// Trust & Security Report

    TextExpander, Inc. (parent: TE SP Holdings, LLC) logo

    TextExpander, Inc. (parent: TE SP Holdings, LLC)

    Cross-platform text expansion / snippet management tool for Mac, Windows, Chrome and mobile, with Individual, Business/Team, Growth and Enterprise tiers, plus an on-device 'AI Recommendations' feature (Gemini Nano, local inference) for TextExpander for Chrome.

    Certifications held

    7

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2
    HELD

    TextExpander maintains a SOC 2 and SOC 3 security certification, and our app and database servers run atop SOC 2 and SOC 3 certified infrastructure.

    Verify on textexpander.com
    SOC 3
    HELD

    SOC3 ... Request (listed in Compliance section of the official trust center; corroborated by 'TextExpander maintains a SOC 2 and SOC 3 security certification' on the security page)

    Verify on trust.textexpander.com
    GDPR
    HELD

    GDPR-compliant. CCPA-compliant. ... We promptly handle privacy-related requests, including erasure ("right to be forgotten"). We list our sub-processors and the business purposes for which we employ them.

    Verify on trust.textexpander.com
    CCPA
    HELD

    CCPA View (listed under Compliance on the trust center); 'GDPR-compliant. CCPA-compliant.' repeated on /security.

    Verify on trust.textexpander.com
    HIPAA
    HELD

    HIPAA-compliant for qualified Enterprise plans ... The platform complies with HIPAA Security, Privacy, and Breach Notification rules.

    Verify on trust.textexpander.com
    FSQS (Financial Services Qualification System, UK)
    HELD

    FSQS Certificate (TextExpander, Inc.) Request

    Verify on trust.textexpander.com
    TX-RAMP Level 2
    HELD

    TX-RAMP Level 2 Certification Request

    Verify on trust.textexpander.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: ISO 27001 does not appear on the trust center, the /security page, or the homepage compliance badges (which list HIPAA, SOC2/SOC3, GDPR/CCPA, FSQS, SSO/SAML/SCIM only).

    source: trust.textexpander.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not listed on the trust center or /security page; payment processing is handled by a listed third-party sub-processor, not covered by a vendor-held PCI attestation.

    source: trust.textexpander.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of an AI-management-system certification. TextExpander instead documents AI governance via a contractual AI Policy (no training on Content) rather than a certified ISO 42001 / CSA STAR AI program.

    source: textexpander.com
    CSA STAR
    NOT CONFIRMED

    No public evidence; not referenced on the trust center, security page, or AI policy.

    source: trust.textexpander.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization. Note: do not confuse with TX-RAMP Level 2, which is a Texas state government cloud-authorization program, not a federal FedRAMP authorization.

    source: trust.textexpander.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States. Privacy Policy: 'We transfer to and process your Personal Data in the United States, the location of our data hosting provider's servers.'

    TextExpander's dedicated AI Policy states: 'TextExpander does not use your Content - including the text of your Snippets, expansion inputs and outputs, or any other data you store within the Services - to train, fine-tune, or otherwise improve any foundational AI or large language model,' and that 'This prohibition applies to all Customers and Users by default and requires no opt-out.' Any third-party AI sub-processor engaged in the future must contractually 'Refrain from using Customer Data to train, fine-tune, or improve any AI model.' Currently, 'All AI inference, vectorization, and similarity search used to power Snippet Recommendations and related features is performed on infrastructure owned and operated by TextExpander' (i.e. not shipped to an external model provider). The homepage separately markets 'AI Recommendations' in TextExpander for Chrome as fully on-device via Gemini Nano ('Your data never leaves ... No keystroke logging, no server calls, no AI training on your content'). Flag: the general Privacy Policy (not the AI-specific policy) separately reserves the right to use Personal Data 'To develop new productivity tools, including new artificial intelligence or large learning model tools, and features by identifying organizational trends and best practices based on usage history' - this appears to be aggregate usage-pattern/metadata analysis rather than training on raw snippet Content, but the two documents use different language and should be read together, not in isolation.

