// Trust & Security Report
WEWEB SAS
Visual development platform (no-code/low-code builder) for building production-grade web applications with AI assistance. Includes visual editor, API integration layer, and code export capabilities (Vue.js SPA).
Certifications held
0
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: weweb.ioNo public evidence that WeWeb itself holds a SOC 2 Type II report. The DPA's only reference attributes the audit to its outsourced infrastructure provider's data centers, not to WeWeb as a company: 'We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers' data centers. ... The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.' This describes the hosting provider's (AWS) certification, not a WeWeb-held one.
source: weweb.ioNo public evidence that WeWeb itself holds an ISO 27001 certificate. The DPA's only reference attributes the audit to its outsourced infrastructure provider's data centers, not to WeWeb as a company: 'We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers' data centers. ... The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.' This describes the hosting provider's (AWS) certification, not a WeWeb-held one.
source: weweb.ioGDPR is not a formal certification but a regulatory compliance requirement. WeWeb acknowledges data subject rights under GDPR and assists controllers in meeting obligations, but holds no formal 'GDPR certification' (which does not exist as a standard).
source: community.weweb.ioWeWeb enables HIPAA-compliant configurations: 'you can satisfy HIPAA compliance while using WeWeb as your frontend if you use a HIPAA-compliant backend and connect to it through APIs in the Data & API tab, with sensitive health data stored and processed only in that backend.' WeWeb itself does not claim to be HIPAA-certified.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Per the DPA, WeWeb hosts the editor and published applications on Amazon Web Services (AWS), with the sub-processor table listing the USA as the primary data location (some plugin sub-processors offer user-selected regions). Policy also emphasizes 'keep data on your servers' via API connections to external backends. No EU-resident hosting option is documented for the core platform.
WeWeb AI feature is mentioned for generating web-apps, but no explicit policy on training data usage found. No statement on whether customer data is used to train the AI. This should be clarified.
// Security controls
Encryption at Rest
Encryption for stored data; passwords encrypted following industry standards
weweb.ioMonitoring & Logging
Extensive logging of system behavior and authentication; alerts for anomalous activities
weweb.ioAvailability SLA
Minimum 99.84% uptime commitment with N+1 redundancy for power, network, and HVAC
weweb.ioDisaster Recovery
Backup systems with redundancy; disaster recovery plans with regular testing
weweb.ioSub-processor Management
Contractual data protection requirements imposed on sub-processors with vendor compliance oversight
weweb.io// Products & data scope
data: Application data, configurations, Google Sheets integrations. Does not store end-user application data by default (can be configured to route to external backends).
Primary product. Supports AI-assisted code generation, visual editor, and code export (Vue.js SPA). Can be self-hosted after export.
data: Prompt input for app generation; generated code artifacts
AI feature that generates full web-apps from natural language. No public policy on whether customer prompts/apps are used for model training.
data: Marketplace content, user reviews, transactions
Allows third-party plugin and template distribution. Subject to separate Marketplace Terms.
// What to watch
- OUTDATED_PRIVACY_POLICY: Privacy policy dated January 1, 2021 - over 5 years old. Does not mention SOC 2 or ISO 27001 certs.
- HOST_CERT_CONFLATION: The DPA's SOC 2 Type II and ISO 27001 reference describes the outsourced infrastructure provider's (AWS) data-center 'physical and environmental security controls', NOT a WeWeb company-level certification. No public evidence WeWeb itself holds either certification. Both downgraded to held=false.
- THIN_TRUST_CENTER: No dedicated public trust center or security page on main domain. The only compliance language lives in the DPA, which is not linked prominently and references its hosting provider's certifications rather than WeWeb's own.
- CONDITIONAL_HIPAA: Marketing claims HIPAA compliance, but vendor itself does not hold HIPAA certification. Platform enables HIPAA-compliant use only if backend is separately HIPAA-certified.
- CONDITIONAL_GDPR: Vendor commits to GDPR compliance obligations but this is not a formal certification. Privacy policy is outdated and minimal on GDPR specifics.
- AI_TRAINING_AMBIGUOUS: WeWeb AI feature is prominent, but no public policy on whether customer prompts/generated code are used for model training. This is a material gap for vendors serving regulated industries.
- NO_AUDIT_DATES: DPA mentions SOC 2 Type II and ISO 27001 (attributed to the hosting provider) but provides no audit dates, certificate numbers, or expiry dates for WeWeb or the provider.
- DATA_REGION_US_ONLY: WeWeb hosts the editor and published apps on AWS with the USA as the primary data location per the DPA sub-processor table. No EU-resident hosting option is documented for the core platform, which is a residency consideration for EU/GDPR-sensitive buyers despite the 'keep data on your servers' API architecture.
- TERMS_OUTDATED: Terms and Conditions from May 9, 2023. Not updated for 2 years despite rapid AI/no-code market changes.
- LIMITED_COMPLIANCE_DOCS: No publicly available SOC 2 report or ISO 27001 certificate for WeWeb itself. Buyers requiring vendor-level SOC 2/ISO 27001 must confirm directly whether WeWeb (not just its hosting provider) holds an audited certification.
// At a glance
Pricing model
Subscription-based (monthly or annual billing). Freemium tier available. Enterprise plans custom-quoted.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on WEWEB SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
weweb.io