// Trust & Security Report

    Federico Terzi (Individual / Open Source Project) logo

    Federico Terzi (Individual / Open Source Project)

    Espanso: A privacy-first, cross-platform text expander for Windows, macOS, and Linux. Single-product family, open-source, GPL-3 licensed, written in Rust. No commercial variants or tiers.

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    no public evidence

    SOC 2 Type 2
    NOT CONFIRMED

    no public evidence

    ISO 27001
    NOT CONFIRMED

    no public evidence

    GDPR Compliance
    NOT CONFIRMED

    no formal GDPR certification; product design is GDPR-compliant by architecture (local-only, no data collection)

    source: espanso.org
    HIPAA
    NOT CONFIRMED

    out of scope for a text expander; not a healthcare product

    PCI DSS
    NOT CONFIRMED

    out of scope; desktop application, no payment processing

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Local only (desktop application, no cloud storage)

    Not applicable. Espanso is a text expander, not an AI service. No cloud component, no data collection, no training.

    // Security controls

    Architecture

    100% local operation, no cloud backend, no data collection, no tracking

    github.com

    Code Transparency

    Open-source (GPL-3 license), full source code available on GitHub for independent code review

    github.com

    Binary Signing

    Windows binaries code-signed via SignPath.io (third-party signing service)

    github.com

    Memory Management

    Minimizes keylogging exposure: stores only last 5 chars by default (configurable), regex matches up to 30 chars

    github.com

    Vulnerability Disclosure

    Report to maintainer federicoterzi96@gmail.com; no formal responsible disclosure timeline published

    github.com

    Key Detection Method

    OS-specific APIs: RawInput (Windows), addGlobalMonitorForEvents (macOS), X Record Extension (Linux)

    github.com

    // Products & data scope

    EspansoProductivity - Text Expansion

    data: Local only; configuration stored in local files (~/.config/espanso on Linux/Mac, %APPDATA%/espanso on Windows)

    Desktop application for Windows, macOS, Linux. No cloud sync, no multi-device support, no account creation required. CLI-configurable or via YAML files. Extensible via packages shared on Espanso Hub.

    // What to watch

    • No formal privacy policy or terms of service published on website (typical for small open-source projects; not a red flag but a gap)
    • No enterprise security certifications (SOC 2, ISO 27001) - by design, as this is a volunteer open-source project, not a company
    • Security documentation refers to GitHub and notes docs are 'incomplete, will be updated soon' - suggests documentation maintenance is ad-hoc
    • Vulnerability disclosure lacks formal SLA or timeline - relies on maintainer goodwill and email response
    • Code-signing uses third-party service (SignPath) - acceptable, but verification chain depends on SignPath.io trust

    // At a glance

    Pricing model

    Free and open-source (donation-supported)

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Federico Terzi (Individual / Open Source Project)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    espanso.org

    > Browse all vendor trust reports