Effective: May 17, 2019
Applications and infrastructure
All of Grammarly’s servers are hosted by Amazon Web Services (AWS) in the United States. All components that process user data operate within Grammarly’s private network. Only a small number of Grammarly’s servers, protected behind load balancers and a firewall, are accessible from the Internet.
Connections between the client apps and the backend infrastructure are protected by up-to-date encryption protocols (including SSL/TLS 1.2) while maintaining compatibility with the cipher suites the client supports. All databases, data storage, and backups are encrypted at rest using AES-256.
Organizational and information security
Grammarly also operates a bug bounty program to identify and fix issues efficiently. To conduct your own penetration tests, please contact your Grammarly account representative for an arrangement.
Security for team administration
In addition to the security we’ve built at an infrastructure level, we also provide administration features to our paid Grammarly Business teams. These features allow administrators to manage their teams and include capabilities to create, transfer, or revoke access as needed.
Grammarly uses secure, industry-leading services to manage roles and access policies, certificates, encryption keys and secrets, firewalls, network access lists, and log collection and monitoring.
Our security and platform team performs regular check-ins with every development team, and all code is thoroughly reviewed and checked through a version control system. We automatically scan our applications and libraries for known vulnerabilities and apply fixes promptly.
To access any of Grammarly’s internal systems, employees must authenticate via a single-sign-on system with mandatory 2-factor authentication. We regularly review employees’ access to the systems that hold or process customer data and revoke access for employees who no longer require it to do their work.
Customer data policy
Grammarly has a set of policies and technical controls that prevent employees from accessing customer data that is stored or processed by Grammarly systems. Where appropriate, Grammarly uses private keys and restricts network access to particular employees.
While Grammarly may track anonymized, aggregate statistics by website domain, Grammarly doesn’t collect browsing history from specific users while they browse the web. Information such as web server access logs or IP addresses is collected only for a limited time and only to provide specific services to the user, such as fraud prevention.
Before using a third-party vendor, Grammarly carefully evaluates the vendor's security practices. Grammarly removes personal information from third-party systems if it is no longer needed or if a user requests account deletion.