// Trust & Security Report
Originality.AI
Content integrity suite for writers, publishers, agencies and educators: AI Checker (AI-generated text detector), Plagiarism Checker, Grammar Checker, Readability Checker, Fact Checker, Content Quality/Guideline Checker, a Chrome Extension for content-creation replay, an Enterprise plan for agencies/publishers, and a developer API.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on originality.ai“"we will implement appropriate safeguards, including European Commission Standard Contractual Clauses under GDPR Article 46(2) or reliance on an adequacy decision under GDPR Article 45, where applicable" and "we process such data in a manner consistent with those laws and our agreements with School Customers."”
> Show 8 unconfirmed / not-held certifications
source: originality.aiNo public evidence of SOC 2 certification on the vendor domain; the Privacy Policy, Terms and Conditions, and content-usage blog post describe only 'reasonable and appropriate security measures' and encryption, with no third-party audit or attestation named. No dedicated /security or /trust page exists (originality.ai/security returns 404).
source: originality.aiNo public evidence of ISO 27001 certification found anywhere on originality.ai.
source: originality.aiNo public evidence of ISO 27017/27018 certification found on the vendor domain.
source: originality.aiNo public evidence of ISO/IEC 42001 or any AI-governance certification on the vendor domain.
source: originality.aiNo public evidence of CSA STAR registration or CSA STAR AI attestation on the vendor domain.
source: originality.aiNo mention of HIPAA compliance or Business Associate Agreements anywhere on the vendor site. The Privacy Policy discusses FERPA/COPPA for Student Data in school contexts but does not reference HIPAA or healthcare use.
source: originality.aiNo public evidence of PCI DSS certification on the vendor domain (payment processing is not described in detail; likely handled by a third-party processor, but no attestation is published).
source: originality.aiNo public evidence of FedRAMP authorization on the vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
"Your Personal Information may be stored and processed in Canada, the United States, and other jurisdictions where our service providers or we operate."
Originality.ai states it does not use personal data to train AI/LLMs, and by default treats scan/input text training use as opt-in with a clear opt-out available: "we do not use your personal data or any Student Data to train AI or large language models" and "ALL users have the option to opt out of the use of their scan/input text to help train and improve our models." A separate blog post states "When you upload content to the Originality.ai site, you opt-in to allow us to keep and use an anonymized version...for testing and training," which reads as a default opt-in for general (non-Student) users unless they opt out, so the practical default may differ from the privacy policy's framing. For school customers, training use is opt-out and honored: "does not use Student Data to train artificial intelligence models" so long as the school has opted out. This opt-in/opt-out phrasing is not fully consistent across the two vendor pages and should be confirmed directly with the vendor for enterprise contracts.
// Security controls
Encryption in transit
TLS 1.2 or higher, described by the vendor as "end-to-end military grade 256 bit encryption" with HTTPS over TLS for browser-to-site traffic.
originality.aiEncryption in transit (privacy policy)
"we use encryption in transit, including HTTPS/TLS, access controls, and other reasonable and appropriate security measures."
originality.aiEncryption at rest
Not documented on the vendor domain; no specific claim about at-rest encryption found.
originality.aiThird-party audits / independent attestations
None published on the vendor domain (no trust center, no SOC 2/ISO report, no penetration-test summary).
originality.aiData sale / sharing
"We never sell customer information to third parties" and "Originality.ai also never discloses personal information to third parties except in situations in which a reasonable person would expect it."
originality.aiEnterprise data processing agreements
Terms reference optional negotiated documents for larger customers: "data processing, student-data, or security addendum" and note that "Enterprise Services are provided under enterprise plans, team plans, school plans, order forms, master services agreements, and data processing agreements," implying a DPA is available on request rather than published/self-serve.
originality.aiUser content deletion controls
"You Can Delete All Scan History With One Click" and users can delete individual scans at any time.
originality.ai// Products & data scope
data: Pasted text, uploaded documents (PDF, Word), or scanned URLs; 30-day scan history retained on Pro plan.
Self-serve signup, no enterprise contract; billed per-seat with monthly credits.
data: Same scan types at higher volume (15,000 credits/mo), 365-day scan history, team management, dedicated Customer Success Manager.
Marketing page lists customers including Neil Patel, The New York Times, Reuters, Business Insider, Harvard, Duke, Purdue, Walmart, and AT&T, but the Enterprise page itself publishes no security/compliance details; negotiated DPA/security addendum available per Terms.
data: Captures a replay of how a document was created, for content-provenance verification.
Adds a client-side data-capture surface (keystroke/edit history) beyond simple text scanning; no separate security disclosure found for the extension specifically.
data: Programmatic AI/plagiarism/fact-check scanning for integration into third-party platforms and workflows.
No API-specific security documentation (e.g. auth model, rate limiting, data handling) found on the public vendor domain.
data: Student Data processed under FERPA/COPPA-consistent terms; opt-out of AI training available and honored.
Distinct privacy commitments for Student Data: not sold, not used for targeted advertising, and not used for AI training once the school opts out.
// What to watch
- No trust center or dedicated security page exists on the vendor domain (originality.ai/security returns 404); all security claims are inferred from the Privacy Policy, Terms, and a marketing blog post rather than a formal security disclosure.
- No third-party security certifications (SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, CSA STAR, ISO 42001) found anywhere on the vendor domain -- consistent with a growth-stage self-serve SaaS tool, not evidence of a hidden certification.
- AI-training data policy is stated inconsistently across two vendor pages: the Privacy Policy frames scan/input-text training use as available with an opt-out ('ALL users have the option to opt out'), while a separate blog post frames it as opt-in ('you opt-in to allow us to keep and use an anonymized version'). The practical default for non-Student, non-Enterprise users should be confirmed directly with the vendor before any high-sensitivity use case.
- DPA and security addenda are described only as available to Enterprise/School customers via negotiated agreement, not published or self-serve, so DPA=true reflects contractual availability rather than a standard downloadable document.
// At a glance
Pricing model
Self-serve subscription (Pro ~$12.95-14.95/mo) and Enterprise (~$136.58-179/mo) tiers based on monthly credits, plus a free limited scan; API and larger enterprise deals appear to be custom-quoted.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Originality.AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
originality.ai