// Trust & Security Report

    SmartBear Software Inc. logo

    SmartBear Software Inc.

    Swagger is SmartBear's API design/documentation brand: (1) free open-source tools (Swagger Editor, Swagger UI, Swagger Codegen) that run client-side/self-hosted with no vendor-side data processing, and (2) the commercial "Swagger" team/enterprise offering, which is SmartBear's SwaggerHub SaaS product for API design governance, collaboration, and hosting of API specs.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SmartBear's 2025 SOC2 Type 2 report has been issued and is available for download. The Scope of this SOC 2 Type 2 covers SwaggerHub, Portal, Explore, Pactflow, Zephyr Enterprise, Zephyr (formerly Scale), Zephyr Essentials (formerly Squad) and Platform Services based on the trust service criteria relevant to Security.

    Verify on trust.smartbear.com
    ISO/IEC 27001
    HELD

    "ISO/IEC 27001" is listed as a compliance certification/document category on SmartBear's official Trust Center (badge and document entry under Compliance); full certificate requires an access request through the trust portal.

    Verify on trust.smartbear.com
    GDPR
    HELD

    "SmartBear and its subsidiary QMetry Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF)"; the privacy policy separately documents GDPR data-subject rights (access, correction, erasure, restriction) for EU/UK individuals and use of Standard Contractual Clauses for transfers outside the EEA.

    Verify on smartbear.com
    CCPA
    HELD

    CCPA is listed as a compliance badge on SmartBear's Trust Center, and the privacy policy documents California resident rights consistent with the CCPA.

    Verify on trust.smartbear.com
    > Show 6 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA attestation, BAA offering, or HIPAA compliance claim on SmartBear's trust center, security page, or privacy policy.

    source: trust.smartbear.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on SmartBear's trust center or security page; Swagger/SwaggerHub does not process payment card data as part of its core product.

    source: trust.smartbear.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on SmartBear's trust center or security page (note: some third-party aggregator listings claim FedRAMP for SmartBear, but this was not corroborated on any smartbear.com or swagger.io domain page).

    source: trust.smartbear.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or self-assessment on SmartBear's trust center or security page (third-party sources mention "CSA Star Level 1" but this could not be verified on a vendor-owned page).

    source: trust.smartbear.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI-governance-specific certification on SmartBear's trust center or security page.

    source: smartbear.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence of ISO 27017, 27018, or 27701 certification on SmartBear's trust center; only ISO/IEC 27001 is listed.

    source: trust.smartbear.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    "We process and store personal information both inside the United States and overseas." Transfers outside the EEA/UK use GDPR-compliant safeguards including Standard Contractual Clauses. No dedicated EU-only or region-locked hosting option was found for Swagger/SwaggerHub specifically.

    Neither the SmartBear privacy policy nor the security page states whether customer API specs / SwaggerHub content are used to train AI models. The security page references only "restrictions on sharing confidential or customer data with AI systems" (an internal-use control), not a customer-facing AI-training commitment. Treated as unconfirmed (null) rather than assumed false or true.

    // Security controls

    Encryption in transit and at rest

    Data encryption for data in transit and at rest cited as a standing security practice

    smartbear.com

    Administrative access control

    Multi-factor authentication required for administrative access

    smartbear.com

    Secure development

    Secure code scanning and dependency analysis as part of the SDLC

    smartbear.com

    Monitoring & incident response

    Centralized logging and monitoring, with a formal incident response program

    smartbear.com

    Business continuity

    Regular backup testing and business continuity planning

    smartbear.com

    Third-party risk management

    Third-party vendor security assessments performed

    smartbear.com

    Hosting infrastructure

    Runs on Amazon Web Services (AWS EKS & EC2) per SmartBear's trust center infrastructure disclosure

    trust.smartbear.com

    SOC 2 audit scope

    2025 SOC 2 Type 2 report covers SwaggerHub, Portal, Explore, Pactflow, Zephyr Enterprise/Scale/Essentials, and Platform Services (Trust Services Criteria: Security)

    trust.smartbear.com

    // Products & data scope

    Swagger Open Source Tools (Swagger Editor, Swagger UI, Swagger Codegen)Open-source developer tooling

    data: Runs in the browser or self-hosted; no customer API-spec data is sent to or processed by SmartBear as a SaaS backend for these tools

    Free and community-maintained; not named in the scope of SmartBear's SOC 2 Type 2 report, since there is no vendor-hosted data flow for these tools by default. Self-hostable.

    Swagger (commercial team/enterprise tier, delivered as SwaggerHub)API design & governance SaaS

    data: Hosts customer API specifications (OpenAPI/AsyncAPI/JSON Schema), team collaboration data, org/role metadata, and integration credentials for connected API gateways/version control

    This is the product explicitly named "SwaggerHub" in SmartBear's SOC 2 Type 2 scope statement. It is SaaS-hosted, not self-hostable in the standard commercial tiers found.

    // What to watch

    • AIFOXX should not display SOC 2/ISO 27001 badges against the free open-source tools without the SwaggerHub/commercial-tier caveat, to avoid an over-claim.
    • ISO/IEC 27001 is listed as a named compliance document category on SmartBear's Trust Center (SafeBase-hosted), but the underlying certificate/scope statement is gated behind an access request and was not independently viewable, so the exact certification scope and issuing body could not be fully confirmed beyond the badge listing.
    • Third-party aggregator pages (not vendor-owned) claim SmartBear also holds FedRAMP and CSA STAR Level 1; these were NOT found on any smartbear.com or swagger.io page and are graded held=false per the no-fabrication rule pending vendor-domain confirmation.
    • No vendor statement found confirming or denying AI-model training on customer/API-spec data for Swagger/SwaggerHub's AI features; graded null rather than assumed.
    • All Rights Reserved.").

    // At a glance

    Pricing model

    Freemium: open-source tools are free; SwaggerHub / "Swagger" team and enterprise tiers are subscription-based (per-seat/org pricing, contact sales for enterprise)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SmartBear Software Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.smartbear.com

    > Browse all vendor trust reports