Effective: May 17, 2019

Grammarly Security Practices

Applications and infrastructure

All of Grammarly’s servers are hosted by Amazon Web Services (AWS) in the United States. All components that process user data operate within Grammarly’s private network. Only a small number of Grammarly’s servers, protected behind load balancers and a firewall, are accessible from the Internet.

Data encryption

Connections between the client apps and the backend infrastructure are protected by up-to-date encryption protocols (including SSL/TLS 1.2) while maintaining compatibility with the cipher suites the client supports. All databases, data storage, and backups are encrypted at rest using AES-256.

Organizational and information security

All Grammarly employees complete annual privacy and security training that covers topics such as data privacy, physical security, data and information security, and incident reporting. In addition, all employees must read and sign Grammarly’s Internal Data Security and Privacy Policy.
Grammarly also operates a bug bounty program to identify and fix issues efficiently. To conduct your own penetration tests, please contact your Grammarly account representative for an arrangement.

Security for team administration

In addition to the security we’ve built at an infrastructure level, we also provide administration features to our paid Grammarly Business teams. These features allow administrators to manage their teams and include capabilities to create, transfer, or revoke access as needed.

Product security

Grammarly uses secure, industry-leading services to manage roles and access policies, certificates, encryption keys and secrets, firewalls, network access lists, and log collection and monitoring.
Our security and platform team performs regular check-ins with every development team, and all code is thoroughly reviewed and checked through a version control system. We automatically scan our applications and libraries for known vulnerabilities and apply fixes promptly.

Employee practices

To access any of Grammarly’s internal systems, employees must authenticate via a single-sign-on system with mandatory 2-factor authentication. We regularly review employees’ access to the systems that hold or process customer data and revoke access for employees who no longer require it to do their work.

Customer data policy

Grammarly does not sell or rent users’ personal data to advertisers or to other third parties to enable them to deliver advertisements. For more information, please review our Privacy Policy.

Grammarly has a set of policies and technical controls that prevent employees from accessing customer data that is stored or processed by Grammarly systems. Where appropriate, Grammarly uses private keys and restricts network access to particular employees.

While Grammarly may track anonymized, aggregate statistics by website domain, Grammarly doesn’t collect browsing history from specific users while they browse the web. Information such as web server access logs or IP addresses is collected only for a limited time and only to provide specific services to the user, such as fraud prevention.


Grammarly complies with the EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. For more details, see Grammarly’s Privacy Policy.

Third-party vendors

Before using a third-party vendor, Grammarly carefully evaluates the vendor's security practices. Grammarly removes personal information from third-party systems if it is no longer needed or if a user requests account deletion.
Learn more about our security practices in our whitepaper.
