// Trust & Security Report
Writer, Inc.
Full-stack enterprise generative AI platform: WRITER Agent (delegated agentic execution), AI Studio (agent build/deploy/manage platform with Knowledge Graph RAG), and the Palmyra family of proprietary LLMs (including long-context Palmyra X5, and open-weights Palmyra Small/Base on Hugging Face). Sold to marketing, legal, and other enterprise functions at regulated companies.
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on writer.com“Writer maintains SOC 2 Type II compliance and undergoes annual examinations that evaluate the controls they have designed and implemented based on the trust services criteria relevant to Security, Availability, and Confidentiality. Writer has completed an annual SOC 2 (Type II) audit (including HIPAA/HITECH).”
Verify on writer.com“WRITER achieves ISO trust triad, setting new standard for security, privacy, and responsible AI in the enterprise... WRITER has achieved ISO/IEC 27001, 27701, and 42001 certifications, making WRITER one of the first model developers to meet this full slate of global standards for privacy, security, and responsible AI.”
Verify on writer.com“ISO/IEC 27701 is an extension of ISO 27001 that demonstrates Writer's commitment to upholding stringent privacy practices that align with global regulations, such as GDPR, HIPAA, CCPA, PCI, and Data Privacy Framework.”
Verify on writer.com“ISO/IEC 42001 is one of the first global standards for responsible and safe AI, certifying that WRITER has adequate governance, risk, and accountability processes in place to develop and deploy AI systems.”
Verify on writer.com“Writer has completed an annual SOC 2 (Type II) audit (including HIPAA/HITECH), and maintains certifications for HIPAA... compliance. Guardrails help organizations meet HIPAA (Healthcare) regulatory requirements through features like PII detection.”
Verify on writer.com“Writer maintains a Data Processing Agreement (DPA) incorporated by reference into the applicable subscription agreement; for transfers of Personal Data, the EU Standard Contractual Clauses (SCCs) form part of Writer's DPA, with specific provisions for Swiss data protection requirements.”
Verify on writer.com“Writer maintains certifications for HIPAA and PCI compliance. ISO/IEC 27701 aligns with global regulations such as GDPR, HIPAA, CCPA, PCI, and Data Privacy Framework.”
> Show 2 unconfirmed / not-held certifications
source: writer.comNo public evidence of FedRAMP authorization found on writer.com trust or blog content reviewed. Not listed alongside the ISO/SOC 2/HIPAA/PCI slate described in Writer's own trust materials.
source: writer.comNo public evidence of a CSA STAR registry entry or certification found on writer.com. Writer's public trust messaging centers on the ISO 27001/27701/42001 + SOC 2 + HIPAA + PCI set; CSA STAR is not mentioned.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primarily United States (San Francisco-headquartered); international transfers to the EU/EEA and Switzerland are governed by Standard Contractual Clauses referenced in Writer's DPA. No explicit customer-selectable EU-only data residency region was confirmed in the pages reviewed; enterprise buyers requiring EU data residency should confirm directly with Writer's sales/legal team.
Writer's help center states plainly: 'We do not train our LLMs with customer data.' This applies across Starter, Team, and Enterprise plans. The one tier-specific nuance: Enterprise customers can optionally 'further train our models with your own best-in-class examples' for custom fine-tuning, an opt-in, customer-initiated feature, not Writer using customer data to train its base/shared models. No contradiction found between this support-article language and the trust center's marketing claims.
// Security controls
Encryption
Writer states it safeguards information with administrative, technical, physical, and organizational security measures; standard practice for SOC 2/ISO 27001-audited SaaS is TLS in transit and encryption at rest, though a specific vendor-domain quote naming the cipher/standard was not captured in this pass.
writer.comAccess control / governance
Role-based permissions and least-privilege access with organization- and team-level custom roles; audit logs surface usage across an organization; customers can configure organization-wide data controls including an automated data deletion schedule.
writer.comAgent sandboxing
WRITER Agent operates within a secure, containerized sandbox completely isolated from host infrastructure and other user sessions; all files and data are temporarily stored and permanently destroyed at the end of each session.
support.writer.comContent guardrails
Configurable Guardrails scan content for PII (e.g. Social Security numbers, bank account numbers) and financial data to help regulated customers meet HIPAA, GDPR, and PCI DSS requirements at the application layer.
support.writer.comThird-party audits
Annual SOC 2 Type II examination (Security, Availability, Confidentiality trust services criteria); ISO/IEC 27001, 27701, and 42001 certification audits.
writer.comDeployment flexibility
Enterprise customers can self-deploy Palmyra models into their own Virtual Private Cloud (VPC) for organizations requiring maximum control over data and infrastructure; Palmyra Small and Base are also released as open-weight models on Hugging Face.
writer.com// Products & data scope
data: Reads company knowledge/context connected via Knowledge Graph and integrations to execute marketing and content tasks end-to-end; sandboxed session storage destroyed after each session
Flagship product, positioned as 'not a tool you prompt, an agent you delegate to.' Available from Starter plan up.
data: Full-stack development environment with Graph RAG, Skills, guardrails, roles/permissions, and observability integrations
Targeted at enterprise IT teams; integrates with existing identity, security, and observability stack rather than replacing it.
data: Model family trained on public + licensed data (not customer data); includes long-context Palmyra X5 (1M-token context)
Palmyra Small and Base are additionally released as open-weight models on Hugging Face; larger/closed variants can be self-deployed into a customer VPC for Enterprise customers.
// What to watch
- HIPAA and PCI DSS are described by Writer as 'certifications' in secondary summaries, but neither HIPAA nor PCI DSS is a certification with an accredited certificate body in the way ISO 27001 or SOC 2 are; treat these as compliance/attestation posture (SOC 2 report scoped to include HITECH/HIPAA, PCI-aligned controls) rather than a discrete issued certificate. Recommend requesting the actual SOC 2 report and any BAA template directly from Writer to confirm scope before relying on this for a healthcare or payments use case.
- No public evidence of FedRAMP or CSA STAR was found; if AIFOXX lists Writer for US public-sector or highly regulated buyers, this gap should be called out.
- Data residency: no explicit EU-only or region-pinned hosting option was confirmed from public vendor pages; only SCC-based international transfer language was found. Enterprise buyers with strict data-residency requirements should confirm directly with Writer.
// At a glance
Pricing model
Per-seat SaaS subscription for Starter (published list price, e.g. ~$39/user/month monthly, 14-day free trial) and Team tiers (seat-based, list pricing in the mid-$20s/user/month annual); Enterprise is custom-quoted and unlocks advanced security, flexible deployment (VPC self-hosting), and unlimited custom agents.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Writer, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
writer.com