// Trust & Security Report
TextExpander, Inc. (parent: TE SP Holdings, LLC)
Cross-platform text expansion / snippet management tool for Mac, Windows, Chrome and mobile, with Individual, Business/Team, Growth and Enterprise tiers, plus an on-device 'AI Recommendations' feature (Gemini Nano, local inference) for TextExpander for Chrome.
Certifications held
7
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on textexpander.com“TextExpander maintains a SOC 2 and SOC 3 security certification, and our app and database servers run atop SOC 2 and SOC 3 certified infrastructure.”
Verify on trust.textexpander.com“SOC3 ... Request (listed in Compliance section of the official trust center; corroborated by 'TextExpander maintains a SOC 2 and SOC 3 security certification' on the security page)”
Verify on trust.textexpander.com“GDPR-compliant. CCPA-compliant. ... We promptly handle privacy-related requests, including erasure ("right to be forgotten"). We list our sub-processors and the business purposes for which we employ them.”
Verify on trust.textexpander.com“CCPA View (listed under Compliance on the trust center); 'GDPR-compliant. CCPA-compliant.' repeated on /security.”
Verify on trust.textexpander.com“HIPAA-compliant for qualified Enterprise plans ... The platform complies with HIPAA Security, Privacy, and Breach Notification rules.”
Verify on trust.textexpander.com“FSQS Certificate (TextExpander, Inc.) Request”
> Show 5 unconfirmed / not-held certifications
source: trust.textexpander.comNo public evidence: ISO 27001 does not appear on the trust center, the /security page, or the homepage compliance badges (which list HIPAA, SOC2/SOC3, GDPR/CCPA, FSQS, SSO/SAML/SCIM only).
source: trust.textexpander.comNo public evidence. Not listed on the trust center or /security page; payment processing is handled by a listed third-party sub-processor, not covered by a vendor-held PCI attestation.
source: textexpander.comNo public evidence of an AI-management-system certification. TextExpander instead documents AI governance via a contractual AI Policy (no training on Content) rather than a certified ISO 42001 / CSA STAR AI program.
source: trust.textexpander.comNo public evidence; not referenced on the trust center, security page, or AI policy.
source: trust.textexpander.comNo public evidence of FedRAMP authorization. Note: do not confuse with TX-RAMP Level 2, which is a Texas state government cloud-authorization program, not a federal FedRAMP authorization.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States. Privacy Policy: 'We transfer to and process your Personal Data in the United States, the location of our data hosting provider's servers.'
TextExpander's dedicated AI Policy states: 'TextExpander does not use your Content - including the text of your Snippets, expansion inputs and outputs, or any other data you store within the Services - to train, fine-tune, or otherwise improve any foundational AI or large language model,' and that 'This prohibition applies to all Customers and Users by default and requires no opt-out.' Any third-party AI sub-processor engaged in the future must contractually 'Refrain from using Customer Data to train, fine-tune, or improve any AI model.' Currently, 'All AI inference, vectorization, and similarity search used to power Snippet Recommendations and related features is performed on infrastructure owned and operated by TextExpander' (i.e. not shipped to an external model provider). The homepage separately markets 'AI Recommendations' in TextExpander for Chrome as fully on-device via Gemini Nano ('Your data never leaves ... No keystroke logging, no server calls, no AI training on your content'). Flag: the general Privacy Policy (not the AI-specific policy) separately reserves the right to use Personal Data 'To develop new productivity tools, including new artificial intelligence or large learning model tools, and features by identifying organizational trends and best practices based on usage history' - this appears to be aggregate usage-pattern/metadata analysis rather than training on raw snippet Content, but the two documents use different language and should be read together, not in isolation.
// Security controls
Encryption in transit
TLS v1.2 or later; rated A and A+ by SSL Labs (as of 2021-09-01, per vendor trust center)
trust.textexpander.comSSO / SAML
Single Sign-On (SSO/SAML) integrates with Okta, Azure AD, and others; available on Growth tier and above
textexpander.comSCIM provisioning
SCIM (Okta, Azure, OneLogin) for automated user provisioning, Growth tier and above
textexpander.comBackground checks / SDLC
Staff with access to customer data undergo background checks; TextExpander is engineered using a secure software development lifecycle process
trust.textexpander.comBusiness continuity / disaster recovery
Maintains business continuity and disaster recovery plans; publishes a public status page
trust.textexpander.comDocumented policy set
Named security policies on file (available on request via trust center): Acceptable Use, Access Control, Application Security, Asset Management, Backup, BCDR, Change Management, Encryption, Incident Response, Information Security, Password, Physical Security, Third Party Management, Personnel Security, Vulnerability & Penetration Testing Management, Software Development, plus a Cyber Insurance Policy
trust.textexpander.com// Products & data scope
data: User-authored snippets/templates synced across the user's own devices (Mac, Windows, Chrome, mobile)
Entry tier; $3.33/user/mo billed annually. Same core encryption and privacy posture as other tiers, but HIPAA compliance is scoped to 'qualified Enterprise plans,' not Individual.
data: Shared team snippet libraries, admin-controlled permissions, org-level usage statistics
Adds org-controlled sharing, SSO/SAML and SCIM at the Growth tier, standard security review (CAIQ) at Business tier.
data: Local browser context used to surface relevant snippets; vendor states inference runs on-device (Gemini Nano) with no server calls or content-based model training
Marketed as 'HIPAA-safe by design' due to on-device processing; this is a narrower, feature-specific claim distinct from the account-level HIPAA compliance offered on qualified Enterprise plans.
data: Same snippet data model as other tiers, plus custom MSA and dedicated security review artifacts
Adds custom security review, custom MSA, unlimited snippet activity history, dedicated support. This is the tier where HIPAA compliance is explicitly offered per trust center language.
// What to watch
- HIPAA compliance is explicitly scoped to 'qualified Enterprise plans' per the vendor's own trust center - do not present HIPAA as available on Individual/Business tiers without that caveat.
- TX-RAMP Level 2 is a Texas state-government cloud authorization program, not a federal FedRAMP authorization - avoid conflating the two in the listing.
- SOC 2 and SOC 3 report artifacts are gated behind an access request on the vendor's Vanta-style trust center (not directly downloadable), consistent with normal enterprise trust-center practice; the certification claim itself is independently corroborated on the public, ungated /security page and homepage, so held=true is well supported despite the gated report.
- Minor nuance between two vendor documents on AI/data use: the dedicated AI Policy promises no training on Snippet Content, while the general Privacy Policy separately reserves the right to use 'usage history' to build new AI/productivity features. Both are consistent with 'we don't train on your raw content' but AIFOXX's listing should link both documents rather than quoting just one, to avoid over- or under-stating the AI-training posture.
- No ISO 27001, ISO 42001, CSA STAR, PCI DSS, or FedRAMP evidence found on any vendor-domain page as of this review; these should be shown as not held/not evidenced rather than omitted, since the vendor's own trust center enumerates its full compliance list and none of these appear on it.
// At a glance
Pricing model
Per-user monthly/annual subscription (Individual, Business, Growth tiers); custom pricing for Enterprise
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on TextExpander, Inc. (parent: TE SP Holdings, LLC)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.textexpander.com