// Trust & Security Report

    Appsmith, Inc. logo

    Appsmith, Inc.

    Open-source low-code application platform for building internal tools (admin panels, dashboards, portals). Ships as free self-hosted Community Edition (Apache 2.0), paid self-hosted Business/Enterprise Editions with SSO/RBAC/audit logging, and a hosted Appsmith Cloud SaaS offering.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II Proven security processes and controls.

    Verify on appsmith.com
    SOC 2 Type II (trust center corroboration)
    HELD

    Trust center lists a "SOC 2" compliance badge and states: "We are working on our security compliance. We can provide completed questionnaires upon request."

    Verify on security.appsmith.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Appsmith's own trust center states: "We are working on our security compliance. We can provide completed questionnaires upon request," and lists no ISO 27001 badge or report alongside its SOC 2 entry.

    source: security.appsmith.com
    GDPR (posture)
    NOT CONFIRMED

    No public evidence of a formal GDPR-compliance statement or downloadable DPA. The privacy policy only references EU law generically: "This...does not apply, whenever the processing of Personal Data is subject to European data protection law," without naming GDPR, SCCs, or a DPA.

    source: appsmith.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or a BAA offering. Appsmith's own FAQ instead tells regulated customers to self-host: "If you want to...ensure HIPAA compliance, you can self-host Appsmith to ensure none of your data leaves your VPC."

    source: docs.appsmith.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not mentioned on the trust center or security documentation; Appsmith does not process cardholder data as part of its product.

    source: security.appsmith.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of an AI-management-system certification on the trust center or elsewhere on the vendor's domains.

    source: security.appsmith.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Appsmith Cloud: hosted on AWS, data stored/processed in the US ("For Appsmith cloud users, data is stored and processed on servers in the US" - docs FAQ). Self-hosted editions (Community/Business/Enterprise): data stays entirely within the customer's own infrastructure/region of choice; Appsmith states it "does not store User data processed as part of its Services" for the core product.

    Appsmith's AI copilot forwards only relevant portions of user prompts/documents to third-party model providers (OpenAI, Anthropic). Appsmith's own blog states: "We only work with providers who pledge to never store or use our customers' data to train their AI models." This is a blog statement, not a formal DPA/subprocessor addendum, so treat as directional rather than contractual until confirmed in an Order Form/DPA.

    // Security controls

    Encryption in transit

    All traffic to and from Appsmith Cloud is secured using TLS; self-hosted instances can configure SSL via Let's Encrypt or a custom certificate.

    docs.appsmith.com

    Encryption at rest

    Sensitive data (database credentials, Git SSH keys) protected with AES-256 encryption; self-hosted deployments use a unique salt/password configuration.

    docs.appsmith.com

    SSO

    SAML and OIDC SSO supported for secure authentication with the customer's identity provider.

    appsmith.com

    Access control

    Role-based access controls (RBAC) with granular roles, groups, and permissions; SCIM-based user provisioning from an IdP.

    appsmith.com

    Audit logging

    Audit logs to track organizational use and support incident remediation.

    appsmith.com

    Account security

    Two-factor authentication (2FA) available for Appsmith Cloud accounts, with internal access strictly regulated.

    docs.appsmith.com

    Application security testing

    Every code commit is scanned by Snyk, Deepsource, and Dependabot; regular third-party vulnerability and penetration tests are conducted (reports available on request via the trust center).

    appsmith.com

    Backend data handling

    The Appsmith backend acts as a proxy and does not log or store data returned from connected databases/API endpoints.

    appsmith.com

    // Products & data scope

    Appsmith Community EditionSelf-hosted, open-source low-code platform

    data: Runs entirely on customer-owned infrastructure; no application data leaves the customer's environment.

    Free, Apache 2.0 licensed, community-supported. No SSO/SCIM/audit logging.

    Appsmith Business / Enterprise EditionSelf-hosted low-code platform with enterprise controls

    data: Self-hosted (including air-gapped options); customer retains full control of data and region.

    Adds SAML/OIDC SSO, SCIM provisioning, RBAC, audit logging; covered by the same SOC 2 Type II report as Appsmith Cloud since the codebase is shared.

    Appsmith CloudHosted SaaS (managed low-code platform)

    data: Hosted on AWS; data stored and processed on US-based servers per Appsmith's own FAQ.

    Subject to Appsmith's SOC 2 Type II report. Docs page separately notes AWS's own SOC 1/SOC 2 attestation for the underlying data centers, which is the host's certification, not an additional Appsmith cert.

    // What to watch

    • Docs page (docs.appsmith.com/product/security) states 'The cloud version of Appsmith is hosted on AWS data centers that adhere to SOC 1 and SOC 2 compliance standards' - this is AWS's (the host's) certification, distinct from Appsmith's own SOC 2 Type II report (Certpro-audited, announced 2022, listed on Appsmith's own trust center). Both are real but must not be conflated when listing the cert.
    • Third-party review sites (e.g. blaze.tech) claim Appsmith 'has security certifications that meet the requirements of SOC2, HIPAA, and GDPR' - this is NOT corroborated on any appsmith.com/docs.appsmith.com/security.appsmith.com page and contradicts Appsmith's own FAQ, which tells customers needing HIPAA-level control to self-host rather than claiming HIPAA compliance. Treat the third-party claim as an over-claim; not used for grading.
    • Appsmith's trust center (security.appsmith.com, SafeBase-hosted) explicitly states it is 'working on our security compliance' beyond SOC 2, confirming ISO 27001 and similar frameworks are not yet held.
    • Privacy policy is a generic Iubenda-style template that references 'European data protection law' without ever naming GDPR explicitly or linking a standalone DPA; fine for a growth-stage vendor but should not be marketed as 'GDPR certified'.
    • AI-training no-training claim comes from an Appsmith blog post, not a contractual DPA/subprocessor list; confirm in the actual Order Form/DPA before relying on it for a regulated deployment.

    // At a glance

    Pricing model

    Free open-source Community Edition; paid Business/Enterprise self-hosted tiers (license/seat-based); Appsmith Cloud SaaS subscription

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Appsmith, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.appsmith.com

    > Browse all vendor trust reports