    // Security controls

    Encryption at rest

    AES-256

    trust.textexpander.com

    Encryption in transit

    TLS v1.2 or later; rated A and A+ by SSL Labs (as of 2021-09-01, per vendor trust center)

    trust.textexpander.com

    SSO / SAML

    Single Sign-On (SSO/SAML) integrates with Okta, Azure AD, and others; available on Growth tier and above

    textexpander.com

    SCIM provisioning

    SCIM (Okta, Azure, OneLogin) for automated user provisioning, Growth tier and above

    textexpander.com

    Background checks / SDLC

    Staff with access to customer data undergo background checks; TextExpander is engineered using a secure software development lifecycle process

    trust.textexpander.com

    Business continuity / disaster recovery

    Maintains business continuity and disaster recovery plans; publishes a public status page

    trust.textexpander.com

    Documented policy set

    Named security policies on file (available on request via trust center): Acceptable Use, Access Control, Application Security, Asset Management, Backup, BCDR, Change Management, Encryption, Incident Response, Information Security, Password, Physical Security, Third Party Management, Personnel Security, Vulnerability & Penetration Testing Management, Software Development, plus a Cyber Insurance Policy

    trust.textexpander.com

    // Products & data scope

    TextExpander (Individual)Personal productivity / text expansion

    data: User-authored snippets/templates synced across the user's own devices (Mac, Windows, Chrome, mobile)

    Entry tier; $3.33/user/mo billed annually. Same core encryption and privacy posture as other tiers, but HIPAA compliance is scoped to 'qualified Enterprise plans,' not Individual.

    TextExpander for Business / GrowthTeam collaboration / shared snippet libraries

    data: Shared team snippet libraries, admin-controlled permissions, org-level usage statistics

    Adds org-controlled sharing, SSO/SAML and SCIM at the Growth tier, standard security review (CAIQ) at Business tier.

    TextExpander for Chrome + AI RecommendationsBrowser extension with on-device AI snippet suggestion

    data: Local browser context used to surface relevant snippets; vendor states inference runs on-device (Gemini Nano) with no server calls or content-based model training

    Marketed as 'HIPAA-safe by design' due to on-device processing; this is a narrower, feature-specific claim distinct from the account-level HIPAA compliance offered on qualified Enterprise plans.

    TextExpander EnterpriseEnterprise deployment

    data: Same snippet data model as other tiers, plus custom MSA and dedicated security review artifacts

    Adds custom security review, custom MSA, unlimited snippet activity history, dedicated support. This is the tier where HIPAA compliance is explicitly offered per trust center language.

    // What to watch

    • HIPAA compliance is explicitly scoped to 'qualified Enterprise plans' per the vendor's own trust center - do not present HIPAA as available on Individual/Business tiers without that caveat.
    • TX-RAMP Level 2 is a Texas state-government cloud authorization program, not a federal FedRAMP authorization - avoid conflating the two in the listing.
    • SOC 2 and SOC 3 report artifacts are gated behind an access request on the vendor's Vanta-style trust center (not directly downloadable), consistent with normal enterprise trust-center practice; the certification claim itself is independently corroborated on the public, ungated /security page and homepage, so held=true is well supported despite the gated report.
    • Minor nuance between two vendor documents on AI/data use: the dedicated AI Policy promises no training on Snippet Content, while the general Privacy Policy separately reserves the right to use 'usage history' to build new AI/productivity features. Both are consistent with 'we don't train on your raw content' but AIFOXX's listing should link both documents rather than quoting just one, to avoid over- or under-stating the AI-training posture.
    • No ISO 27001, ISO 42001, CSA STAR, PCI DSS, or FedRAMP evidence found on any vendor-domain page as of this review; these should be shown as not held/not evidenced rather than omitted, since the vendor's own trust center enumerates its full compliance list and none of these appear on it.

    // At a glance

    Pricing model

    Per-user monthly/annual subscription (Individual, Business, Growth tiers); custom pricing for Enterprise

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on TextExpander, Inc. (parent: TE SP Holdings, LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.textexpander.com

    > Browse all vendor trust reports