A SOC 3 (System and Organization Controls 3) report is a formal document that provides assurance about the controls at a service organization relevant to the security, availability, processing integrity, confidentiality, or privacy of the information processed for its users. Unlike its counterpart, the SOC 2 report, which is detailed and intended for a limited, knowledgeable audience (e.g., auditors, compliance officers), the SOC 3 report is designed for a broader audience, such as customers, stakeholders, or the general public, and does not include the detailed description of the testing, the results, and the potentially confidential information found in a SOC 2 report.
The SOC 3 report is based on the Trust Services Criteria developed by the American Institute of Certified Public Accountants (AICPA). It provides a summary of the service organization's system and the effectiveness of the controls in place to address one or more of the five trust service principles: security, availability, processing integrity, confidentiality, and privacy. However, it does so in a more general format without the detailed controls and test results, making it a less technical document compared to SOC 2.
Xano's SOC 3 report provides assurance to a wide range of users and the public about our commitment to maintaining a high standard of controls over the information we process, and demonstrates our dedication to high standards of security and operational integrity.
See attachment for high-level data flow diagram and a detailed network diagram.
ASV Scan Service for PCI Compliance
PCI ASV compliance is provided through ServerScan. The scans are ASV-certified by the PCI Security Standards Council and satisfy the external network scanning requirement for PCI DSS compliance (Requirement 11.2.2). These scans are completed on a quarterly basis.
During the PCI scanning process, the vulnerability testing engine performs a series of automated security assessments against our infrastructure at the designated IP address or FQDN.
Because the penetration testing report contains highly confidential and extremely sensitive information, we do not make it publicly available. We do, however, share the summary report. Penetration tests are performed on an annual basis.
This executive attestation report is generated based on the testing performed by our certified security engineers that followed the OWASP and PCI ASV 4.0 best practice guidelines.
The following OWASP web application security risks were included as part of our testing.