Xano Security Center

Data Security

Backups Enabled

Xano is dedicated to safeguarding your data with a robust framework of disaster recovery procedures and preventative measures. We implement daily backups (every 24 hours), securely stored in the same region as your primary location but within a distinct zone to provide resilience against potential disasters at the main site. On any of our paid plans, Xano maintains full backups of your server instance on a rolling 3-day cycle. In the event of significant problems, you are encouraged to contact our support team for assistance in restoring your instance(s). For Enterprise users, Xano will typically have 30 days of rolling 24-hour backups and a 7-day point-in-time recovery log for per-second backup flexibility.

For subscribers of our paid plans, we offer the advantage of schema versioning for various elements such as database tables, API groups, API endpoints, functions, add-ons, and background tasks. This feature facilitates effortless reversion to prior versions should any errors occur. The extent of version history available varies with the chosen paid plan; for further information, please see our documentation.

Additionally, for all paid users, Xano maintains a 24-hour request history for all API requests directed to the Xano instance, including requests that do not match a designated route. This data is accessible via the Xano interface or through the Xano Metadata API.

Leveraging the Google Cloud Platform (GCP) as our cloud hosting provider, we ensure that your data remains encrypted both at rest and in transit, maintaining the highest level of security.

Our Disaster Recovery Continuity of Operations program emphasizes our commitment to seamless business continuity, enabling us to sustain essential operations even in the face of significant challenges, such as major service disruptions, cyberattacks, widespread virus outbreaks, or natural disasters.

Encryption-at-rest

Xano relies on the Google Cloud Platform (GCP) as our trusted cloud hosting provider, benefiting from Google Cloud's exceptional encryption practices for data both at rest and in transit.

Google's robust encryption-at-rest measures use the AES algorithm. All data stored within the platform is encrypted at the storage level using Data Encryption Keys (DEKs), with a default encryption strength of AES-256, ensuring an exceptionally high level of security. It's worth noting that only a small number of Persistent Disks created before 2015 employ AES-128, which is still considered secure. The choice of AES encryption aligns with the recommendations of the National Institute of Standards and Technology (NIST) for long-term storage, further reinforcing our commitment to meeting customer compliance requirements.

Access Monitoring

At Xano, we log and monitor all user events, including those happening internally by employees. These events undergo weekly auditing procedures. We employ an Access Control policy combined with RBAC (Role-Based Access Control) mechanisms, restricting access to sensitive information to designated roles.

Administrative (privileged) accounts are provided only to management personnel who are authorized to perform system administration tasks. The number of privileged accounts is kept to a minimum. Our regular access audits serve as an assurance that each employee is granted precisely the access required for their specific responsibilities, with no room for unnecessary permissions.

Physical Security

The security of physical access to Xano instances is managed through a combination of a virtual private network (VPN) and device and identity access management software. In addition, to ensure the protection of any sensitive physical information, Xano enforces a strict "Clear Desk, Clear Screen" policy company-wide, compelling all employees to maintain a workspace free of unattended work-related items at all times.

Encryption-in-transit

Xano relies on the Google Cloud Platform (GCP) as our trusted cloud hosting provider, benefiting from Google Cloud's exceptional encryption practices for data both at rest and in transit.

Encryption in transit in GCP employs a variety of technologies, led primarily by TLS, to ensure that data is securely transmitted between different points in a network, safeguarding it from unauthorized access and alteration.

Google Cloud Platform (GCP) employs various encryption mechanisms to secure data in transit, meaning as it moves from one location to another, such as between user devices and GCP services, or between different services within GCP. The objective of encryption in transit is to protect data from unauthorized access, tampering, or eavesdropping as it traverses over networks.

Specifically, GCP typically uses Transport Layer Security (TLS) to encrypt data that is in transit over the network. TLS establishes a secure channel between two systems, ensuring the confidentiality and integrity of the data being exchanged. When clients connect to GCP services, they often do so via HTTPS, which is HTTP over TLS, to guarantee that the data is encrypted while in transit. GCP also employs other mechanisms like Virtual Private Cloud (VPC) peering and Interconnect for secure data transit between different cloud resources or between on-premises resources and the cloud. Xano supports TLS 1.2 and 1.3. Please see more information in this report.

For internal communications between GCP services, Google relies on its own highly secure and redundant global network infrastructure. This ensures that data traveling within Google's environment is also encrypted and rigorously secured against intrusion.

Xano requires all web communication to use HTTPS with TLS 1.2 or above.

Data Erasure

Individual users bear the responsibility for managing and deleting data within their respective Xano instances. Our data retention practices strictly adhere to the guidelines specified in our Privacy Policy, ensuring that only necessary user data is retained by Xano.

Upon discontinuing Xano services, you retain the capability to export all data from your Xano account(s). You maintain complete control over the data utilized within your instances. However, it's important to note that any code associated with your Xano setup is not exportable.