionnaires upon request."”
> Show 5 unconfirmed / not-held certifications
source: security.appsmith.comNo public evidence. Appsmith's own trust center states: "We are working on our security compliance. We can provide completed questionnaires upon request," and lists no ISO 27001 badge or report alongside its SOC 2 entry.
source: appsmith.comNo public evidence of a formal GDPR-compliance statement or downloadable DPA. The privacy policy only references EU law generically: "This...does not apply, whenever the processing of Personal Data is subject to European data protection law," without naming GDPR, SCCs, or a DPA.
source: docs.appsmith.comNo public evidence of HIPAA compliance or a BAA offering. Appsmith's own FAQ instead tells regulated customers to self-host: "If you want to...ensure HIPAA compliance, you can self-host Appsmith to ensure none of your data leaves your VPC."
source: security.appsmith.comNo public evidence. Not mentioned on the trust center or security documentation; Appsmith does not process cardholder data as part of its product.
source: security.appsmith.comNo public evidence of an AI-management-system certification on the trust center or elsewhere on the vendor's domains.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Appsmith Cloud: hosted on AWS, data stored/processed in the US ("For Appsmith cloud users, data is stored and processed on servers in the US" - docs FAQ). Self-hosted editions (Community/Business/Enterprise): data stays entirely within the customer's own infrastructure/region of choice; Appsmith states it "does not store User data processed as part of its Services" for the core product.
Appsmith's AI copilot forwards only relevant portions of user prompts/documents to third-party model providers (OpenAI, Anthropic). Appsmith's own blog states: "We only work with providers who pledge to never store or use our customers' data to train their AI models." This is a blog statement, not a formal DPA/subprocessor addendum, so treat as directional rather than contractual until confirmed in an Order Form/DPA.
// Security controls
Encryption in transit
All traffic to and from Appsmith Cloud is secured using TLS; self-hosted instances can configure SSL via Let's Encrypt or a custom certificate.
docs.appsmith.comEncryption at rest
Sensitive data (database credentials, Git SSH keys) protected with AES-256 encryption; self-hosted deployments use a unique salt/password configuration.
docs.appsmith.comSSO
SAML and OIDC SSO supported for secure authentication with the customer's identity provider.
appsmith.comAccess control
Role-based access controls (RBAC) with granular roles, groups, and permissions; SCIM-based user provisioning from an IdP.
appsmith.comAccount security
Two-factor authentication (2FA) available for Appsmith Cloud accounts, with internal access strictly regulated.
docs.appsmith.comApplication security testing
Every code commit is scanned by Snyk, Deepsource, and Dependabot; regular third-party vulnerability and penetration tests are conducted (reports available on request via the trust center).
appsmith.comBackend data handling
The Appsmith backend acts as a proxy and does not log or store data returned from connected databases/API endpoints.
appsmith.com// Products & data scope
data: Runs entirely on customer-owned infrastructure; no application data leaves the customer's environment.
Free, Apache 2.0 licensed, community-supported. No SSO/SCIM/audit logging.
data: Self-hosted (including air-gapped options); customer retains full control of data and region.
Adds SAML/OIDC SSO, SCIM provisioning, RBAC, audit logging; covered by the same SOC 2 Type II report as Appsmith Cloud since the codebase is shared.
data: Hosted on AWS; data stored and processed on US-based servers per Appsmith's own FAQ.
Subject to Appsmith's SOC 2 Type II report. Docs page separately notes AWS's own SOC 1/SOC 2 attestation for the underlying data centers, which is the host's certification, not an additional Appsmith cert.
// What to watch
- Docs page (docs.appsmith.com/product/security) states 'The cloud version of Appsmith is hosted on AWS data centers that adhere to SOC 1 and SOC 2 compliance standards' - this is AWS's (the host's) certification, distinct from Appsmith's own SOC 2 Type II report (Certpro-audited, announced 2022, listed on Appsmith's own trust center). Both are real but must not be conflated when listing the cert.
- Third-party review sites (e.g. blaze.tech) claim Appsmith 'has security certifications that meet the requirements of SOC2, HIPAA, and GDPR' - this is NOT corroborated on any appsmith.com/docs.appsmith.com/security.appsmith.com page and contradicts Appsmith's own FAQ, which tells customers needing HIPAA-level control to self-host rather than claiming HIPAA compliance. Treat the third-party claim as an over-claim; not used for grading.
- Appsmith's trust center (security.appsmith.com, SafeBase-hosted) explicitly states it is 'working on our security compliance' beyond SOC 2, confirming ISO 27001 and similar frameworks are not yet held.
- Privacy policy is a generic Iubenda-style template that references 'European data protection law' without ever naming GDPR explicitly or linking a standalone DPA; fine for a growth-stage vendor but should not be marketed as 'GDPR certified'.
- AI-training no-training claim comes from an Appsmith blog post, not a contractual DPA/subprocessor list; confirm in the actual Order Form/DPA before relying on it for a regulated deployment.
// At a glance
Pricing model
Free open-source Community Edition; paid Business/Enterprise self-hosted tiers (license/seat-based); Appsmith Cloud SaaS subscription
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Appsmith, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.appsmith.com