Citizen Developers

Reliable, secure, compliant.

Ensure your data is safe with the highest standards of data security

Talk to sales

Xano Security

The ultimate care for your data.

Store data securely with at rest encryption

Passwords are digitally signed with sha256 and unique salts.

Transmit data securely with SSL

Secure Socket Layer (SSL) is an industry-standard for securing and encrypting data transmission.

Prevent DDoS and other attacks with single-tenancy

On Xano's dedicated resource plans, the user's instance is on a single-tenant deployment or architecture.

Secure your backend

Xano is built to help citizen developers scale their backend, using technologies like Docker, Kubernetes, and Google Cloud.

Workspace / Role based access control

Login authentication

Password encryption

Password requirements

2FA security

Inactivity timeout

Workspace / Role based access control

Stay in control

RBAC (Role-based access control) or role-based permissions is a way to restrict access based on a user's defined role.

Learn more →

Workspace / Role based access control

Workspace / Role based access control

Stay in control

RBAC (Role-based access control) or role-based permissions is a way to restrict access based on a user's defined role.

Learn more →

Login authentication

Login authentication

Customizable login processes

Authentication is the way the backend handles adding users and allowing them to access certain areas of your app.

Learn more →

Password encryption

Password encryption

Keep passwords safe

Passwords are digitally signed with sha256 and unique salts.

Learn more →

Password requirements

Password requirements

Strong passwords

A password must be a minimum of eight (8) characters, maximum of 256 characters, at least one (1) alphabetic character, and at least one (1) numeric character.

Learn more →

2FA security

2FA security

Additional layer of security

2FA security requires the use of two different forms of identification to access and authenticate an account.

Learn more →

Inactivity timeout

Inactivity timeout

Protect your privacy

An inactivity timer which will log you out after 2 hours of inactivity. This can be adjusted or disabled entirely via your account settings.

Learn more →

Security & compliance certifications

ISO 27001

ISO 27001

ISO 27001 is the only auditable international standard that defines requirements of a information security management system.

ISO 9001

ISO 9001

ISO 9001:2015 serves as the quality benchmark of organizations located across the globe.

ISO 27701

ISO 27701

This standard is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards for information security management systems.

SOC2

SOC2

SOC 2 is an internal control report capturing how a company safeguards customer data and how well those controls are operating.

GDPR

GDPR

Xano continually champions initiatives that prioritize and improve the security and privacy of customer personal data.

HIPAA

HIPAA

HIPAA (1996) is a set of regulations governing the use and disclosure of protected health information.

CPRA

CPRA

Safeguards for sensitive data including location, demographics, beliefs, affiliations, communications, genetics, sexuality, and health related records.

CCPA

CCPA

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.

LGPD

LGPD

The LGPD sets rules for handling personal data in Brazil, applying to both domestic and foreign entities processing Brazilians' data.

PIPEDA

PIPEDA

A Canadian federal law from 2000 regulating personal information handling in commercial activities nationwide, except where provinces have similar laws.

FERPA

FERPA

FERPA gives parents rights over their children's education records. These rights transfer to students at age 18 or when they attend post-secondary school.

PDPA

PDPA

A Singapore law regulating personal data handling, providing individuals more control over their data use by organizations.

Frequently asked questions

Yes. Xano complies by utilizing the following open source licenses of: PHP 8, Node.js, PostgreSQL, Angular 17, and Redis 7.2.

It does not come standard. It is only possible if enabled through our Enterprise Edition.

Yes, Xano integrates SAST into its development process to analyze source code for vulnerabilities. This approach enables the early detection of security issues during the coding phase. By utilizing automated tools, Xano can identify potential vulnerabilities, such as SQL injection, cross-site scripting (XSS), and insecure coding practices.

Each of our database types (i.e. text, int, decimal, boolean, etc) have their own built-in filters to validate their input. When assigning a type to a database column or input variable, you can rely on the contents of that variable to have successfully passed the appropriate input validation for that specific type.

Xano requires all web communication over HTTPS TLSv1.2 or above.

Xano currently supports the following regions: Australia, Belgium, Brazil, Canada, France, Germany, India, Indonesia, Japan, Saudi Arabia, Singapore, South Korea, the United Kingdom, and the United States.

Yes, using Redis is mandatory. Xano uses it for caching various parts of the application schema. It is also used for API/function caching (if enabled) and it is accessible within our function stack.

Multi-zone configurations are supported through our Enterprise BYOC offering. It is not supported through the traditional SaaS plans.

Code is verified using Snyk.

Xano allows you to set rate limits on your queries so that you can limit the requests per given time period that an API endpoint can be called. The Rate Limit function comes with a few settings for configuration.

Upon discontinuing Xano services, you retain the capability to export all data from your Xano account(s). You maintain complete control over the data utilized within your instances. However, it's important to note that any code associated with your Xano setup is not exportable.

Yes, Xano provides support for background tasks (cron jobs), allowing them to execute concurrently. Moreover, the resources allocated for background tasks are segregated from those designated for API operations.