// Trust & Security Report

    Domo, Inc. logo

    Domo, Inc.

    Business Intelligence, Data Analytics, and AI Platform

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1
    HELD

    Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.

    Verify on domo.com
    SOC 2 Type II
    HELD

    We are compliant with all applicable data protection regulations such as GDPR, CCPA, etc., and your data is handled with the highest standards of care as per the leading security frameworks and standards such as SOC 2 Type II, ISO 27001, ISO 27018, HITRUST, NIST CSF, and HIPAA.

    Verify on web-assets.domo.com
    ISO 27001
    HELD

    Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.

    Verify on domo.com
    ISO 27018
    HELD

    Yes, our SDLC process, which includes development practices for AI, have been audited by external third parties as part of our SOC 2, ISO 27001, ISO 27018, and HITRUST certifications.

    Verify on web-assets.domo.com
    HIPAA
    HELD

    Domo meets security, compliance, and privacy requirements for regulated industries including financial services, healthcare, life sciences, government, and energy. Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.

    Verify on domo.com
    HITRUST (Risk-based, 2-year)
    HELD

    Domo Achieves HITRUST Risk-based, 2-year Certification. Domo's cloud-based platform running on Amazon Web Services (AWS) has earned Certified status for information security by HITRUST.

    Verify on domo.com
    GDPR
    HELD

    Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA. Our data privacy policies are designed to meet or exceed the requirements of all relevant data protection regulations, such as the GDPR and CCPA.

    Verify on domo.com
    CCPA
    HELD

    Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.

    Verify on domo.com
    NIST CSF
    HELD

    Data is handled with the highest standards of care as per the leading security frameworks and standards such as SOC 2 Type II, ISO 27001, ISO 27018, HITRUST, NIST CSF, and HIPAA.

    Verify on web-assets.domo.com
    > Show 2 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP found on any Domo trust, security, or compliance page.

    source: domo.com
    PCI DSS
    NOT CONFIRMED

    No mention of PCI DSS found on any Domo trust, security, or compliance page.

    source: domo.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: AWS US-East-1, US-West-2, EU-West-1, EU-West-2, CA-Central-1, AP-Northeast-1 (Tokyo), AP-South-1, AP-Southeast-2; Azure East US; GCP US-East4; OCI US-Ashburn-1. Region selection confirmed via trust.domo.com service health dashboard.

    Explicit no-training commitment confirmed in official FAQ (July 2024): 'Is customer data used to train AI models? No, our current AI offerings do not use customer data to train AI models.' The default DomoGPT feature (powered by Amazon Bedrock) keeps all data inside Domo's private cloud. AWS does not log or store prompts. When OpenAI is used as a fallback, customer data is sent to OpenAI under a Domo enterprise agreement where OpenAI does not train on the data, and inputs/outputs are retained for up to 30 days for abuse detection only. Privacy policy explicitly states: 'Domo does not use Google Workspace APIs to develop, improve, or train generalized/non-personalized AI and/or ML models.'

    // Security controls

    Encryption in Transit

    Transport layer encryption (TLS). Confirmed: 'Transport layer encryption and encryption at rest' listed in Domo's security framework.

    domo.com

    Encryption at Rest

    Encryption at rest confirmed. BYOK (Bring Your Own Key) available: 'you supply and control the encryption keys for your Domo environment. You can rotate encryption keys multiple times per day. If you revoke your encryption keys, all data in your Domo instance becomes immediately unreadable.'

    domo.com

    Penetration Testing

    Annual third-party penetration tests confirmed: 'Domo completes third-party audits, compliance assessments, and annual penetration tests to meet customer and regulatory requirements.'

    domo.com

    Bug Bounty / Vulnerability Disclosure

    Vulnerability Disclosure Policy (VDP) hosted on HackerOne at hackerone.com/domo-technologies. Domo uses a responsible disclosure model, not a paid bug bounty. Security researchers report privately; Domo acknowledges and responds.

