// Trust & Security Report
Domo, Inc.
Business Intelligence, Data Analytics, and AI Platform
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on domo.com“Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.”
Verify on web-assets.domo.com“We are compliant with all applicable data protection regulations such as GDPR, CCPA, etc., and your data is handled with the highest standards of care as per the leading security frameworks and standards such as SOC 2 Type II, ISO 27001, ISO 27018, HITRUST, NIST CSF, and HIPAA.”
Verify on domo.com“Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.”
Verify on web-assets.domo.com“Yes, our SDLC process, which includes development practices for AI, have been audited by external third parties as part of our SOC 2, ISO 27001, ISO 27018, and HITRUST certifications.”
Verify on domo.com“Domo meets security, compliance, and privacy requirements for regulated industries including financial services, healthcare, life sciences, government, and energy. Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.”
Verify on domo.com“Domo Achieves HITRUST Risk-based, 2-year Certification. Domo's cloud-based platform running on Amazon Web Services (AWS) has earned Certified status for information security by HITRUST.”
Verify on domo.com“Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA. Our data privacy policies are designed to meet or exceed the requirements of all relevant data protection regulations, such as the GDPR and CCPA.”
Verify on domo.com“Current certifications include SOC 1, SOC 2, ISO 27001, ISO 27018, HIPAA, HITRUST, GDPR, and CCPA.”
Verify on web-assets.domo.com“Data is handled with the highest standards of care as per the leading security frameworks and standards such as SOC 2 Type II, ISO 27001, ISO 27018, HITRUST, NIST CSF, and HIPAA.”
> Show 2 unconfirmed / not-held certifications
source: domo.comNo mention of FedRAMP found on any Domo trust, security, or compliance page.
source: domo.comNo mention of PCI DSS found on any Domo trust, security, or compliance page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: AWS US-East-1, US-West-2, EU-West-1, EU-West-2, CA-Central-1, AP-Northeast-1 (Tokyo), AP-South-1, AP-Southeast-2; Azure East US; GCP US-East4; OCI US-Ashburn-1. Region selection confirmed via trust.domo.com service health dashboard.
Explicit no-training commitment confirmed in official FAQ (July 2024): 'Is customer data used to train AI models? No, our current AI offerings do not use customer data to train AI models.' The default DomoGPT feature (powered by Amazon Bedrock) keeps all data inside Domo's private cloud. AWS does not log or store prompts. When OpenAI is used as a fallback, customer data is sent to OpenAI under a Domo enterprise agreement where OpenAI does not train on the data, and inputs/outputs are retained for up to 30 days for abuse detection only. Privacy policy explicitly states: 'Domo does not use Google Workspace APIs to develop, improve, or train generalized/non-personalized AI and/or ML models.'
// Security controls
Encryption in Transit
Transport layer encryption (TLS). Confirmed: 'Transport layer encryption and encryption at rest' listed in Domo's security framework.
domo.comEncryption at Rest
Encryption at rest confirmed. BYOK (Bring Your Own Key) available: 'you supply and control the encryption keys for your Domo environment. You can rotate encryption keys multiple times per day. If you revoke your encryption keys, all data in your Domo instance becomes immediately unreadable.'
domo.comPenetration Testing
Annual third-party penetration tests confirmed: 'Domo completes third-party audits, compliance assessments, and annual penetration tests to meet customer and regulatory requirements.'
domo.comBug Bounty / Vulnerability Disclosure
Vulnerability Disclosure Policy (VDP) hosted on HackerOne at hackerone.com/domo-technologies. Domo uses a responsible disclosure model, not a paid bug bounty. Security researchers report privately; Domo acknowledges and responds.
hackerone.comAccess Controls
SAML- and OIDC-based SSO, Multi-Factor Authentication, IP address restrictions, Role-based access controls (RBAC), least-privilege and separation-of-duties model.
domo.comAI Security (SDLC)
Secure Development Lifecycle aligned to OWASP Top 10 for LLM Applications. AI SDLC audited externally as part of SOC 2, ISO 27001, ISO 27018, and HITRUST certifications.
web-assets.domo.comAI/ML Incident Response
Domo has a formal AI/ML Incident Response Plan (IRP). Per FAQ: 'Yes, it is included as part of Domo's formal IRP.'
web-assets.domo.comLogging and Monitoring
Extensive logging and monitoring of network, system, and application events. SIEM export supported for customer activity logs.
domo.comTrust Center / Status Page
Public service health dashboard at trust.domo.com showing real-time status across 11 cloud regions. Dedicated security portal at security.domo.com (requires Domo login) and compliance.domo.com (requires Domo login).
trust.domo.com// Products & data scope
data: Customer-controlled subscriber data ingested from 1000+ connectors. Domo acts as data processor; customer is data controller. Data governed by Customer Agreements and DPA, not Domo's public privacy notice.
SOC 1, SOC 2 Type II, ISO 27001, ISO 27018, HIPAA, HITRUST all apply to the core platform. Multi-region deployment available.
data: By default uses DomoGPT (Amazon Bedrock, Anthropic models) within Domo's private AWS cloud. Customer data does not leave Domo's cloud. Fallback to OpenAI API available (configurable); under enterprise agreement OpenAI does not train on data. No customer data used to train models.
Features: AI Chat, Beast-mode assistant, AI Services via Apps/Bricks/Workflows, AI Model Management. Customers can disable OpenAI models via Admin AI Service settings.
data: Allows embedding Domo dashboards in external apps/portals. Data governance and access controls (RBAC, SSO) extend to embedded users. Subject to same compliance framework as core platform.
Used to deliver analytics experiences to customers' own end-users. Data scope depends on what the Domo customer chooses to expose.
data: Full compliance suite (SOC 1/2, ISO 27001/27018, HIPAA, HITRUST). DPA, BYOK, SIEM export, Security Council governance. Targets regulated industries (healthcare, financial services, government, energy).
Includes BYOK encryption and enterprise-grade SLAs. Custom contract terms available.
data: Standard platform with shared compliance framework. Same underlying cloud infrastructure; fewer customization options than Enterprise tier.
Free Trial available. Compliance certifications still apply; BYOK and dedicated infrastructure may not be available at this tier.
// What to watch
- security.domo.com and compliance.domo.com portals require Domo login — external auditors cannot independently verify certification documents without a Domo account or contacting sales
- NIST CSF is referenced as a framework Domo aligns to, but is listed alongside certifications in the AI FAQ; NIST CSF is not a formal certification so 'held' is marked unknown
- When DomoGPT is unavailable (Azure East US region, Tokyo AWS region), OpenAI API is the fallback; customer data is then sent to OpenAI — configurable but on by default in those regions
- HITRUST certification renewal cadence (2-year) means it could lapse between press release and current date; no independent real-time verification possible without the compliance portal login
// At a glance
Pricing model
Subscription SaaS (annual contract, per-user or capacity-based). Free Trial available. No permanent free tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Domo, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.domo.com