// Trust & Security Report

    Textio, Inc. logo

    Textio, Inc.

    AI-powered HR communication platform with three modules: Performance Feedback (in-the-moment manager coaching), Recruiting (bias-reduction and language optimization for job postings), and Interview Feedback (structured hiring documentation) - delivered via textio.com and ATS/performance-tool integrations.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Textio has achieved SOC 2 Type II attestation through an accredited third-party auditor.

    Verify on textio.com
    ISO/IEC 27001:2022
    HELD

    Textio's Information Security Management System (ISMS) has been certified compliant with the ISO/IEC 27001:2022 standard by an accredited third-party vendor.

    Verify on textio.com
    CSA STAR (Level 1 self-assessment)
    HELD

    Textio is registered with the Cloud Security Alliance (CSA) and provides additional details of its information security program through the Consensus Assessments Initiative Questionnaire (CAIQ).

    Verify on cloudsecurityalliance.org
    > Show 6 unconfirmed / not-held certifications
    ISO 27017 (cloud security)
    NOT CONFIRMED

    No public evidence. Textio's security page lists ISO/IEC 27001:2022 as its certification but does not mention ISO 27017.

    source: textio.com
    ISO 27018 (PII in cloud)
    NOT CONFIRMED

    No public evidence. Not referenced on Textio's security or privacy pages.

    source: textio.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Textio markets itself as "the OG AI for HR" and describes extensive AI/ML use, but its security page lists no AI-governance-specific certification (ISO 42001, CSA STAR for AI).

    source: textio.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Textio processes HR/employment data (recruiting, performance, interview feedback), not protected health information, and its security page makes no HIPAA claim.

    source: textio.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Textio's platform does not process payment card data and its security page makes no PCI claim.

    source: textio.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on Textio's site.

    source: textio.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    United States only - "Customer data is stored in the United States and not transferred to other countries" (per textio.com/security); hosted on AWS across multiple US availability zones.

    Unclear/unresolved. Textio's homepage markets scale of training data ("1+ billion HR documents power Textio's algorithms, with 10 million new records added every month", "30+ AI models power Textio's generative capabilities") and a company blog post states Textio AI "automatically strips your content of PII like names, email addresses, and phone numbers" before processing. However, neither the Privacy Policy, the /security page, nor the dedicated /ai/data-privacy page contains an explicit statement on whether individual customer/tenant data is used to train shared models, nor any opt-out mechanism or tier-based distinction. The Privacy Policy explicitly defers Customer Data handling to separate customer contracts ("Our processing of Customer Data is governed by the contracts that we have in place with our customers, not this Privacy Policy"), so the actual training posture likely lives in a DPA/MSA not publicly visible. This is a gap, not a confirmed over-claim, and should be verified directly with the vendor before enterprise procurement.

    // Security controls

    Encryption in transit

    TLS 1.2 with 2048-bit RSA certificate; SSL 3.0 and TLS 1.0 disabled

    textio.com

    Encryption at rest

    AES-256 via AWS storage services; keys managed via AWS KMS (shared-tenancy keys, no customer-specific keys)

    textio.com

    Hosting infrastructure

    Amazon Web Services (AWS), US-based data centers, multiple availability zones; Textio staff have no physical access to AWS facilities

    textio.com

    Data residency

    Customer data stored in the United States and not transferred to other countries

    textio.com

    Penetration testing

    Documented as a standing program ("Penetration testing" section on the security page); frequency/vendor not disclosed publicly

    textio.com

    Subprocessors

    Published subprocessor list (~15 entries) including AWS (hosting) and Anthropic (LLM services), all disclosed as US-based

    textio.com

    Incident response / BCDR

    Documented incident response procedure and business continuity/disaster recovery program (sections present on security page; specifics under NDA)

    textio.com

    Personnel security

    Background checks, confidentiality agreements, and security awareness training for employees

    textio.com

    // Products & data scope

    Textio Performance FeedbackHR / performance management

    data: Manager/employee feedback and goal text, processed in real time for coaching suggestions

    Flagship module; in-the-moment guidance for writing performance feedback.

    Textio RecruitingHR / talent acquisition

    data: Job posting and recruiting-communication text

    Bias-reduction and inclusive-language optimization for job ads.

    Textio Interview FeedbackHR / hiring workflow

    data: Interview notes and candidate evaluation text

    Newer module (marked "NEW!" on homepage) for structured interview documentation.

    // What to watch

    • AI training posture on customer data is not publicly documented: no statement on whether tenant data trains shared models, and no opt-out described in the Privacy Policy, /security, or /ai/data-privacy pages, despite prominent marketing about model scale ('1+ billion HR documents', '30+ AI models'). Recommend requesting written confirmation via a DPA/MSA before listing any training claim.
    • CSA STAR listing is a Level 1 self-assessment (CAIQ), not an independently audited Level 2/3 attestation - should not be conflated with SOC 2/ISO rigor in listing copy.
    • SOC 2 and ISO 27001 audit reports/certificates are gated behind NDA (not publicly downloadable in full), consistent with normal enterprise practice but noted for transparency.

    // At a glance

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Textio, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    textio.com

    > Browse all vendor trust reports