User trust drives everything we do at Grammarly. We put users’ privacy and security first, building on Grammarly’s best-in-class security practices and long-standing commitment to safe, responsible AI innovation.
Dedicated security team: Grammarly’s in-house team of security specialists is focused on ensuring security across the company—in our product and infrastructure, and in all operations. The team also oversees risk management and standards compliance. Company executives are directly involved in overseeing security strategy.
Data security: Through industry-standard data protection, secure infrastructure, and third-party verification, Grammarly ensures data security across our product ecosystem.
Data ownership: Your words are yours—we do not sell or monetize your or your team’s content. We make money when you purchase our paid products.
Data hosting: Grammarly hosts data in Amazon Web Services data centers in the US East region and ensures continual product availability by using native backup tools. An industry-leading infrastructure provider, AWS is certified as compliant with ISO 27001 and has received a SOC 2 (Type 2) report.
Data encryption: Grammarly encrypts all data in transit and at rest. Data transfer is protected using the industry-standard TLS 1.2 protocol, while data at rest in AWS is encrypted using AES-256 server-side encryption. Grammarly uses AWS Key Management Service for database encryption and secure key management. Enterprise clients can either provide their own encryption keys or use a Grammarly-managed key to control and view access to data stored at rest in Grammarly’s service.
Cloud platform: All components that process your data operate in Grammarly’s private network inside our secure cloud platform, and each user’s data is isolated from other users’ data. Grammarly’s servers and network ports are behind load balancers and a web application firewall. Grammarly maintains a thorough vendor-review process that includes multi-step security and privacy assessments.
External penetration testing: Grammarly continually works to identify and fix security vulnerabilities in our product and infrastructure. That’s why we undergo third-party network penetration tests and AWS security and corporate infrastructure security assessments and audits.
Bug bounty program: Grammarly’s ongoing HackerOne bug bounty program promotes transparency and provides a channel for external security researchers to identify potential security concerns. Our team responds rapidly—and resolves these issues before they can be exploited. If you believe you’ve discovered a security-related issue, please report it at HackerOne or contact us at security@grammarly.com.
Data access: Grammarly adheres to the principle of least privilege—employees’ data access rights are regularly reviewed to ensure only minimum required privileges are granted. All workstations run on centrally controlled endpoint-management software that enforces security configurations and protection solutions.
Internal protections: Grammarly supports multifactor authentication (MFA) and requires FIDO2 for all employees. Engineers do not have persistent access to production. Grammarly manages internal systems with SAML single sign-on (SSO) and mandatory MFA. Company-managed devices connect to the Grammarly corporate network via required biometric or physical key authentication methods that meet FIDO2 specifications.
Internal training and monitoring: Grammarly employees complete mandatory annual training on a wide range of privacy and security topics. In addition, our Security Champions program ensures that teams have an embedded security-focused adviser who drives team-specific security initiatives.
Incident management: In the case of a security incident, Grammarly’s documented incident management procedure establishes channels for identifying and communicating the incident to Grammarly’s Security team. The Security team defines the type of event and its severity and then responds to it according to approved service-level agreements (SLAs) based on industry best practices. Grammarly’s Legal team is consulted on incidents to assess the necessity and manner of reporting and remediation. Security events that impact privacy are subject to additional analysis and response by Grammarly’s Legal team.
Grammarly’s incident management procedure can be found on Grammarly’s security portal. You can obtain access to the portal through your Grammarly representative.
Team administration: Administration tools make it easy to add, remove, or transfer accounts and to manage team member roles, permissions, and access within your company.
SAML single sign-on: SSO allows for access management and enforcement of company-specific controls through integrations with identity providers.
Two-step authentication: For an extra layer of safety, multi-factor authentication is available for team members across your company to secure their individual access.
Custom security controls: Use your own security key, and choose how long employees can stay logged in before needing to reauthenticate.
- Grammarly has completed and maintains a SOC 2 (Type 2) attestation annually. This examination, conducted by Ernst & Young, validates that Grammarly meets the strict SOC 2 standards for security, availability, confidentiality, and customer data privacy. Please contact your Grammarly Sales team for more information, including the Access Management Policy documents.
- Grammarly has certified to the Department of Commerce that it complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) regarding the collection, use, and retention of personal data from the EU, UK, and Switzerland.
- Grammarly has obtained and annually maintains ISO 27001, 27017, 27018, 27701, and 42001 certifications, which speak to our strong commitment to information security, privacy, and responsible AI governance across our systems and practices. Additionally, we benchmark against the NIST Cybersecurity Framework, NIST Privacy Framework, and NIST AI Risk Management Framework.
