Security and Data Privacy
Last updated 2022-09-22
We take security and data privacy very seriously and maintain a security-first culture across our organization—our philosophy is to do the right thing every time, even when no one is watching. (Read moreopen in new window about how we prioritize user trust at Grammarly.) Here is what you should know about how we safeguard your and your users’ data.
- Grammarly does not store text processed by the Text Editor SDK unless the end user connects their own Grammarly account.
- We make money from selling our service—not from selling user data or advertising.
- Grammarly’s enterprise-grade compliance and validated security controls help keep data safe.
- We use industry-leading infrastructure and best practices to protect your data.
- You control who can access the Grammarly features in your application.
Grammarly does not store text processed by the Text Editor SDK unless the end user connects their own Grammarly account.
The Text Editor SDK must transmit written text to Grammarly’s servers in order to generate suggestions (about spelling and grammar, for example). Grammarly processes that text in two different ways, depending on whether your users have signed in to their Grammarly identity via the connected accounts feature in your application.
- Anonymous users: Grammarly processes the text on our servers and deletes it once processing is complete, within 24 hours of processing it. Grammarly does not persist the text in any database, and Grammarly does not store backups of anonymous users’ text.
- Users who have signed in with their Grammarly identity using connected accounts: Grammarly stores text in accordance with the privacy policies and terms of service that users agreed to when they created their Grammarly identity. Grammarly does this so that we can provide users who have a Grammarly identity with enhanced assistance features, such as personalized dictionaries and Grammarly Business style guides.
In order to improve the features, algorithms, and usability of our service, Grammarly does store usage statistics related to the writing session. For example, Grammarly records the number of suggestions generated for a given writing session, the number of suggestions the user accepted and declined, and the length of the writing session. In addition to helping Grammarly improve the service we offer, this usage information powers customer-facing features such as the dashboardopen in new window in the Developer Hub.
We make money from selling our service—not from selling user data or advertising.
Grammarly makes money by offering best-in-class real-time writing suggestions, with both free and paid product offerings. We do not—and will not—sell any users’ data. We do not—and will not—have an ad-based revenue model. We never provide information to third parties to help them advertise to you or your users.
Grammarly’s enterprise-grade compliance and validated security controls help keep data safe.
We meet enterprise-grade security standards, verified and audited by industry-leading third parties.
Certifications and compliance
- SOC 2 (Type 2): Grammarly obtained a SOC 2 (Type 2) report in June 2021, updated in July 2022, which validates the strength of our security controls.
- ISO/IEC 27001:2013open in new window: The first of our certifications from the International Organization for Standardization certifies that Grammarly’s information security management system meets industry-standard requirements to secure your information.
- ISO/IEC 27017:2015open in new window: This certification validates how we apply information security controls in cloud services to protect your data.
- ISO/IEC 27018:2019open in new window: This certification validates the care we take to protect your and your users’ personally identifiable information (PII) in the cloud.
- HIPAA: We are compliant with the Health Insurance Portability and Accountability Act, demonstrating our commitment to protecting and securing sensitive user information.
- Grammarly is compliant with the Payment Card Industry's Data Security Standard, which validates that payments are handled with industry-standard security. Read Grammarly’s attestation of PCI complianceopen in new window.
- We comply with the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Verified and audited by industry-leading third parties
- We undergo annual internal audits of our services, penetration testing, and security reviews of our AWS environment.
- We use BitSight’s vendor assessment system as part of a broader program to evaluate our security maturity as well as the security of our suppliers.
Security practices
- Dedicated security team: Grammarly’s in-house team of security specialists is focused on ensuring security across the company—in our product and infrastructure as well as in all operations.
- Internal training and monitoring: Grammarly employees complete mandatory annual training on a wide range of privacy and security topics.
- Access management: Grammarly adheres to the principle of least privilege—employees’ data access rights are regularly reviewed to ensure that only the minimum required privileges are granted. All workstations run on centrally controlled endpoint-management software that enforces security configurations and protection solutions.
We use industry-leading infrastructure and best practices to protect your data.
Grammarly’s infrastructure is built to protect your data and your users’ data, meeting the highest industry standards for guaranteeing security, availability, and integrity.
Data hosting on AWS infrastructure
- Grammarly hosts data in Amazon Web Services data centers in the US East and US West Regions and ensures continual availability by using native backup tools.
- We utilize AWS security tools for key management, threat detection, and firewall controls.
Data encryption
- Grammarly encrypts all data in transit and at rest.
- Data transfer is protected by up-to-date encryption protocols (including SSL/TLS 1.2), while data at rest is encrypted using AES-256 server-side encryption.
Cloud platform
- All components that process data operate in Grammarly’s private network inside our secure cloud platform, and each user’s data is isolated from other users’ data.
- We've built redundancy into our cloud architecture and have strict network access controls in place. Our servers and network ports are behind load balancers and a web application firewall.
You control who can access the Grammarly features in your application.
The Text Editor SDK supports two authentication options:
Origin-based authentication. Grammarly will only allow the origins that you configure to communicate with Grammarly's cloud using your application's client ID. You can add multiple allowed origins for your application. Learn more about originsopen in new window.
Request signing using trusted authentication. When this feature is on, all requests from your application to Grammarly must be signed using a shared secret in order to be processed by our cloud. Turning on trusted authentication will block any requests that are not signed with the secret, and is especially recommended for apps on our Plus plan. Learn more about trusted authenticationopen in new window.