    hackerone.com

    Access Controls

    SAML- and OIDC-based SSO, Multi-Factor Authentication, IP address restrictions, Role-based access controls (RBAC), least-privilege and separation-of-duties model.

    domo.com

    AI Security (SDLC)

    Secure Development Lifecycle aligned to OWASP Top 10 for LLM Applications. AI SDLC audited externally as part of SOC 2, ISO 27001, ISO 27018, and HITRUST certifications.

    web-assets.domo.com

    AI/ML Incident Response

    Domo has a formal AI/ML Incident Response Plan (IRP). Per FAQ: 'Yes, it is included as part of Domo's formal IRP.'

    web-assets.domo.com

    Logging and Monitoring

    Extensive logging and monitoring of network, system, and application events. SIEM export supported for customer activity logs.

    domo.com

    Trust Center / Status Page

    Public service health dashboard at trust.domo.com showing real-time status across 11 cloud regions. Dedicated security portal at security.domo.com (requires Domo login) and compliance.domo.com (requires Domo login).

    trust.domo.com

    // Products & data scope

    Domo Platform (Core BI)Business Intelligence / Data Analytics

    data: Customer-controlled subscriber data ingested from 1000+ connectors. Domo acts as data processor; customer is data controller. Data governed by Customer Agreements and DPA, not Domo's public privacy notice.

    SOC 1, SOC 2 Type II, ISO 27001, ISO 27018, HIPAA, HITRUST all apply to the core platform. Multi-region deployment available.

    Domo.AI / DomoGPTAI Chat, AI Agents, AI Model Management

    data: By default uses DomoGPT (Amazon Bedrock, Anthropic models) within Domo's private AWS cloud. Customer data does not leave Domo's cloud. Fallback to OpenAI API available (configurable); under enterprise agreement OpenAI does not train on data. No customer data used to train models.

    Features: AI Chat, Beast-mode assistant, AI Services via Apps/Bricks/Workflows, AI Model Management. Customers can disable OpenAI models via Admin AI Service settings.

    Domo Everywhere (Embedded Analytics)Embedded Analytics / White-label BI

    data: Allows embedding Domo dashboards in external apps/portals. Data governance and access controls (RBAC, SSO) extend to embedded users. Subject to same compliance framework as core platform.

    Used to deliver analytics experiences to customers' own end-users. Data scope depends on what the Domo customer chooses to expose.

    Domo for EnterpriseEnterprise BI

    data: Full compliance suite (SOC 1/2, ISO 27001/27018, HIPAA, HITRUST). DPA, BYOK, SIEM export, Security Council governance. Targets regulated industries (healthcare, financial services, government, energy).

    Includes BYOK encryption and enterprise-grade SLAs. Custom contract terms available.

    Domo for BusinessSMB / Growth BI

    data: Standard platform with shared compliance framework. Same underlying cloud infrastructure; fewer customization options than Enterprise tier.

    Free Trial available. Compliance certifications still apply; BYOK and dedicated infrastructure may not be available at this tier.

    // What to watch

    • security.domo.com and compliance.domo.com portals require Domo login — external auditors cannot independently verify certification documents without a Domo account or contacting sales
    • NIST CSF is referenced as a framework Domo aligns to, but is listed alongside certifications in the AI FAQ; NIST CSF is not a formal certification so 'held' is marked unknown
    • When DomoGPT is unavailable (Azure East US region, Tokyo AWS region), OpenAI API is the fallback; customer data is then sent to OpenAI — configurable but on by default in those regions
    • HITRUST certification renewal cadence (2-year) means it could lapse between press release and current date; no independent real-time verification possible without the compliance portal login

    // At a glance

    Pricing model

    Subscription SaaS (annual contract, per-user or capacity-based). Free Trial available. No permanent free tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Domo, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.domo.com

    > Browse all vendor trust reports