- Grammarly complies with HIPAA Security, Privacy, and Breach Notification rules.
- Grammarly complies with the Data Security Standard of the Payment Card Industry (PCI), which validates that payments are handled with industry-standard security. Read Grammarly’s attestation of PCI compliance, which is renewed annually.
At Grammarly, we view security as our most critical product feature. We maintain technical and organizational safeguards that are designed to provide an appropriate level of security. To learn more about our privacy and security practices, please review our Trust Center at: https://www.grammarly.com/trust.
Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee absolute security.
Grammarly collects information such as username, email address, and contact and language preferences. Our Privacy Policy provides a description of how we collect, use, and disclose information about you and describes the privacy choices available to you.
You can request a personal data report from Grammarly at any time to see what personal information Grammarly processes about you by navigating to your privacy settings and clicking Submit Request under Personal Data Report.
For information on Grammarly’s product improvement and training controls, please visit this updated page: Product Improvement and Training control. Further, individual users can control where Grammarly operates—for instance, in a browser or on the desktop—which affects how much of your data it processes.
For more information regarding how Grammarly processes your personal data, please see our Privacy Policy.
At Grammarly, we use a combination of technical and organizational safeguards designed to protect your data. These safeguards include encryption, secure network configuration, data transfer restrictions, and restricted employee access, among other measures. For example, data in transit is encrypted using TLS, and data at rest is encrypted using AES-256, while passwords are hashed using bcrypt.
All data is stored on servers hosted by Amazon Web Services in the United States, one of the world’s leading data center providers. We also engage trusted service providers like Amazon Web Services to help us operate, provide, improve, integrate, customize, and support our services. These trusted service providers are bound by agreements that require them to follow data privacy and security requirements and only use your data in the way we tell them to.
Grammarly implements technical controls to isolate each customer’s data. Customer data is stored in a multi-tenant environment but is segregated logically via tenant IDs. Any writing that an individual or organization reviews with Grammarly will never appear in another customer’s writing suggestions.
To learn more about our privacy and security practices, please review our Trust Center: https://www.grammarly.com/trust.
We will store documents created in the Grammarly Editor until they are deleted by the user within the account or upon request after contract termination or expiration.
For all other user text processed by Grammarly (i.e., anything not saved in the Grammarly Editor), a customer’s personal data is processed as necessary to deliver and administer services to that same customer in accordance with our Privacy Policy.
To provide a seamless and highly functional experience and to improve our products, we may leverage random samples of aggregated and de-identified user content to refine and enhance our service for all customers, unless the user has opted out of having their content used for product improvement and training.
In accordance with our Privacy Policy, you can delete your personal data from Grammarly by deleting your account. This will include any user documents that you stored in the Grammarly Editor. The instructions on how to do that are available on the Delete your Grammarly account page.
Additionally, you can request a personal data report from Grammarly at any time to see what personal data Grammarly processes about you by navigating to your privacy settings and clicking Submit Request under Personal Data Report.
We take your privacy very seriously. As further described in our Privacy Policy, we disclose information to certain limited recipients and in the scenarios described in the policy. This includes, for example, sharing information with companies within the Grammarly corporate family for business operations and product integration, as well as third parties that may process personal data if you choose to enable third-party apps through our online marketplace.
Any information used to power Grammarly’s generative AI features, such as prompt type, prompt text, and the context in which it’s used, will be shared with our small number of thoroughly vetted service providers for the purpose of providing you with the Grammarly experience. We do not allow these large language model (LLM) service providers to train their models on user content. See our Privacy Policy to learn more.
Grammarly takes your privacy seriously and restricts access to user data across our network, infrastructure, and services. Only those authorized to access data critical to their work may do so.
Access is granted via specific, audited permissions, and access to data requires review and approval by the responsible managers. For example, if you encounter a problem with your account that can be fixed only by reviewing your text, a select group working directly on that task may access your document with your permission.
We do not sell your content. We make money when users purchase our paid products, and not by selling or monetizing user content.
No. A keylogger is a type of malicious software or surveillance tool that records every keystroke typed on a keyboard without the user’s knowledge. The captured data—such as passwords or personal information—is often sent to a third party for purposes like identity theft, financial fraud, or unauthorized access. Grammarly’s product doesn’t fit any of these descriptions.
Grammarly does not record every keystroke on your device. Grammarly is also blocked from running in read-only and sensitive fields, such as payment forms, passwords, and addresses, on a best-efforts basis. We make it clear when Grammarly is active, and you can easily turn it off at any time, then turn it back on within a document or site. See the Tips & Tutorials section for detailed instructions. You can also learn more about our user-first approach to security and privacy at: https://www.grammarly.com/trust.