// Trust & Security Report
Textio, Inc.
AI-powered HR communication platform with three modules: Performance Feedback (in-the-moment manager coaching), Recruiting (bias-reduction and language optimization for job postings), and Interview Feedback (structured hiring documentation) - delivered via textio.com and ATS/performance-tool integrations.
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on textio.com“Textio has achieved SOC 2 Type II attestation through an accredited third-party auditor.”
Verify on textio.com“Textio's Information Security Management System (ISMS) has been certified compliant with the ISO/IEC 27001:2022 standard by an accredited third-party vendor.”
Verify on cloudsecurityalliance.org“Textio is registered with the Cloud Security Alliance (CSA) and provides additional details of its information security program through the Consensus Assessments Initiative Questionnaire (CAIQ).”
> Show 6 unconfirmed / not-held certifications
source: textio.comNo public evidence. Textio's security page lists ISO/IEC 27001:2022 as its certification but does not mention ISO 27017.
source: textio.comNo public evidence. Not referenced on Textio's security or privacy pages.
source: textio.comNo public evidence. Textio markets itself as "the OG AI for HR" and describes extensive AI/ML use, but its security page lists no AI-governance-specific certification (ISO 42001, CSA STAR for AI).
source: textio.comNo public evidence. Textio processes HR/employment data (recruiting, performance, interview feedback), not protected health information, and its security page makes no HIPAA claim.
source: textio.comNo public evidence. Textio's platform does not process payment card data and its security page makes no PCI claim.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
United States only - "Customer data is stored in the United States and not transferred to other countries" (per textio.com/security); hosted on AWS across multiple US availability zones.
Unclear/unresolved. Textio's homepage markets scale of training data ("1+ billion HR documents power Textio's algorithms, with 10 million new records added every month", "30+ AI models power Textio's generative capabilities") and a company blog post states Textio AI "automatically strips your content of PII like names, email addresses, and phone numbers" before processing. However, neither the Privacy Policy, the /security page, nor the dedicated /ai/data-privacy page contains an explicit statement on whether individual customer/tenant data is used to train shared models, nor any opt-out mechanism or tier-based distinction. The Privacy Policy explicitly defers Customer Data handling to separate customer contracts ("Our processing of Customer Data is governed by the contracts that we have in place with our customers, not this Privacy Policy"), so the actual training posture likely lives in a DPA/MSA not publicly visible. This is a gap, not a confirmed over-claim, and should be verified directly with the vendor before enterprise procurement.
// Security controls
Encryption at rest
AES-256 via AWS storage services; keys managed via AWS KMS (shared-tenancy keys, no customer-specific keys)
textio.comHosting infrastructure
Amazon Web Services (AWS), US-based data centers, multiple availability zones; Textio staff have no physical access to AWS facilities
textio.comData residency
Customer data stored in the United States and not transferred to other countries
textio.comPenetration testing
Documented as a standing program ("Penetration testing" section on the security page); frequency/vendor not disclosed publicly
textio.comSubprocessors
Published subprocessor list (~15 entries) including AWS (hosting) and Anthropic (LLM services), all disclosed as US-based
textio.comIncident response / BCDR
Documented incident response procedure and business continuity/disaster recovery program (sections present on security page; specifics under NDA)
textio.comPersonnel security
Background checks, confidentiality agreements, and security awareness training for employees
textio.com// Products & data scope
data: Manager/employee feedback and goal text, processed in real time for coaching suggestions
Flagship module; in-the-moment guidance for writing performance feedback.
data: Job posting and recruiting-communication text
Bias-reduction and inclusive-language optimization for job ads.
data: Interview notes and candidate evaluation text
Newer module (marked "NEW!" on homepage) for structured interview documentation.
// What to watch
- AI training posture on customer data is not publicly documented: no statement on whether tenant data trains shared models, and no opt-out described in the Privacy Policy, /security, or /ai/data-privacy pages, despite prominent marketing about model scale ('1+ billion HR documents', '30+ AI models'). Recommend requesting written confirmation via a DPA/MSA before listing any training claim.
- CSA STAR listing is a Level 1 self-assessment (CAIQ), not an independently audited Level 2/3 attestation - should not be conflated with SOC 2/ISO rigor in listing copy.
- SOC 2 and ISO 27001 audit reports/certificates are gated behind NDA (not publicly downloadable in full), consistent with normal enterprise practice but noted for transparency.
// At a glance
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Textio, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
textio.com