Thank you! Your feedback helps us improve.

Bring Your Own Key FAQ

What is Grammarly’s enterprise key management solution?

Grammarly offers an enterprise key management solution that consists of two options:

  1. Grammarly-managed key
  2. Bring Your Own Key (BYOK)

What is a Grammarly-managed key?

Grammarly-managed keys (GMK) offer application-level encryption and encryption at rest for Grammarly Enterprise accounts utilizing a customer managed key (CMK) in Grammarly’s AWS Key Management Service (KMS). Organizations do not need to set up or maintain the GMK, as this feature is automatically activated for all Grammarly Enterprise customers. You can view the GMK feature on the Grammarly data settings page.

What is Bring Your Own Key?

For Grammarly Enterprise customers who want more control and oversight, Grammarly’s BYOK solution allows customers to use their own customer managed key (CMK) in AWS Key Management Service (KMS) to encrypt and retain control over data stored at rest within Grammarly’s services. Amazon CloudWatch/AWS CloudTrail Logs allow for increased visibility and transparency via detailed logs that show how your data is being accessed within Grammarly’s environment. 

How does Grammarly’s BYOK work?

As a Grammarly BYOK customer, you will set up and configure a customer-managed key (CMK) in your AWS Key Management Service (KMS) within your AWS account. You then write and attach a policy that grants permissions for Grammarly’s AWS account, where our Enterprise Key Management Service (EKMS) runs, to access a limited set of permissions on your key. Once these AWS resources have been created, you will provide the Amazon Resource Names (ARNs) to your Grammarly account team, who will enable BYOK on your Grammarly Business account. This enables Grammarly services to encrypt and decrypt data using your key.

What are the benefits of using Bring Your Own Key?

  • Encrypt your application-level data at rest: Have additional reassurance – on top of Grammarly’s already strong security measures – that you exercise full control over who is accessing your data, and when, all run through AWS’s Key Management Service.
  • Decrypt and Encrypt: Manage access on a granular level to minimize disruption and ensure authorized access to your data
  • Audit Logs: View an audit log in CloudTrail documenting every time Grammarly needs to re-access your key encrypted data, giving you full transparency into data access.

How does BYOK supplement Grammarly’s existing security offerings?

Grammarly utilizes Amazon Web Services (AWS) for all data processing. Data in transit is protected by up-to-date encryption protocols (TLS 1.2). Data at rest is encrypted using the industry-standard AES-256 algorithm.

Each Grammarly customer’s data is segregated logically from other users’ data. Any writing that an individual or organization reviews with Grammarly will never appear in another customer’s writing suggestions.

Grammarly does not allow Microsoft Azure OpenAI, our LLM provider, to retain any data we send or to use it to train its models. This is contractually prohibited.

Additionally, Grammarly's Product Improvement and Training control is automatically off for all Enterprise-tier Grammarly Business accounts, meaning Grammarly does not use content from those organizations to train its models or improve its product for other users.

How do I set up BYOK?

To configure BYOK, visit the Grammarly data settings page to complete the BYOK setup wizard and view the BYOK implementation guide.

For which types of Grammarly accounts is Bring Your Own Key currently available?

BYOK is only available for Enterprise-tier Grammarly Business accounts. Learn more about the different plans we offer here: Grammarly Plans.

What data types are encryptable using BYOK?

  • Your dictionary: With Grammarly’s personal dictionary feature, users can ensure that unique words in their lexicon are not flagged as misspelled. Words are added to the personal dictionary via the account hub or a Grammarly client by any Grammarly user.
  • Org dictionary: Create a custom dictionary of important or unique words for your organization. These words will no longer be flagged as misspellings. Words can be added to the org dictionary by any Grammarly admin, account manager or group manager via the account hub.
  • Style rules: The style rules feature allows you to create custom rules around the proper use, spelling, and formatting of specific words, terms, and phrases to ensure team-wide consistency. Style rules can be added to any Rule set via the account hub by admins, account managers, or users.
  • Knowledge share: Knowledge Share helps your team members decode terms like acronyms or internal project names by providing tooltip-like explanations—a definition of a term, key contacts, and links to relevant documents. Knowledge share terms can be added by any Grammarly admin, account manager, or group manager via the account hub.
  • Snippets: Create custom libraries of common, pre-approved messages for easy use across your teams’ applications and websites that can be easily accessed using Grammarly clients. Org-level snippets can be added to the snippets collection by any Grammarly admin, account manager, or group manager via the account hub. User-level snippets can be added by any user via the account hub. Excludes Snippets folder names.
  • Grammarly Editor Documents: Documents created by users using the Grammarly Editor or scratchpad. Users can upload existing documents or write new documents from scratch via the editor or scratch pad.
  • Grammarly Editor Document metadata: Document metadata such as title and first 100 characters based on document creation. Metadata is derived from each Grammarly Editor or scratchpad document.

I have BYOK set up and want to leave Grammarly, how can I revoke access to my key?

To revoke your Customer Master Key (CMK) at any time:

  1. Access the AWS KMS console [https://console.aws.amazon.com/kms/home]
  2. Find your customer master key.
  3. Edit its policy to change the statement that allows Grammarly key access to deny access.
    {
    "Version": "2012-10-17",
    "Statement": [
    {
    "Effect": "Deny",
    "Principal": {
    "AWS": "arn:aws:iam::{your-aws-account-id}:root"
    },
    "Action": "kms:*",
    "Resource": "*"
    }
    ]
    }

Immediately after this change is made, Grammarly will be denied use of your CMK. Shortly after that, Grammarly’s key cache will expire and no data will be decryptable.

 

Edited to add: This support article has been updated to clarify Grammarly’s approach to processing user content and explain the Product Improvement & Training control.

Was this article helpful?
Tell us what you think. We promise to act on your feedback to make Grammarly's support pages even more helpful.
Have more questions? Submit a request
privacy enterprise account security acess byok bring key bring your own key trust