// Trust & Security Report

    Xano, Inc. logo

    Xano, Inc.

    No-Code Backend Platform (APIs, Database, Logic, Auth)

    Certifications held

    14

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Xano has completed a comprehensive SOC 2 Type 2 audit. Xano went through a detailed audit with a reputable AICPA auditor and the attestation can be found below.

    Verify on security.xano.com
    SOC 3
    HELD

    SOC 3 Report [listed under Documentation > Reports in Xano Security Center]

    Verify on security.xano.com
    ISO 27001:2022
    HELD

    Xano has the ISO certification. Files: Dekra_ISO_27001_Cert.png [certificate on file, available on request]

    Verify on security.xano.com
    ISO 27701
    HELD

    Files: Xano Inc. ISO 27701 [certificate on file, available on request]

    Verify on security.xano.com
    ISO 9001:2015
    HELD

    Xano has the ISO certification. Files: Xano ISO 9001 Certification [available on request]

    Verify on security.xano.com
    HIPAA (BAA available)
    HELD

    Xano was recently audited and meets all the criteria required for HIPAA compliance. Files: Letter of Attestation 2024 [available on request]. BAA available at Scale1x ($500/mo add-on) or standard with Enterprise plan.

    Verify on security.xano.com
    GDPR
    HELD

    Committing in our Privacy Policy to comply with GDPR in relation to processing of customer personal data. Files: GDPR Letter of Attestation 2024 [available on request]

    Verify on security.xano.com
    ISO 27701 / CPRA
    HELD

    ISO 27701 and CPRA listed under certifications with documentation available on request.

    Verify on security.xano.com
    HDS (Hebergement de Donnees de Sante)
    HELD

    HDS listed as a certification in the Xano Security Center navigation, but no attestation document or proof quote was retrievable from the public page.

    Verify on security.xano.com
    FERPA
    HELD

    Files: FERPA Letter of Attestation 2024 [available on request]

    Verify on security.xano.com
    PIPEDA
    HELD

    Files: PIPEDA Letter of Attestation 2024 [available on request]

    Verify on security.xano.com
    PDPA (Singapore)
    HELD

    Files: PDPA Letter of Attestation 2024 [available on request]

    Verify on security.xano.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Xano is certified to the U.S. Department of Commerce under the EU-U.S. Data Privacy Framework.

    Verify on docs.xano.com
    PCI DSS
    HELD

    PCI DSS (ASV Network Scan) listed under Documentation > Reports in the Security Center. Scope and level not confirmed publicly.

    Verify on security.xano.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    15+ regions: United States, Belgium, Brazil, Canada, France, Germany, India, Indonesia, Japan, Saudi Arabia, Singapore, South Korea, Switzerland, United Kingdom, Australia. Region selection available on paid tiers.

    Xano's AI Terms explicitly state: 'Xano does not use your Input or Output to train its AI models or allow others to do so without your explicit consent.' Third-Party AI Providers (Google Gemini) neither log nor store Input/Output. Subprocessor Braintrust may process prompts in pseudonymous form for compliance purposes; users on paid plans can opt out via workspace settings.

    // Security controls

    Cloud Infrastructure

    Google Cloud Platform (primary). BYOC (Bring Your Own Cloud) on AWS, GCP, or Azure on Enterprise. On-prem/dedicated instance also available.

    security.xano.com

    Encryption at Rest

    Enabled. Listed explicitly in Xano Security Center under Data Security.

    security.xano.com

    Encryption in Transit

    TLS 1.2 or above required for all data transmission.

    xano.com

    Password Hashing

    SHA-256 with unique salts.

    xano.com

    MFA

    Multi-Factor Authentication available and listed under Product Security.

    security.xano.com

    SSO / SAML / OIDC

    SSO, SAML, OIDC supported. Enterprise plan includes internal SSO.

    security.xano.com

    RBAC

    Role-based access control with per-endpoint policy. Role and permissions manager available on Pro+ plans.

