// Trust & Security Report

    Learneo, Inc. (Quillbot) logo

    Learneo, Inc. (Quillbot)

    AI writing assistant suite: Paraphraser, Grammar Checker, AI Detector, Plagiarism Checker, AI Humanizer, AI Chat/Ask AI, AI Image Generator, Translator, Summarizer, Citation Generator, plus PDF/file-conversion utilities and browser extensions (Chrome, Edge, Safari, Word) and mobile/desktop apps. Offered as Free, Premium (individual), and Team plans.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS
    HELD

    "We comply with the Payment Card Industry Data Security Standard."

    Verify on quillbot.com
    GDPR (posture/compliance program, not a certification)
    HELD

    "We work hard to comply with the GDPR." Data transferred outside the EU is covered by "the EU-U.S. and Swiss-U.S. Data Privacy Frameworks" and "data protection agreements with Standard Contractual Clauses."

    Verify on quillbot.com
    CCPA
    HELD

    "We abide by the California Consumer Privacy Act."

    Verify on quillbot.com
    EU-U.S. / Swiss-U.S. Data Privacy Framework (DPF)
    HELD

    Quillbot is "certified and comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks ('DPF') and the UK Extension to the EU-U.S. DPF."

    Verify on quillbot.com
    CASA Tier 2 (Google Cloud Application Security Assessment)
    HELD

    "We are verified through the Cloud Application Security Assessment" (listed on the trust center as CASA Tier 2). Note: this is a Google-administered assessment scoped to Chrome-extension/OAuth-app security, not a general enterprise infosec framework like SOC 2 or ISO 27001, and should not be presented as equivalent to those.

    Verify on quillbot.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence - not mentioned on quillbot.com/trust-center, quillbot.com/privacy footer content, or any Quillbot-owned page found. Trust center FAQ covers GDPR, CCPA, PCI DSS, DPF, and CASA Tier 2 only, with no SOC 2 badge or reference.

    source: quillbot.com
    ISO 27001
    NOT CONFIRMED

    No public evidence - trust center lists only GDPR, EU-U.S./Swiss-U.S. Data Privacy Framework, CCPA, PCI DSS, and CASA Tier 2; ISO 27001 is not referenced anywhere on the vendor's own site.

    source: quillbot.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on vendor-owned pages.

    source: quillbot.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence on vendor-owned pages. No AI-governance-specific certification is referenced anywhere on quillbot.com.

    source: quillbot.com
    CSA STAR
    NOT CONFIRMED

    No public evidence on vendor-owned pages. (A third-party aggregator site claimed 'CSA Star Level 1 Compliant' for Quillbot, but this claim does not appear anywhere on quillbot.com and could not be verified on any Quillbot-owned domain, so it is not credited here.)

    source: quillbot.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. FedRAMP is a US-government cloud authorization irrelevant to a consumer/SMB writing tool with no GovCloud offering found; not referenced on vendor pages.

    source: quillbot.com
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned on the trust center, privacy policy, or help center pages reviewed, and Quillbot does not advertise a Business Associate Agreement (BAA) or a healthcare-specific offering.

    source: quillbot.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    Not a dedicated EU/regional processing option found; Quillbot states it 'has offices in the United States and India, and we work with service providers throughout the world,' with EU data transfers covered by the DPF and Standard Contractual Clauses.

    Free and individual Premium users: Quillbot stores extension text inputs by default (as of the Nov 8, 2025 policy update) and may use text inputs to train the models that power its AI tools, with an opt-out available to account holders for both storage and training use. Team Plan users are explicitly excluded from model training: 'We do not train on any text inputs from Team Plan users.' Third-party service providers are contractually barred from using customer data to train their own models: 'It is Quillbot's standard policy to not allow any third-party service provider to use your data to train their AI models.' Because training behavior differs by plan and requires an opt-out for individual users, trains_on_customer_data is set to true at the product-wide level with the Team Plan carve-out noted as the safer tier for business use.

    // Security controls

    Encryption in transit

    Trust center states connections are encrypted; Ask AI feature described as using end-to-end encryption for interactions.

    quillbot.com

    Access controls

    "Quillbot does not access text in sensitive data fields, such as passwords or credit card numbers," and access to customer data is "tightly restricted within our company and our service providers."

    quillbot.com

    Data sale posture

    "No, we do not sell your content... We also do not sell your data."

    quillbot.com

    International transfer safeguards

    EU-U.S./Swiss-U.S. Data Privacy Framework plus Standard Contractual Clauses for transfers outside the EU.

    quillbot.com

    Third-party AI training restriction

    Contractual restriction preventing Quillbot's own third-party service providers from using customer data to train their AI models.

    quillbot.com

    // Products & data scope

    Free tierConsumer writing tools

    data: Text inputs may be stored and, absent opt-out, used for AI model training.

    Broadest data exposure of the three tiers; opt-out available to account holders for storage and training use of extension inputs.

    Premium (individual)Consumer/prosumer writing tools

    data: Same training/storage posture as Free unless the user opts out; no Team-Plan-style blanket exclusion.

    Adds full feature access (Paraphraser, AI Detector, Humanizer, etc.) but does not change the underlying data-training policy versus Free.

    Team PlanSMB/team collaboration

    data: Explicitly excluded from AI model training on text inputs.

    The only tier with a documented, non-opt-in-dependent training exclusion: 'We do not train on any text inputs from Team Plan users.' No SOC 2/ISO/HIPAA program found even at this tier - buyers needing formal audit certifications should treat this as a gap.

    Ask AI / AI ChatAI chat assistant feature

    data: Does not access sensitive fields (passwords, card numbers); described as end-to-end encrypted for interactions.

    Embedded feature across tiers, not a separately certified product.

    // What to watch

    • A third-party aggregator/scanner site surfaced during search claimed Quillbot is 'SOC 2 Compliant, ISO 27001 Compliant, HIPAA Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant' - none of these claims are corroborated on any quillbot.com or learneo.com page, and they are explicitly NOT credited in this assessment. This is a clear over-claim risk if AIFOXX or a buyer relies on third-party aggregator badges instead of the vendor's own trust center.
    • AI-training posture is tier-dependent and partially opt-in/opt-out rather than off-by-default: Free/Premium users are trained-on by default unless they opt out (per the Nov 8, 2025 policy update), while only the Team Plan has a blanket no-training guarantee. This nuance should be surfaced to any buyer choosing a tier for business use.
    • No DPA (Data Processing Addendum) self-serve link or document was found on vendor-owned pages; enterprise/team customers would need to confirm DPA availability directly with Quillbot sales/support.
    • No SOC 2, ISO 27001, or HIPAA program was found despite Quillbot processing large volumes of user-submitted text (including potentially sensitive documents via Ask AI/PDF tools) - reasonable gap for a growth-stage consumer SaaS company but worth flagging for any buyer with strict compliance requirements.

    // At a glance

    Pricing model

    Freemium: free tier plus paid Premium (individual) and Team (per-seat) subscription plans; no public enterprise/custom-contract tier or self-hosted option found.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Learneo, Inc. (Quillbot)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    quillbot.com

    > Browse all vendor trust reports