// Trust & Security Report
Learneo, Inc. (Quillbot)
AI writing assistant suite: Paraphraser, Grammar Checker, AI Detector, Plagiarism Checker, AI Humanizer, AI Chat/Ask AI, AI Image Generator, Translator, Summarizer, Citation Generator, plus PDF/file-conversion utilities and browser extensions (Chrome, Edge, Safari, Word) and mobile/desktop apps. Offered as Free, Premium (individual), and Team plans.
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on quillbot.com“"We comply with the Payment Card Industry Data Security Standard."”
Verify on quillbot.com“"We work hard to comply with the GDPR." Data transferred outside the EU is covered by "the EU-U.S. and Swiss-U.S. Data Privacy Frameworks" and "data protection agreements with Standard Contractual Clauses."”
Verify on quillbot.com“Quillbot is "certified and comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks ('DPF') and the UK Extension to the EU-U.S. DPF."”
Verify on quillbot.com“"We are verified through the Cloud Application Security Assessment" (listed on the trust center as CASA Tier 2). Note: this is a Google-administered assessment scoped to Chrome-extension/OAuth-app security, not a general enterprise infosec framework like SOC 2 or ISO 27001, and should not be presented as equivalent to those.”
> Show 7 unconfirmed / not-held certifications
source: quillbot.comNo public evidence - not mentioned on quillbot.com/trust-center, quillbot.com/privacy footer content, or any Quillbot-owned page found. Trust center FAQ covers GDPR, CCPA, PCI DSS, DPF, and CASA Tier 2 only, with no SOC 2 badge or reference.
source: quillbot.comNo public evidence - trust center lists only GDPR, EU-U.S./Swiss-U.S. Data Privacy Framework, CCPA, PCI DSS, and CASA Tier 2; ISO 27001 is not referenced anywhere on the vendor's own site.
source: quillbot.comNo public evidence on vendor-owned pages. No AI-governance-specific certification is referenced anywhere on quillbot.com.
source: quillbot.comNo public evidence on vendor-owned pages. (A third-party aggregator site claimed 'CSA Star Level 1 Compliant' for Quillbot, but this claim does not appear anywhere on quillbot.com and could not be verified on any Quillbot-owned domain, so it is not credited here.)
source: quillbot.comNo public evidence. FedRAMP is a US-government cloud authorization irrelevant to a consumer/SMB writing tool with no GovCloud offering found; not referenced on vendor pages.
source: quillbot.comNo public evidence. HIPAA is not mentioned on the trust center, privacy policy, or help center pages reviewed, and Quillbot does not advertise a Business Associate Agreement (BAA) or a healthcare-specific offering.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Not offered
Data region
Not a dedicated EU/regional processing option found; Quillbot states it 'has offices in the United States and India, and we work with service providers throughout the world,' with EU data transfers covered by the DPF and Standard Contractual Clauses.
Free and individual Premium users: Quillbot stores extension text inputs by default (as of the Nov 8, 2025 policy update) and may use text inputs to train the models that power its AI tools, with an opt-out available to account holders for both storage and training use. Team Plan users are explicitly excluded from model training: 'We do not train on any text inputs from Team Plan users.' Third-party service providers are contractually barred from using customer data to train their own models: 'It is Quillbot's standard policy to not allow any third-party service provider to use your data to train their AI models.' Because training behavior differs by plan and requires an opt-out for individual users, trains_on_customer_data is set to true at the product-wide level with the Team Plan carve-out noted as the safer tier for business use.
// Security controls
Encryption in transit
Trust center states connections are encrypted; Ask AI feature described as using end-to-end encryption for interactions.
quillbot.comAccess controls
"Quillbot does not access text in sensitive data fields, such as passwords or credit card numbers," and access to customer data is "tightly restricted within our company and our service providers."
quillbot.comInternational transfer safeguards
EU-U.S./Swiss-U.S. Data Privacy Framework plus Standard Contractual Clauses for transfers outside the EU.
quillbot.comThird-party AI training restriction
Contractual restriction preventing Quillbot's own third-party service providers from using customer data to train their AI models.
quillbot.com// Products & data scope
data: Text inputs may be stored and, absent opt-out, used for AI model training.
Broadest data exposure of the three tiers; opt-out available to account holders for storage and training use of extension inputs.
data: Same training/storage posture as Free unless the user opts out; no Team-Plan-style blanket exclusion.
Adds full feature access (Paraphraser, AI Detector, Humanizer, etc.) but does not change the underlying data-training policy versus Free.
data: Explicitly excluded from AI model training on text inputs.
The only tier with a documented, non-opt-in-dependent training exclusion: 'We do not train on any text inputs from Team Plan users.' No SOC 2/ISO/HIPAA program found even at this tier - buyers needing formal audit certifications should treat this as a gap.
data: Does not access sensitive fields (passwords, card numbers); described as end-to-end encrypted for interactions.
Embedded feature across tiers, not a separately certified product.
// What to watch
- A third-party aggregator/scanner site surfaced during search claimed Quillbot is 'SOC 2 Compliant, ISO 27001 Compliant, HIPAA Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant' - none of these claims are corroborated on any quillbot.com or learneo.com page, and they are explicitly NOT credited in this assessment. This is a clear over-claim risk if AIFOXX or a buyer relies on third-party aggregator badges instead of the vendor's own trust center.
- AI-training posture is tier-dependent and partially opt-in/opt-out rather than off-by-default: Free/Premium users are trained-on by default unless they opt out (per the Nov 8, 2025 policy update), while only the Team Plan has a blanket no-training guarantee. This nuance should be surfaced to any buyer choosing a tier for business use.
- No DPA (Data Processing Addendum) self-serve link or document was found on vendor-owned pages; enterprise/team customers would need to confirm DPA availability directly with Quillbot sales/support.
- No SOC 2, ISO 27001, or HIPAA program was found despite Quillbot processing large volumes of user-submitted text (including potentially sensitive documents via Ask AI/PDF tools) - reasonable gap for a growth-stage consumer SaaS company but worth flagging for any buyer with strict compliance requirements.
// At a glance
Pricing model
Freemium: free tier plus paid Premium (individual) and Team (per-seat) subscription plans; no public enterprise/custom-contract tier or self-hosted option found.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Learneo, Inc. (Quillbot)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
quillbot.com