    xano.com

    Audit Logging

    Full audit trail: history of every change, approval, and access. Database audit logs available.

    security.xano.com

    Anti-DDoS

    Anti-DDoS protection via Google Cloud Platform listed as active.

    security.xano.com

    Firewall / WAF

    Firewall active. Web Application Firewall (WAF) is Enterprise-only add-on, not included in standard plans.

    xano.com

    Endpoint Detection & Response (EDR)

    EDR listed as active under Endpoint Security in the Security Center.

    security.xano.com

    Penetration Testing

    Annual penetration testing conducted. Pentest Report available in Security Center under Documentation > Reports. Specific firm name and date not disclosed publicly.

    security.xano.com

    SAST / Vulnerability Scanning

    Snyk used for code verification. Static Application Security Testing integrated into SDLC. Vulnerability and patch management process documented.

    xano.com

    Bug Bounty Program

    None found. No HackerOne, Bugcrowd, or other public bug bounty program identified as of 2026-06-27.

    Backup

    7-day rolling backup on Essential plan; 14-day on Pro plan.

    xano.com

    Uptime SLA

    99.95% on Essential; 99.99% on Pro and above.

    xano.com

    Subprocessors

    Subprocessors list published at docs.xano.com/legal/xano-subprocessors. Includes Braintrust for AI feature prompt processing.

    docs.xano.com

    // Products & data scope

    Free PlanNo-code backend (evaluation / hobby)

    data: Shared infrastructure. No compliance guarantees. 100K record limit, 1 GB image storage (watermarked). Rate-limited (10 req/20s).

    Not suitable for production workloads or regulated data. No GDPR, SOC 2, or HIPAA coverage on this tier.

    Essential Plan ($85/mo billed annually)No-code backend (SMB / startup)

    data: Dedicated infrastructure. GDPR, ISO, SOC 2 and SOC 3 compliance included. 100 GB storage, 3 workspaces, 5 team seats, 7-day backup, 99.95% SLA.

    HIPAA add-on not available on this tier. DPA available on request. Branching, CLI sandbox, background tasks included.

    Pro Plan ($224/mo billed annually)No-code backend (growth / mid-market)

    data: Dedicated infrastructure with managed load balancer. GDPR, ISO 27001/27701, SOC 2/3 included. HIPAA add-on available at $500/mo extra (includes BAA). 250 GB storage, 5 workspaces, 10 team seats, 14-day backup, 99.99% SLA.

    HIPAA-covered workloads require the $500/mo add-on to activate BAA. Role and permissions manager included.

    Enterprise / Custom PlanNo-code backend (enterprise / regulated industries)

    data: BYOC (AWS/GCP/Azure), dedicated single-tenant instance, or on-prem. Full compliance suite: SOC 2 T2, ISO 27001, HIPAA with BAA, GDPR DPA, custom data residency, SSO/SAML, dedicated IP, 24/7 monitoring. Unlimited scalability.

    HIPAA BAA is standard (no add-on fee). WAF available. 365/24/7 dedicated support. On-prem and self-hosted options. Multi-tenant isolation with per-tenant policy.

    // What to watch

    • HIPAA coverage requires a paid add-on ($500/mo) on Pro tier or Enterprise plan — not included by default.
    • WAF (Web Application Firewall) is Enterprise-only; standard plans rely on GCP-level DDoS and a basic firewall.
    • No public bug bounty program (HackerOne/Bugcrowd) identified as of 2026-06-27.
    • SOC 2 Type 2 report restricted to verified enterprise inquiries only; SOC 3 is the publicly available version.
    • Braintrust subprocessor processes AI prompt data in pseudonymous form — paid users can opt out via workspace settings.
    • HDS (French healthcare hosting) certification listed in the security center navigation but supporting documentation not publicly accessible for confirmation.

    // At a glance

    Pricing model

    Freemium + tiered subscription ($85/mo Essential, $224/mo Pro, custom Enterprise). HIPAA add-on $500/mo on Pro tier.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Xano, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.xano.com

    > Browse all vendor trust reports