For institutional buyers: this page is the short version of what we’d send in a security review. The long version, including the DPA template and subprocessor list, is downloadable below.
AES-256 at rest. TLS 1.3 in transit. Database row-level encryption for document text.
Documents deleted 30 days after last edit (user-configurable). Backups purged within 35 days.
User documents are never used to train any model. Our adapter is trained on public and author-permissioned data only.
Row-level security in the database. No human at Rewritelyapp can read your documents without an explicit support consent flow.
Google Cloud Run (europe-west1) for the app layer. Supabase (EU) for data. Vertex AI (europe-west4) for the model.
Cloud-native logging with PII scrubbing. Anomaly alerts on unusual access patterns. Public status page.
| Standard | Status | Notes |
|---|---|---|
| GDPR | Compliant | EU-hosted, DPA on request, data-subject rights via app or email. |
| UK GDPR / DPA 2018 | Compliant | UK registered, ICO registered. |
| CCPA / CPRA | Compliant | Right to know, delete, opt-out honoured. |
| SOC 2 Type I | In progress | Targeting Q4 2026 audit. |
| ISO 27001 | Planned 2027 | Subject to demand from institutional buyers. |
| FERPA-aware | Yes | We treat all student documents under FERPA-aware handling even when not technically subject to it. |
If you’re evaluating Rewritelyapp for a writing center, a research lab, or a department-level rollout, we have the following ready: