// Trust & Security Report
Text, Inc.
ChatBot (ChatBot by Text) - AI-powered conversational agent for customer support, sales, and engagement across web, mobile, and messaging channels (Messenger, SMS, etc.). Part of broader Text platform including LiveChat and other communication tools.
Certifications held
8
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on chatbot.com“The platform holds SOC 2, GDPR, CCPA, PCI DSS, and Data Privacy Framework compliance, along with WCAG 2.2 accessibility verification.”
Verify on chatbot.com“Text commits to subjecting all personal data received from European Union (EU), European Economic Area (EEA) and Switzerland to GDPR protections (Regulation EU 2016/679). Data Privacy Framework certification effective July 10, 2023.”
Verify on chatbot.com“Recognition of consumer rights including data access, correction, and opt-out options. CCPA/CPRA compliance explicitly listed.”
Verify on chatbot.com“PCI DSS (SAQ A level). Platform for ecommerce requires PCI DSS compliance for payment data handling.”
Verify on chatbot.com“Text has achieved certification under the EU-US DPF, obtaining adequacy status. This pivotal adequacy decision signifies that the United States provides an equivalent level of safeguard for personal data. Certification became effective July 10, 2023.”
Verify on chatbot.com“Text self-certified compliance with the UK Extension to the EU-US DPF, implemented through the Data Protection (Adequacy) (United States of America) Regulations 2023, effective October 12, 2023.”
Verify on text.com“Swiss-U.S. Data Privacy Framework (DPF) certification valid as of September 15, 2024, recognized by Swiss Federal Council for adequate data protection.”
Verify on chatbot.com“WCAG 2.2 accessibility verification included in platform certifications.”
> Show 3 unconfirmed / not-held certifications
source: chatbot.comNo public evidence of certification on the vendor's own domain. The vendor's blog list of held certifications (SOC 2, GDPR, CCPA, PCI DSS, Data Privacy Framework, WCAG 2.2) does NOT include ISO 27001; the blog references ISO 27001 only as a standard organizations should pursue, not one the platform holds. The trust center (trust.text.com) does not confirm it either.
source: chatbot.comNo public evidence of HIPAA compliance found. ChatBot markets specifically to healthcare organizations, but HIPAA certification not mentioned in privacy policy, trust documentation, or security blog posts. Status unknown - may require enterprise contract negotiation.
source: chatbot.comNo public evidence of ISO/IEC 42001 AI governance certification found despite extensive security documentation.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Global with multiple cloud regions (Google Cloud, AWS). Data may be processed outside customer's country. EU/UK data transfers protected by Standard Contractual Clauses (Module II SCCs) and Data Privacy Framework adequacy determinations.
Platform trains AI agent on customer-provided sources (website URL, help center docs, knowledge base, product docs) via RAG (Retrieval-Augmented Generation). Does NOT train on customer conversation data for model improvement. Customers fully control what data the agent learns from.
// Security controls
Encryption at Rest
Multiple copies of personal data with recovery capability; backup copies stored separately from primary systems
text.comAuthentication
Two-factor authentication (2FA) available. Passwords require minimum 12 characters with numbers, capitals, and special characters. OAuth 2.1 with short-lived tokens and PKCE mandate for API access.
text.comAccess Control
Least privilege access. Personnel deactivation upon service termination. Role-based access controls with documented security policies. Unique machine identities per agent.
text.comData Compartmentalization
Logical data compartmentalization between customers. Clients cannot access other clients' data.
chatbot.comTesting & Monitoring
Annual penetration testing. Annual risk assessments. Event logging maintained for minimum 10 days. Real-time monitoring and anomaly detection of agent actions. Immutable audit trails.
text.comInfrastructure Security
Hosted on Google Cloud and AWS. Web Application Firewall for DDoS mitigation. Endpoint detection and response (EDR) on staff devices. Software supply chain scanning.
chatbot.comIncident Response
Breach notification as required by law. Documented incident breach records maintained.
chatbot.com// Products & data scope
data: Pre-chat surveys, chat conversations, ticket content. Customer-provided training data only (website, help center, docs).
Core product. Free 14-day trial. Pricing from $19/mo. Supports multichannel deployment (website, Messenger, SMS, etc.).
data: Product catalog, customer data, transaction context. PCI DSS SAQ A compliance for payment handling.
AI agent for product recommendations, sales, checkout assistance. Case study: Wembley Stadium ($1.5M in 8 months).
data: Patient inquiries, appointment scheduling, general information. HIPAA compliance not publicly documented.
Solution marketed for healthcare but HIPAA certification status unclear. Recommend enterprise assessment.
data: Student inquiries, enrollment support, general campus information.
Use cases in student support and institutional communications.
// What to watch
- SOC 2 specificity: Blog post states 'SOC 2 (Type II recommended)' but doesn't explicitly confirm Type II certification held. Search results suggest Type II is the goal/recommendation, not necessarily current status. Recommend vendor confirm Type I vs Type II.
- ISO 27001 NOT held (corrected): The vendor's security blog does not list ISO 27001 among the certifications the platform holds; it references ISO 27001 only as a standard organizations should pursue. The first-pass draft had graded this held=true against a proof quote that does not literally appear on the cited page. Downgraded to held=false (no public evidence). Trust center (trust.text.com) exists but content was not accessible to confirm otherwise.
- HIPAA gap: Platform markets to healthcare organizations but no HIPAA certification or compliance framework mentioned in public documentation. May be available under enterprise agreement only.
- Identity verification: Vendor is 'Text, Inc.' (parent company at text.com), product is 'ChatBot' or 'ChatBot by Text' (at chatbot.com). Confirmed same entity via copyright notice and legal pages. No conflation risk.
- Trust center accessibility: trust.text.com domain confirmed but page content not fully accessible during assessment. Further verification recommended.
- Blog vs official stance: Certifications sourced from blog post (educational content) rather than official compliance dashboard. Blog may represent aspirational standards or generic recommendations rather than current ChatBot.com status.
// At a glance
Pricing model
SaaS subscription. Free trial (14 days, no credit card required). Pricing from $19/month individual to custom enterprise plans.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Text, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.text.com