Xano & the General Data Protection Regulation (GDPR)

Effective May 2018, the General Data Protection Regulation (GDPR), drafted and passed by the European Union (EU), imposes obligations on organizations anywhere in the world, so long as they target or collect data related to people in the EU.

Xano is committed to protecting the privacy of our users and their customers.

Xano continually champions initiatives that prioritize and improve the security and privacy of customer personal data, and we want you, as a Xano customer, to feel confident using our services in light of GDPR requirements. If you partner with Xano, we will support your GDPR compliance efforts by:

  1. Committing in our Privacy Policy to comply with GDPR in relation to processing of customer personal data.

  2. Offering additional security capabilities and features that may help you better protect data that is most sensitive.

  3. Disclosing Subprocessors and offering documentation to assist you in your privacy assessment of our services.

  4. Continuing to evolve our capabilities as the regulatory landscape changes.

You should review this document in conjunction with our Privacy Policy and potentially contact a specialist for legal advice.

What role do Xano's third-party ISO/IEC 27001 certification and SOC 2/3 reports play in compliance with the GDPR?

Our third-party ISO/IEC certifications and SOC 2/3 audit reports can be used by customers to help conduct their risk assessments and help them determine whether appropriate technical and organizational measures are in place.

Xano is a Data Processor

  • Xano is a data processor for any personal data made available by our customers.

  • Xano clients will usually act as the data controller for any personal data made available to Xano.

Does Xano offer a Data Processing Agreement (DPA)?

Xano offers a GDPR-compliant Data Processing Agreement (DPA) for customers with GDPR contractual obligations. The GDPR-compliant DPA is available for Launch, Scale, Enterprise & Agency plans by filling out this request form.

Please note that GDPR requirements will be covered only for customers that sign the DPA and acquire a GDPR-compliant plan. All other plans will not cover GDPR requirements.


What is GDPR?

GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Its primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

Who does GDPR apply to?

The GDPR applies to all organizations, based inside or outside the EU, that process personal data of EU individuals. According to the European Commission, personal data is any information relating to an identified or identifiable natural person.

Does GDPR apply to EU citizens living in the U.S.?

Not necessarily. The requirements of the GDPR apply to the physical location of the person whose data is being used, rather than their citizenship. If an EU citizen purchases an item while traveling or living in the United States and their data is then stored by an American company, in U.S.-based computer servers — the GDPR would not apply.

Conversely, if an American citizen is living or staying in the EU for an extended period, the GDPR can apply to the usage of his or her data. U.S. citizens who are living in the United States are not subject to these requirements.

What is a Subprocessor?

Under the GDPR, a Xano Subprocessor is any business or contractor that customer data may pass through as a side effect of using Xano's service. See more.

What is a data controller?

A data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing.

Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data for compliance, it will be classed as a data controller.

A data controller could be:

  • A private company or any other legal entity – including an incorporated association, incorporated partnership, or public authority.

  • An individual person – such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.

Please see the GDPR checklist for data controllers.

What is a data processor?

A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

A data processor is an organization that processes data on behalf of a data controller, such as a cloud service provider. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Xano will typically act as the data processor for any personal data made available by your customers.
