// Trust & Security Report

    Writer, Inc. logo

    Writer, Inc.

    Full-stack enterprise generative AI platform: WRITER Agent (delegated agentic execution), AI Studio (agent build/deploy/manage platform with Knowledge Graph RAG), and the Palmyra family of proprietary LLMs (including long-context Palmyra X5, and open-weights Palmyra Small/Base on Hugging Face). Sold to marketing, legal, and other enterprise functions at regulated companies.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Writer maintains SOC 2 Type II compliance and undergoes annual examinations that evaluate the controls they have designed and implemented based on the trust services criteria relevant to Security, Availability, and Confidentiality. Writer has completed an annual SOC 2 (Type II) audit (including HIPAA/HITECH).

    Verify on writer.com
    ISO/IEC 27001
    HELD

    WRITER achieves ISO trust triad, setting new standard for security, privacy, and responsible AI in the enterprise... WRITER has achieved ISO/IEC 27001, 27701, and 42001 certifications, making WRITER one of the first model developers to meet this full slate of global standards for privacy, security, and responsible AI.

    Verify on writer.com
    ISO/IEC 27701
    HELD

    ISO/IEC 27701 is an extension of ISO 27001 that demonstrates Writer's commitment to upholding stringent privacy practices that align with global regulations, such as GDPR, HIPAA, CCPA, PCI, and Data Privacy Framework.

    Verify on writer.com
    ISO/IEC 42001 (AI Management System)
    HELD

    ISO/IEC 42001 is one of the first global standards for responsible and safe AI, certifying that WRITER has adequate governance, risk, and accountability processes in place to develop and deploy AI systems.

    Verify on writer.com
    HIPAA
    HELD

    Writer has completed an annual SOC 2 (Type II) audit (including HIPAA/HITECH), and maintains certifications for HIPAA... compliance. Guardrails help organizations meet HIPAA (Healthcare) regulatory requirements through features like PII detection.

    Verify on writer.com
    GDPR (compliance posture)
    HELD

    Writer maintains a Data Processing Agreement (DPA) incorporated by reference into the applicable subscription agreement; for transfers of Personal Data, the EU Standard Contractual Clauses (SCCs) form part of Writer's DPA, with specific provisions for Swiss data protection requirements.

    Verify on writer.com
    PCI DSS
    HELD

    Writer maintains certifications for HIPAA and PCI compliance. ISO/IEC 27701 aligns with global regulations such as GDPR, HIPAA, CCPA, PCI, and Data Privacy Framework.

    Verify on writer.com
    > Show 2 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on writer.com trust or blog content reviewed. Not listed alongside the ISO/SOC 2/HIPAA/PCI slate described in Writer's own trust materials.

    source: writer.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or certification found on writer.com. Writer's public trust messaging centers on the ISO 27001/27701/42001 + SOC 2 + HIPAA + PCI set; CSA STAR is not mentioned.

    source: writer.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primarily United States (San Francisco-headquartered); international transfers to the EU/EEA and Switzerland are governed by Standard Contractual Clauses referenced in Writer's DPA. No explicit customer-selectable EU-only data residency region was confirmed in the pages reviewed; enterprise buyers requiring EU data residency should confirm directly with Writer's sales/legal team.

    Writer's help center states plainly: 'We do not train our LLMs with customer data.' This applies across Starter, Team, and Enterprise plans. The one tier-specific nuance: Enterprise customers can optionally 'further train our models with your own best-in-class examples' for custom fine-tuning, an opt-in, customer-initiated feature, not Writer using customer data to train its base/shared models. No contradiction found between this support-article language and the trust center's marketing claims.

    // Security controls

    Encryption

    Writer states it safeguards information with administrative, technical, physical, and organizational security measures; standard practice for SOC 2/ISO 27001-audited SaaS is TLS in transit and encryption at rest, though a specific vendor-domain quote naming the cipher/standard was not captured in this pass.

    writer.com

    Access control / governance

    Role-based permissions and least-privilege access with organization- and team-level custom roles; audit logs surface usage across an organization; customers can configure organization-wide data controls including an automated data deletion schedule.

    writer.com

    Agent sandboxing

    WRITER Agent operates within a secure, containerized sandbox completely isolated from host infrastructure and other user sessions; all files and data are temporarily stored and permanently destroyed at the end of each session.

    support.writer.com

    Content guardrails

    Configurable Guardrails scan content for PII (e.g. Social Security numbers, bank account numbers) and financial data to help regulated customers meet HIPAA, GDPR, and PCI DSS requirements at the application layer.

    support.writer.com

    Third-party audits

    Annual SOC 2 Type II examination (Security, Availability, Confidentiality trust services criteria); ISO/IEC 27001, 27701, and 42001 certification audits.

    writer.com

    Deployment flexibility

    Enterprise customers can self-deploy Palmyra models into their own Virtual Private Cloud (VPC) for organizations requiring maximum control over data and infrastructure; Palmyra Small and Base are also released as open-weight models on Hugging Face.

    writer.com

    // Products & data scope

    WRITER AgentAgentic AI assistant / delegated task execution

    data: Reads company knowledge/context connected via Knowledge Graph and integrations to execute marketing and content tasks end-to-end; sandboxed session storage destroyed after each session

    Flagship product, positioned as 'not a tool you prompt, an agent you delegate to.' Available from Starter plan up.

    AI StudioAgent build/deploy/manage platform for IT and developers

    data: Full-stack development environment with Graph RAG, Skills, guardrails, roles/permissions, and observability integrations

    Targeted at enterprise IT teams; integrates with existing identity, security, and observability stack rather than replacing it.

    Palmyra LLMsProprietary large language models

    data: Model family trained on public + licensed data (not customer data); includes long-context Palmyra X5 (1M-token context)

    Palmyra Small and Base are additionally released as open-weight models on Hugging Face; larger/closed variants can be self-deployed into a customer VPC for Enterprise customers.

    // What to watch

    • HIPAA and PCI DSS are described by Writer as 'certifications' in secondary summaries, but neither HIPAA nor PCI DSS is a certification with an accredited certificate body in the way ISO 27001 or SOC 2 are; treat these as compliance/attestation posture (SOC 2 report scoped to include HITECH/HIPAA, PCI-aligned controls) rather than a discrete issued certificate. Recommend requesting the actual SOC 2 report and any BAA template directly from Writer to confirm scope before relying on this for a healthcare or payments use case.
    • No public evidence of FedRAMP or CSA STAR was found; if AIFOXX lists Writer for US public-sector or highly regulated buyers, this gap should be called out.
    • Data residency: no explicit EU-only or region-pinned hosting option was confirmed from public vendor pages; only SCC-based international transfer language was found. Enterprise buyers with strict data-residency requirements should confirm directly with Writer.

    // At a glance

    Pricing model

    Per-seat SaaS subscription for Starter (published list price, e.g. ~$39/user/month monthly, 14-day free trial) and Team tiers (seat-based, list pricing in the mid-$20s/user/month annual); Enterprise is custom-quoted and unlocks advanced security, flexible deployment (VPC self-hosting), and unlimited custom agents.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Writer, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    writer.com

    > Browse all vendor trust reports