// Trust & Security Report

    WEWEB SAS logo

    WEWEB SAS

    Visual development platform (no-code/low-code builder) for building production-grade web applications with AI assistance. Includes visual editor, API integration layer, and code export capabilities (Vue.js SPA).

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence that WeWeb itself holds a SOC 2 Type II report. The DPA's only reference attributes the audit to its outsourced infrastructure provider's data centers, not to WeWeb as a company: 'We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers' data centers. ... The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.' This describes the hosting provider's (AWS) certification, not a WeWeb-held one.

    source: weweb.io
    ISO 27001
    NOT CONFIRMED

    No public evidence that WeWeb itself holds an ISO 27001 certificate. The DPA's only reference attributes the audit to its outsourced infrastructure provider's data centers, not to WeWeb as a company: 'We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers' data centers. ... The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.' This describes the hosting provider's (AWS) certification, not a WeWeb-held one.

    source: weweb.io
    GDPR Compliance Posture
    NOT CONFIRMED

    GDPR is not a formal certification but a regulatory compliance requirement. WeWeb acknowledges data subject rights under GDPR and assists controllers in meeting obligations, but holds no formal 'GDPR certification' (which does not exist as a standard).

    source: weweb.io
    HIPAA Certification
    NOT CONFIRMED

    WeWeb enables HIPAA-compliant configurations: 'you can satisfy HIPAA compliance while using WeWeb as your frontend if you use a HIPAA-compliant backend and connect to it through APIs in the Data & API tab, with sensitive health data stored and processed only in that backend.' WeWeb itself does not claim to be HIPAA-certified.

    source: community.weweb.io
    ISO 27017 (Cloud-Specific)
    NOT CONFIRMED

    no public evidence

    source: weweb.io
    ISO 27018 (Personal Data in Cloud)
    NOT CONFIRMED

    no public evidence

    source: weweb.io
    PCI DSS
    NOT CONFIRMED

    no public evidence

    source: weweb.io
    FedRAMP
    NOT CONFIRMED

    no public evidence

    source: weweb.io

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Per the DPA, WeWeb hosts the editor and published applications on Amazon Web Services (AWS), with the sub-processor table listing the USA as the primary data location (some plugin sub-processors offer user-selected regions). Policy also emphasizes 'keep data on your servers' via API connections to external backends. No EU-resident hosting option is documented for the core platform.

    WeWeb AI feature is mentioned for generating web-apps, but no explicit policy on training data usage found. No statement on whether customer data is used to train the AI. This should be clarified.

    // Security controls

    Encryption in Transit

    HTTPS/TLS (SSL) on all login interfaces and all customer sites

    weweb.io

    Encryption at Rest

    Encryption for stored data; passwords encrypted following industry standards

    weweb.io

    Multi-Tenancy Architecture

    Logical and physical segregation of customer data

    weweb.io

    Access Control

    API keys and OAuth authorization; uniform password policy enforcement

    weweb.io

    Monitoring & Logging

    Extensive logging of system behavior and authentication; alerts for anomalous activities

    weweb.io

    Incident Response

    Security incident documentation and investigation procedures

    weweb.io

    Availability SLA

    Minimum 99.84% uptime commitment with N+1 redundancy for power, network, and HVAC

    weweb.io

    Disaster Recovery

    Backup systems with redundancy; disaster recovery plans with regular testing

    weweb.io

    Data Replication

    Data replicated across multiple availability zones

    weweb.io

    Sub-processor Management

    Contractual data protection requirements imposed on sub-processors with vendor compliance oversight

    weweb.io

    // Products & data scope

    WeWeb Platform (SaaS)No-Code / Low-Code Visual Development Platform

    data: Application data, configurations, Google Sheets integrations. Does not store end-user application data by default (can be configured to route to external backends).

    Primary product. Supports AI-assisted code generation, visual editor, and code export (Vue.js SPA). Can be self-hosted after export.

    WeWeb AIAI-Powered Code Generation

    data: Prompt input for app generation; generated code artifacts

    AI feature that generates full web-apps from natural language. No public policy on whether customer prompts/apps are used for model training.

    WeWeb MarketplacePlugin/Template Marketplace

    data: Marketplace content, user reviews, transactions

    Allows third-party plugin and template distribution. Subject to separate Marketplace Terms.

    // What to watch

    • OUTDATED_PRIVACY_POLICY: Privacy policy dated January 1, 2021 - over 5 years old. Does not mention SOC 2 or ISO 27001 certs.
    • HOST_CERT_CONFLATION: The DPA's SOC 2 Type II and ISO 27001 reference describes the outsourced infrastructure provider's (AWS) data-center 'physical and environmental security controls', NOT a WeWeb company-level certification. No public evidence WeWeb itself holds either certification. Both downgraded to held=false.
    • THIN_TRUST_CENTER: No dedicated public trust center or security page on main domain. The only compliance language lives in the DPA, which is not linked prominently and references its hosting provider's certifications rather than WeWeb's own.
    • CONDITIONAL_HIPAA: Marketing claims HIPAA compliance, but vendor itself does not hold HIPAA certification. Platform enables HIPAA-compliant use only if backend is separately HIPAA-certified.
    • CONDITIONAL_GDPR: Vendor commits to GDPR compliance obligations but this is not a formal certification. Privacy policy is outdated and minimal on GDPR specifics.
    • AI_TRAINING_AMBIGUOUS: WeWeb AI feature is prominent, but no public policy on whether customer prompts/generated code are used for model training. This is a material gap for vendors serving regulated industries.
    • NO_AUDIT_DATES: DPA mentions SOC 2 Type II and ISO 27001 (attributed to the hosting provider) but provides no audit dates, certificate numbers, or expiry dates for WeWeb or the provider.
    • DATA_REGION_US_ONLY: WeWeb hosts the editor and published apps on AWS with the USA as the primary data location per the DPA sub-processor table. No EU-resident hosting option is documented for the core platform, which is a residency consideration for EU/GDPR-sensitive buyers despite the 'keep data on your servers' API architecture.
    • TERMS_OUTDATED: Terms and Conditions from May 9, 2023. Not updated for 2 years despite rapid AI/no-code market changes.
    • LIMITED_COMPLIANCE_DOCS: No publicly available SOC 2 report or ISO 27001 certificate for WeWeb itself. Buyers requiring vendor-level SOC 2/ISO 27001 must confirm directly whether WeWeb (not just its hosting provider) holds an audited certification.

    // At a glance

    Pricing model

    Subscription-based (monthly or annual billing). Freemium tier available. Enterprise plans custom-quoted.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on WEWEB SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    weweb.io

    > Browse all vendor trust reports