Xano Documentation
Searchโ€ฆ
Xano Documentation
Welcome
Release notes
Roadmap & Requests
Frequently Asked Questions
๐Ÿ’ก
Start here
What is Xano?
What's included
Technology
What is a Backend?
Why have a separate Backend?
๐Ÿค”
Fundamentals
Getting Started with Xano
Designing your Database
Setting up your API
Connecting to a Front-End
๐Ÿ—„๏ธ The Database
Database Basics
Field Types
Database Relationships
Data Sources
Database Performance
Database Storage
Importing data
๐Ÿ”Œ
The API
API Basics
NO CODE API Builder
Webhooks
Testing your API
API Request History
Auto-Documentation
Branches
API Performance
๐Ÿช„
Working with data
The Basics
Variables
Dot Notation
Search
Functions
Filters
Addons (GraphQL-like)
Lambdas (JavaScript)
Date & Times
โš’๏ธ Building Backend Features
Sign-up & Log in
Restricting Access
Password Reset
Passwordless Auth (Magic Link)
Payments
Email Notifications
SMS
Location
Generating CSV Files
Separating Data
๐Ÿš€
Xano Features
Data Caching
Schema Versioning
Dynamic Image Transformation
Snippets (Share your API)
Background Tasks (Cron Jobs)
File Management
๐Ÿ“•
HOW-to Guides
Full Build Tutorials
Data Manipulation
External APIs
Encryption
More Video Tutorials
โ˜๏ธ Your Xano Account
Help and Support
Account Page
Billing
Upgrading an Instance
Increasing Plan Limits
Enterprise Plans
Adjust Server Performance
Agency Plan
Custom Domain
Change Server Region
Manage Team
Bandwidth Usage
Time Synchronization
API Rate Limit
Developer API
Share Xano. Make money
๐Ÿ”’
Security and Compliance
Best Practices
GDPR
HIPAA
ISO 27001:2013
ISO 9001:2015
PCI Compliance (ASV Network Scan)
๐Ÿ’ฒ
Special Discount Pricing
Non Profits
Students
๐Ÿ”จ
Troubleshooting
Clear Cache
Bug Bounty
Troubleshooting
Powered By GitBook
GDPR
General Data Protection Regulation

You should review this document in conjunction with our Privacy Policy and potentially contact a specialist for legal advice.
Effective May 2018, the General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Itโ€™s primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterpriseโ€”regardless of its location and the data subjects' citizenship or residenceโ€”that is processing the personal information of individuals inside the EEA.

Not necessarily. The requirements of the GDPR apply to the physical location of the person whose data is being used, rather than their citizenship. If an EU citizen purchases an item while traveling or living in the United States and their data is then stored by an American company, in U.S.-based computer servers โ€” the GDPR would not apply.
Conversely, if an American citizen is living or staying in the EU for an extended period, the GDPR can apply to the usage of his or her data. U.S. citizens who are living in the United States are not subject to these requirements.

A data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing.
Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data for compliance, it will be classed as a data controller.

A private company or any other legal entity โ€“ Including an incorporated association, incorporated partnership, or public authority.
An individual person โ€“ Such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.
Please see the GDPR checklist for data controllers.

A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
An organization that processes data on behalf of a data controller like cloud service providers. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Xano will typically act as the data processor for any person data made available by your customers.

The GDPR applies to all organizations based inside or outside the EU that processes personal data of EU individuals. According to the European Commission Personal data is any information relating to an identified or identifiable natural person.

  • Xano clients will usually act as the data controller for any personal data made available to Xano.
  • Xano is a data processor for any personal data made available by our customers.

Xano offers a GDPR compliant DPA - Data Processing Agreement, allowing customers with GDPR contractual obligations. GDPR compliant DPA is available for Launch, Scale, Enterprise & Agency Plans by filling out this request form.
Please note GDPR requirements will be covered only for the customers that sign the DPA and acquire a GDPR compliant plan. All other plans will not cover GDPR requirements.

Xano Subprocessors under the GDPR, is categorized as any business or contractor that customer data may pass through as a side effect of using Xano's service. See more.
โ€‹
Security and Compliance - Previous
Best Practices
Next - Security and Compliance
HIPAA
Last modified 2mo ago
Copy link
On this page
๏ปฟDoes GDPR apply to EU citizens living in the U.S.?
What is a data controller?
A data controller could be:
What is a data processor?
Who does GDPR apply to?
Data Controller or Data Processor?
Does Xano offer a Data Processing Agreement (DPA)?
What is a Subprocessor?