// Trust & Security Report
Xano, Inc.
No-Code Backend Platform (APIs, Database, Logic, Auth)
Certifications held
14
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.xano.com“Xano has completed a comprehensive SOC 2 Type 2 audit. Xano went through a detailed audit with a reputable AICPA auditor and the attestation can be found below.”
Verify on security.xano.com“SOC 3 Report [listed under Documentation > Reports in Xano Security Center]”
Verify on security.xano.com“Xano has the ISO certification. Files: Dekra_ISO_27001_Cert.png [certificate on file, available on request]”
Verify on security.xano.com“Files: Xano Inc. ISO 27701 [certificate on file, available on request]”
Verify on security.xano.com“Xano has the ISO certification. Files: Xano ISO 9001 Certification [available on request]”
Verify on security.xano.com“Xano was recently audited and meets all the criteria required for HIPAA compliance. Files: Letter of Attestation 2024 [available on request]. BAA available at Scale1x ($500/mo add-on) or standard with Enterprise plan.”
Verify on security.xano.com“Committing in our Privacy Policy to comply with GDPR in relation to processing of customer personal data. Files: GDPR Letter of Attestation 2024 [available on request]”
Verify on security.xano.com“ISO 27701 and CPRA listed under certifications with documentation available on request.”
Verify on security.xano.com“HDS listed as a certification in the Xano Security Center navigation, but no attestation document or proof quote was retrievable from the public page.”
Verify on security.xano.com“Files: FERPA Letter of Attestation 2024 [available on request]”
Verify on security.xano.com“Files: PIPEDA Letter of Attestation 2024 [available on request]”
Verify on security.xano.com“Files: PDPA Letter of Attestation 2024 [available on request]”
Verify on docs.xano.com“Xano is certified to the U.S. Department of Commerce under the EU-U.S. Data Privacy Framework.”
Verify on security.xano.com“PCI DSS (ASV Network Scan) listed under Documentation > Reports in the Security Center. Scope and level not confirmed publicly.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
15+ regions: United States, Belgium, Brazil, Canada, France, Germany, India, Indonesia, Japan, Saudi Arabia, Singapore, South Korea, Switzerland, United Kingdom, Australia. Region selection available on paid tiers.
Xano's AI Terms explicitly state: 'Xano does not use your Input or Output to train its AI models or allow others to do so without your explicit consent.' Third-Party AI Providers (Google Gemini) neither log nor store Input/Output. Subprocessor Braintrust may process prompts in pseudonymous form for compliance purposes; users on paid plans can opt out via workspace settings.
// Security controls
Cloud Infrastructure
Google Cloud Platform (primary). BYOC (Bring Your Own Cloud) on AWS, GCP, or Azure on Enterprise. On-prem/dedicated instance also available.
security.xano.comEncryption at Rest
Enabled. Listed explicitly in Xano Security Center under Data Security.
security.xano.comSSO / SAML / OIDC
SSO, SAML, OIDC supported. Enterprise plan includes internal SSO.
security.xano.comRBAC
Role-based access control with per-endpoint policy. Role and permissions manager available on Pro+ plans.
xano.comAudit Logging
Full audit trail: history of every change, approval, and access. Database audit logs available.
security.xano.comFirewall / WAF
Firewall active. Web Application Firewall (WAF) is Enterprise-only add-on, not included in standard plans.
xano.comEndpoint Detection & Response (EDR)
EDR listed as active under Endpoint Security in the Security Center.
security.xano.comPenetration Testing
Annual penetration testing conducted. Pentest Report available in Security Center under Documentation > Reports. Specific firm name and date not disclosed publicly.
security.xano.comSAST / Vulnerability Scanning
Snyk used for code verification. Static Application Security Testing integrated into SDLC. Vulnerability and patch management process documented.
xano.comBug Bounty Program
None found. No HackerOne, Bugcrowd, or other public bug bounty program identified as of 2026-06-27.
Subprocessors
Subprocessors list published at docs.xano.com/legal/xano-subprocessors. Includes Braintrust for AI feature prompt processing.
docs.xano.com// Products & data scope
data: Shared infrastructure. No compliance guarantees. 100K record limit, 1 GB image storage (watermarked). Rate-limited (10 req/20s).
Not suitable for production workloads or regulated data. No GDPR, SOC 2, or HIPAA coverage on this tier.
data: Dedicated infrastructure. GDPR, ISO, SOC 2 and SOC 3 compliance included. 100 GB storage, 3 workspaces, 5 team seats, 7-day backup, 99.95% SLA.
HIPAA add-on not available on this tier. DPA available on request. Branching, CLI sandbox, background tasks included.
data: Dedicated infrastructure with managed load balancer. GDPR, ISO 27001/27701, SOC 2/3 included. HIPAA add-on available at $500/mo extra (includes BAA). 250 GB storage, 5 workspaces, 10 team seats, 14-day backup, 99.99% SLA.
HIPAA-covered workloads require the $500/mo add-on to activate BAA. Role and permissions manager included.
data: BYOC (AWS/GCP/Azure), dedicated single-tenant instance, or on-prem. Full compliance suite: SOC 2 T2, ISO 27001, HIPAA with BAA, GDPR DPA, custom data residency, SSO/SAML, dedicated IP, 24/7 monitoring. Unlimited scalability.
HIPAA BAA is standard (no add-on fee). WAF available. 365/24/7 dedicated support. On-prem and self-hosted options. Multi-tenant isolation with per-tenant policy.
// What to watch
- HIPAA coverage requires a paid add-on ($500/mo) on Pro tier or Enterprise plan — not included by default.
- WAF (Web Application Firewall) is Enterprise-only; standard plans rely on GCP-level DDoS and a basic firewall.
- No public bug bounty program (HackerOne/Bugcrowd) identified as of 2026-06-27.
- SOC 2 Type 2 report restricted to verified enterprise inquiries only; SOC 3 is the publicly available version.
- Braintrust subprocessor processes AI prompt data in pseudonymous form — paid users can opt out via workspace settings.
- HDS (French healthcare hosting) certification listed in the security center navigation but supporting documentation not publicly accessible for confirmation.
// At a glance
Pricing model
Freemium + tiered subscription ($85/mo Essential, $224/mo Pro, custom Enterprise). HIPAA add-on $500/mo on Pro tier.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Xano, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.xano.com