// Trust & Security Report
Federico Terzi (Individual / Open Source Project)
Espanso: A privacy-first, cross-platform text expander for Windows, macOS, and Linux. Single-product family, open-source, GPL-3 licensed, written in Rust. No commercial variants or tiers.
Certifications held
0
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 6 unconfirmed / not-held certifications
no public evidence
no public evidence
no public evidence
source: espanso.orgno formal GDPR certification; product design is GDPR-compliant by architecture (local-only, no data collection)
out of scope for a text expander; not a healthcare product
out of scope; desktop application, no payment processing
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Local only (desktop application, no cloud storage)
Not applicable. Espanso is a text expander, not an AI service. No cloud component, no data collection, no training.
// Security controls
Code Transparency
Open-source (GPL-3 license), full source code available on GitHub for independent code review
github.comMemory Management
Minimizes keylogging exposure: stores only last 5 chars by default (configurable), regex matches up to 30 chars
github.comVulnerability Disclosure
Report to maintainer federicoterzi96@gmail.com; no formal responsible disclosure timeline published
github.comKey Detection Method
OS-specific APIs: RawInput (Windows), addGlobalMonitorForEvents (macOS), X Record Extension (Linux)
github.com// Products & data scope
data: Local only; configuration stored in local files (~/.config/espanso on Linux/Mac, %APPDATA%/espanso on Windows)
Desktop application for Windows, macOS, Linux. No cloud sync, no multi-device support, no account creation required. CLI-configurable or via YAML files. Extensible via packages shared on Espanso Hub.
// What to watch
- No formal privacy policy or terms of service published on website (typical for small open-source projects; not a red flag but a gap)
- No enterprise security certifications (SOC 2, ISO 27001) - by design, as this is a volunteer open-source project, not a company
- Security documentation refers to GitHub and notes docs are 'incomplete, will be updated soon' - suggests documentation maintenance is ad-hoc
- Vulnerability disclosure lacks formal SLA or timeline - relies on maintainer goodwill and email response
- Code-signing uses third-party service (SignPath) - acceptable, but verification chain depends on SignPath.io trust
// At a glance
Pricing model
Free and open-source (donation-supported)
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Federico Terzi (Individual / Open Source Project)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
espanso.org