Typeless claims ISO 27001, on-device privacy
- Typeless said on May 20 it had earned ISO 27001 certification and paired the announcement with claims of on-device storage and zero cloud retention.
- Typeless’s Trust Center lists ISO 27001, SOC 2 Type II and HIPAA compliance documents, while its app and site say it is “never trained on your data.”
- Typeless’s Trust Center, data-controls page and DPA were live on May 20 with compliance and processing details.

Typeless said on May 20 that it had obtained ISO 27001 certification, adding a formal security standard to a privacy pitch it has been making around its voice-dictation product. The company paired the claim with language on its site and app store listing that says user history is stored on-device, cloud data retention is zero and customer data is not used to train models. Typeless also says it maintains HIPAA-related documentation and GDPR-facing contractual terms through its trust and legal pages. The company is based in Palo Alto, California, according to its website.

### What exactly did Typeless say it had achieved?

Typeless’s Trust Center says the company provides access to its “SOC 2 Type II report, ISO 27001 certification, and HIPAA compliance documentation.” The page describes those materials as part of the company’s security and compliance posture. The company’s public materials do not, in the snippets reviewed, spell out the certifying body or the effective date of the ISO 27001 certificate. (trust.typeless.com)

Typeless’s announcement on X, referenced in the source brief, said the company had earned ISO 27001 while maintaining GDPR and HIPAA controls.

### What does Typeless say about where user data goes?

Typeless’s data-controls and product pages describe the service as having “zero cloud data retention.” Its App Store listing also says the product is “Private by design,” with “Zero cloud data retention,” “Never trained on your data,” and “On-device history storage.” (trust.typeless.com)

The company’s marketing language matters because Typeless is selling a voice-input product that can be used across messaging, documents and work apps. (trust.typeless.com) Voice tools can capture sensitive health, work and personal information before users edit it, making storage and training policies central to buyer questions. That framing comes from Typeless’s own product descriptions rather than a regulator’s finding. (typeless.com)

### How do the GDPR and HIPAA claims show up on Typeless’s site?

Typeless’s Data Processing Agreement, last updated February 25, 2026, says it applies when processing is subject to “applicable Data Protection Laws,” including the GDPR, UK GDPR and CCPA. The DPA says Typeless acts as a processor or service provider, will not sell personal data, and will process data only as needed to provide the service. (typeless.com)

The same DPA says categories of processed data may include account information, usage and device metadata, and customer-provided content. It also lists security measures including encryption in transit and at rest, access controls, role-based permissions and data minimization practices.

HIPAA appears on the company’s Trust Center as “HIPAA compliance documentation.” The public pages reviewed do not, on their own, establish whether Typeless is a covered entity, a business associate in specific deployments, or offering a standard business associate agreement to all customers. (typeless.com) HHS says HIPAA applies through defined roles and rules for protected health information.

### Does ISO 27001 mean the same thing as HIPAA or GDPR compliance?

ISO says ISO/IEC 27001:2022 is a standard for information security management systems focused on managing risks to confidentiality, integrity and availability. That is different from GDPR, which is a legal regime for personal data protection, and from HIPAA, which governs health information in specific U.S. healthcare contexts. (trust.typeless.com)

Typeless’s public materials present those frameworks together: ISO 27001 as a certification, HIPAA as documentation and GDPR through its contractual and processing terms. The company’s claim is not that the standards are interchangeable, but that its controls are intended to support multiple privacy and security requirements at once.

### What can users verify right now?

As of May 20, Typeless’s Trust Center, legal pages and app-store listing were publicly accessible and carried the core claims behind the announcement. (iso.org) Those materials show the company’s current public posture on certification, retention, training and device storage.

The next concrete step for customers is likely to be document review. Typeless’s Trust Center says it hosts the ISO 27001 certification, SOC 2 Type II report, HIPAA compliance documentation and a subprocessor list, while the DPA sets the legal terms for data processing. (trust.typeless.com)