Thank you! Your feedback helps us improve.

Bring Your Own Key FAQ

What is Bring Your Own Key?

Grammarly’s BYOK solution allows customers to use Customer Managed Keys (CMK) in AWS Key Management Service (KMS) to encrypt and retain control over data stored at rest within Grammarly’s services. Amazon CloudWatch/AWS CloudTrail Logs allow for increased visibility and transparency via detailed logs that show how your data is being accessed within Grammarly’s environment.

How does Grammarly’s BYOK work?

As a Grammarly BYOK customer, you will set up and configure a customer-managed key (CMK) in your AWS Key Management Service (KMS) within your AWS account. You then write and attach a policy that grants permissions for Grammarly’s AWS account, where our Enterprise Key Management Service (EKMS) runs, to access a limited set of permissions on your key. Once these AWS resources have been created, you will provide the Amazon Resource Names (ARNs) to your Grammarly account team, who will enable BYOK on your Grammarly Business account. This enables Grammarly services to encrypt and decrypt data using your key.

What are the benefits of using Bring Your Own Key?

  • Encrypt your application-level data at rest: Have additional reassurance – on top of Grammarly’s already strong security measures – that you exercise full control over who is accessing your data, and when, all run through AWS’s Key Management Service.
  • Decrypt and Encrypt: Manage access on a granular level to minimize disruption and ensure authorized access to your data
  • Audit Logs: View an audit log in CloudTrail documenting every time Grammarly needs to re-access your key encrypted data, giving you full transparency into data access.

How does BYOK supplement Grammarly’s existing security offerings?

Grammarly utilizes Amazon Web Services (AWS) for all data processing. Data in transit is protected by up-to-date encryption protocols (including SSL/TLS 1.2). Data at rest is encrypted using the industry-standard AES-256 algorithm.

Each Grammarly customer’s data is segregated logically from other users’ data. Any writing that an individual or organization reviews with Grammarly will never appear in another customer’s writing suggestions.

Grammarly does not allow Microsoft Azure OpenAI, our LLM provider, to retain any data we send or to use it to train its models. This is contractually prohibited.

Grammarly does not store any user generated writing data for Enterprise customers. This means that all user generated text while using the Grammarly desktop clients or browser extension is not stored persistently in Grammarly. This content is sent to Grammarly, evaluated to return writing suggestions, and then deleted. No data is retained persistently, therefore BYOK is not applicable to this data set.

How do I set up BYOK?

Please reach out to your Grammarly account representative, who can provide our BYOK implementation guide with more specifics about the requirements needed. To complete the BYOK configuration process, you will then need to provide your account team with certain AWS credentials.

For which types of Grammarly accounts is Bring Your Own Key currently available?

BYOK is only available for Enterprise-tier Grammarly Business accounts. Learn more about the different plans we offer here: Grammarly Plans.

What data types are encryptable using BYOK?

  • Your dictionary: With Grammarly’s personal dictionary feature, users can ensure that unique words in their lexicon are not flagged as misspelled. Words are added to the personal dictionary via the account hub or a Grammarly client by any Grammarly user.
  • Org dictionary: Create a custom dictionary of important or unique words for your organization. These words will no longer be flagged as misspellings. Words can be added to the org dictionary by any Grammarly admin, account manager or group manager via the account hub.
  • Style rules: The style rules feature allows you to create custom rules around the proper use, spelling, and formatting of specific words, terms, and phrases to ensure team-wide consistency. Style rules can be added to any Rule set via the account hub by admins, account managers, or users.
  • Knowledge share: Knowledge Share helps your team members decode terms like acronyms or internal project names by providing tooltip-like explanations—a definition of a term, key contacts, and links to relevant documents. Knowledge share terms can be added by any Grammarly admin, account manager, or group manager via the account hub.
  • Snippets: Create custom libraries of common, pre-approved messages for easy use across your teams’ applications and websites that can be easily accessed using Grammarly clients. Org-level snippets can be added to the snippets collection by any Grammarly admin, account manager, or group manager via the account hub. User-level snippets can be added by any user via the account hub. Excludes Snippets folder names.
  • Grammarly Editor Documents: Documents created by users using the Grammarly Editor or scratchpad. Users can upload existing documents or write new documents from scratch via the editor or scratch pad.
  • Grammarly Editor Document metadata: Document metadata such as title and first 100 characters based on document creation. Metadata is derived from each Grammarly Editor or scratchpad document.

I have BYOK set up and want to leave Grammarly, how can I revoke access to my key?

To revoke your Customer Master Key (CMK) at any time:

  1. Access the AWS KMS console []
  2. Find your customer master key.
  3. Edit its policy to change the statement that allows Grammarly key access to deny access.
    "Version": "2012-10-17",
    "Statement": [
    "Effect": "Deny",
    "Principal": {
    "AWS": "arn:aws:iam::{your-aws-account-id}:root"
    "Action": "kms:*",
    "Resource": "*"

Immediately after this change is made, Grammarly will be denied use of your CMK. Shortly after that, Grammarly’s key cache will expire and no data will be decryptable.

Was this article helpful?
Tell us what you think. We promise to act on your feedback to make Grammarly's support pages even more helpful.
Have more questions? Submit a request
privacy enterprise account security acess byok bring key bring your own key