// Trust & Security Report

    Turnitin, LLC logo

    Turnitin, LLC

    Academic integrity and assessment platform for education: Turnitin Feedback Studio / Similarity (plagiarism and text-similarity checking), Turnitin AI writing detection, Turnitin Clarity (AI-assisted writing feedback, built on third-party LLMs including Claude), iThenticate (research/publisher integrity checking), plus acquired sister products Gradescope (grading) and ExamSoft (secure digital exams) sold under the Turnitin corporate umbrella.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Turnitin undergoes annual SOC2 Type II audits conducted by an external and independent auditor (AICPA).

    Verify on guides.turnitin.com
    SOC 2 Type I (historical)
    HELD

    Turnitin ... successfully completed the SOC 2 Type 1 audit [and moved into] their SOC 2 Type 2 audit period, targeted for completion in Q4 2018.

    Verify on turnitin.co.uk
    GDPR (posture)
    HELD

    We fully embrace the upcoming changes and have evaluated and updated our data privacy practices to exceed the requirements set forth by GDPR ... we always use appropriate safeguards, such as the EU Model Clauses and the EU-US or Swiss-US Privacy Shield.

    Verify on turnitin.co.uk
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of Turnitin itself holding ISO 27001 was found on any turnitin.com/turnitin.co.uk domain. The only ISO 27001 reference found in Turnitin's own site content is for a third-party integration partner (Scorion), not for Turnitin's own systems - this is the partner's certification, not Turnitin's.

    source: turnitin.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or a Business Associate Agreement offering was found on Turnitin's own domain. Turnitin is an education/academic-integrity product line that does not appear to process protected health information, so HIPAA is likely out of scope rather than an unmet requirement.

    source: guides.turnitin.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification found on Turnitin's own domain.

    source: turnitin.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on Turnitin's own domain.

    source: turnitin.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 AI-management-system certification found on Turnitin's own domain, despite Turnitin now shipping AI-detection and AI-assisted-writing (Clarity) features.

    source: guides.turnitin.com
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR or CSA STAR for AI registration found on Turnitin's own domain.

    source: turnitin.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Turnitin Feedback Studio offers regional data storage in the EU and APAC regions in addition to the US; GDPR-covered data transfers rely on EU Standard Contractual Clauses.

    Turnitin's Clarity AI writing-feedback assistant runs on pre-trained third-party LLMs (cited by Turnitin as Claude Haiku 3.5 and Claude Sonnet 3.7) which 'do not use or retain any student or assignment data submitted to Turnitin for AI training and evaluation.' However, Turnitin separately states it 'does use anonymized student assignment data to evaluate, improve, and extend the quality of the Turnitin AI assistant responses and capabilities,' using anonymization tools to strip PII before using data for feature improvement. Institutions can opt out of AI writing detection processing entirely from admin account settings. Net effect: no raw/identifiable student data is used to train third-party foundation models, but de-identified data is used by Turnitin for its own feature development, which is a nuance AIFOXX should surface rather than a simple yes/no.

    // Security controls

    Independent audit

    Annual SOC 2 Type II audit performed by an independent, AICPA-affiliated CPA firm.

    guides.turnitin.com

    Cross-border transfer safeguards

    EU Standard Contractual (Model) Clauses used for data exported from the EEA; UK/EU GDPR Data Protection Officer point of contact (DPO@turnitin.com) with the UK ICO as lead supervisory authority.

    turnitin.co.uk

    Data residency options

    Regional data storage available in the US, EU, and APAC for Feedback Studio.

    turnitin.co.uk

    AI opt-out control

    Institutions can disable AI writing detection processing from the administrator account settings.

    guides.turnitin.com

    // Products & data scope

    Turnitin Feedback Studio / SimilarityPlagiarism and text-similarity detection

    data: Student-submitted written assignments, matched against Turnitin's proprietary academic database and internet/publication sources.

    Core, longest-running product; covered by the company-wide SOC 2 Type II audit and regional (US/EU/APAC) data storage.

    Turnitin AI Writing DetectionAI-generated text detection

    data: Same submitted-assignment text as Similarity; institution-level opt-out available.

    Detection model itself is Turnitin-trained; does not equal the separate Clarity assistant.

    Turnitin ClarityAI-assisted writing feedback tool for students

    data: Draft writing and prompts passed to third-party foundation models (Claude Haiku 3.5 / Claude Sonnet 3.7 per Turnitin's own FAQ) for generating feedback; Turnitin states the underlying models do not retain that data, but Turnitin itself uses anonymized copies for internal quality improvement.

    Newest product (2025-2026); has the most material AI-training nuance of the family.

    iThenticateResearch/publication integrity checking

    data: Manuscripts, theses, dissertations, and professional documents from publishers, researchers, and institutions rather than K-12/higher-ed classroom submissions.

    Distinct customer base (publishers/researchers) from the classroom-facing products; separate privacy policy referenced by evidence.

    GradescopeAssignment grading and coursework assessment

    data: Student coursework and exam scans/uploads for grading workflows.

    Acquired product (2018) with its own privacy policy at gradescope.com/privacy; treat as a related but separately documented data-handling surface.

    ExamSoftSecure digital exam delivery/lockdown

    data: High-stakes exam content, device lockdown telemetry, and (per marketing) student ID verification data for secure/offline exams.

    Acquired product (2021) aimed at bar-exam/licensure-style high-stakes assessment; a materially different, more sensitive data scope than the classroom writing-review products and should be evaluated separately if a customer is scoping ExamSoft specifically.

    // What to watch

    • Recommend a human re-verify the live https://www.turnitin.com/en_us/about-us/privacy-center/overview and SOC 2 report request page before publishing.
    • Turnitin's UK blog post 'Our commitment to data privacy: Turnitin and GDPR' states data transfers rely on 'the EU-US or Swiss-US Privacy Shield, for which Turnitin is fully certified' - the EU-US/Swiss-US Privacy Shield framework was invalidated by the CJEU (Schrems II, 2020) and later superseded by the EU-US Data Privacy Framework (2023). This looks like stale/unmaintained legacy content (page carries no clear last-updated date) rather than a live certification; do not present 'Privacy Shield certified' as current.
    • No ISO 27001 certification could be confirmed for Turnitin itself; the only ISO 27001 mention on turnitin.com belongs to an integration partner (Scorion), which must not be conflated with Turnitin's own certification.
    • Third-party compliance-aggregator sites (e.g. a nudgesecurity.com vendor profile) list Turnitin as FedRAMP, PCI DSS, HIPAA, and CSA STAR compliant; none of these claims could be corroborated on Turnitin's own domain, so they were excluded from this assessment and should not be trusted without direct vendor confirmation.
    • AI-training posture has a real nuance worth surfacing to users: Turnitin states the third-party LLMs behind Clarity do not retain submitted student data, but Turnitin itself uses anonymized/de-identified student assignment data to improve its own AI features - this is a partial 'no' on training, not an unqualified one.
    • Turnitin is a multi-product family (Feedback Studio/Similarity, AI Writing Detection, Clarity, iThenticate, Gradescope, ExamSoft) assembled through acquisitions; each sub-product may carry its own privacy policy and data-handling scope, and the SOC 2 Type II audit's exact system/product boundary (i.e., whether it covers every sub-product listed here) could not be confirmed from public pages alone.

    // At a glance

    Pricing model

    Institutional licensing (per-institution/per-seat agreements negotiated with schools, districts, and publishers); no self-serve consumer pricing observed in evidence.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Turnitin, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    turnitin.com

    > Browse all vendor trust reports