// Trust & Security Report
SmartBear Software Inc.
Swagger is SmartBear's API design/documentation brand: (1) free open-source tools (Swagger Editor, Swagger UI, Swagger Codegen) that run client-side/self-hosted with no vendor-side data processing, and (2) the commercial "Swagger" team/enterprise offering, which is SmartBear's SwaggerHub SaaS product for API design governance, collaboration, and hosting of API specs.
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.smartbear.com“SmartBear's 2025 SOC2 Type 2 report has been issued and is available for download. The Scope of this SOC 2 Type 2 covers SwaggerHub, Portal, Explore, Pactflow, Zephyr Enterprise, Zephyr (formerly Scale), Zephyr Essentials (formerly Squad) and Platform Services based on the trust service criteria relevant to Security.”
Verify on trust.smartbear.com“"ISO/IEC 27001" is listed as a compliance certification/document category on SmartBear's official Trust Center (badge and document entry under Compliance); full certificate requires an access request through the trust portal.”
Verify on smartbear.com“"SmartBear and its subsidiary QMetry Inc. comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF)"; the privacy policy separately documents GDPR data-subject rights (access, correction, erasure, restriction) for EU/UK individuals and use of Standard Contractual Clauses for transfers outside the EEA.”
Verify on trust.smartbear.com“CCPA is listed as a compliance badge on SmartBear's Trust Center, and the privacy policy documents California resident rights consistent with the CCPA.”
> Show 6 unconfirmed / not-held certifications
source: trust.smartbear.comNo public evidence of a HIPAA attestation, BAA offering, or HIPAA compliance claim on SmartBear's trust center, security page, or privacy policy.
source: trust.smartbear.comNo public evidence of PCI DSS certification on SmartBear's trust center or security page; Swagger/SwaggerHub does not process payment card data as part of its core product.
source: trust.smartbear.comNo public evidence of FedRAMP authorization on SmartBear's trust center or security page (note: some third-party aggregator listings claim FedRAMP for SmartBear, but this was not corroborated on any smartbear.com or swagger.io domain page).
source: trust.smartbear.comNo public evidence of a CSA STAR registry entry or self-assessment on SmartBear's trust center or security page (third-party sources mention "CSA Star Level 1" but this could not be verified on a vendor-owned page).
source: smartbear.comNo public evidence of ISO/IEC 42001 or any AI-governance-specific certification on SmartBear's trust center or security page.
source: trust.smartbear.comNo public evidence of ISO 27017, 27018, or 27701 certification on SmartBear's trust center; only ISO/IEC 27001 is listed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
"We process and store personal information both inside the United States and overseas." Transfers outside the EEA/UK use GDPR-compliant safeguards including Standard Contractual Clauses. No dedicated EU-only or region-locked hosting option was found for Swagger/SwaggerHub specifically.
Neither the SmartBear privacy policy nor the security page states whether customer API specs / SwaggerHub content are used to train AI models. The security page references only "restrictions on sharing confidential or customer data with AI systems" (an internal-use control), not a customer-facing AI-training commitment. Treated as unconfirmed (null) rather than assumed false or true.
// Security controls
Encryption in transit and at rest
Data encryption for data in transit and at rest cited as a standing security practice
smartbear.comAdministrative access control
Multi-factor authentication required for administrative access
smartbear.comMonitoring & incident response
Centralized logging and monitoring, with a formal incident response program
smartbear.comHosting infrastructure
Runs on Amazon Web Services (AWS EKS & EC2) per SmartBear's trust center infrastructure disclosure
trust.smartbear.comSOC 2 audit scope
2025 SOC 2 Type 2 report covers SwaggerHub, Portal, Explore, Pactflow, Zephyr Enterprise/Scale/Essentials, and Platform Services (Trust Services Criteria: Security)
trust.smartbear.com// Products & data scope
data: Runs in the browser or self-hosted; no customer API-spec data is sent to or processed by SmartBear as a SaaS backend for these tools
Free and community-maintained; not named in the scope of SmartBear's SOC 2 Type 2 report, since there is no vendor-hosted data flow for these tools by default. Self-hostable.
data: Hosts customer API specifications (OpenAPI/AsyncAPI/JSON Schema), team collaboration data, org/role metadata, and integration credentials for connected API gateways/version control
This is the product explicitly named "SwaggerHub" in SmartBear's SOC 2 Type 2 scope statement. It is SaaS-hosted, not self-hostable in the standard commercial tiers found.
// What to watch
- AIFOXX should not display SOC 2/ISO 27001 badges against the free open-source tools without the SwaggerHub/commercial-tier caveat, to avoid an over-claim.
- ISO/IEC 27001 is listed as a named compliance document category on SmartBear's Trust Center (SafeBase-hosted), but the underlying certificate/scope statement is gated behind an access request and was not independently viewable, so the exact certification scope and issuing body could not be fully confirmed beyond the badge listing.
- Third-party aggregator pages (not vendor-owned) claim SmartBear also holds FedRAMP and CSA STAR Level 1; these were NOT found on any smartbear.com or swagger.io page and are graded held=false per the no-fabrication rule pending vendor-domain confirmation.
- No vendor statement found confirming or denying AI-model training on customer/API-spec data for Swagger/SwaggerHub's AI features; graded null rather than assumed.
- All Rights Reserved.").
// At a glance
Pricing model
Freemium: open-source tools are free; SwaggerHub / "Swagger" team and enterprise tiers are subscription-based (per-seat/org pricing, contact sales for enterprise)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SmartBear Software Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.smartbear.com