// Trust & Security Report

    Originality.AI logo

    Originality.AI

    Content integrity suite for writers, publishers, agencies and educators: AI Checker (AI-generated text detector), Plagiarism Checker, Grammar Checker, Readability Checker, Fact Checker, Content Quality/Guideline Checker, a Chrome Extension for content-creation replay, an Enterprise plan for agencies/publishers, and a developer API.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "we will implement appropriate safeguards, including European Commission Standard Contractual Clauses under GDPR Article 46(2) or reliance on an adequacy decision under GDPR Article 45, where applicable" and "we process such data in a manner consistent with those laws and our agreements with School Customers."

    Verify on originality.ai
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence of SOC 2 certification on the vendor domain; the Privacy Policy, Terms and Conditions, and content-usage blog post describe only 'reasonable and appropriate security measures' and encryption, with no third-party audit or attestation named. No dedicated /security or /trust page exists (originality.ai/security returns 404).

    source: originality.ai
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found anywhere on originality.ai.

    source: originality.ai
    ISO 27017 / 27018
    NOT CONFIRMED

    No public evidence of ISO 27017/27018 certification found on the vendor domain.

    source: originality.ai
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI-governance certification on the vendor domain.

    source: originality.ai
    CSA STAR / CSA STAR AI
    NOT CONFIRMED

    No public evidence of CSA STAR registration or CSA STAR AI attestation on the vendor domain.

    source: originality.ai
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA compliance or Business Associate Agreements anywhere on the vendor site. The Privacy Policy discusses FERPA/COPPA for Student Data in school contexts but does not reference HIPAA or healthcare use.

    source: originality.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on the vendor domain (payment processing is not described in detail; likely handled by a third-party processor, but no attestation is published).

    source: originality.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on the vendor domain.

    source: originality.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    "Your Personal Information may be stored and processed in Canada, the United States, and other jurisdictions where our service providers or we operate."

    Originality.ai states it does not use personal data to train AI/LLMs, and by default treats scan/input text training use as opt-in with a clear opt-out available: "we do not use your personal data or any Student Data to train AI or large language models" and "ALL users have the option to opt out of the use of their scan/input text to help train and improve our models." A separate blog post states "When you upload content to the Originality.ai site, you opt-in to allow us to keep and use an anonymized version...for testing and training," which reads as a default opt-in for general (non-Student) users unless they opt out, so the practical default may differ from the privacy policy's framing. For school customers, training use is opt-out and honored: "does not use Student Data to train artificial intelligence models" so long as the school has opted out. This opt-in/opt-out phrasing is not fully consistent across the two vendor pages and should be confirmed directly with the vendor for enterprise contracts.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher, described by the vendor as "end-to-end military grade 256 bit encryption" with HTTPS over TLS for browser-to-site traffic.

    originality.ai

    Encryption in transit (privacy policy)

    "we use encryption in transit, including HTTPS/TLS, access controls, and other reasonable and appropriate security measures."

    originality.ai

    Encryption at rest

    Not documented on the vendor domain; no specific claim about at-rest encryption found.

    originality.ai

    Third-party audits / independent attestations

    None published on the vendor domain (no trust center, no SOC 2/ISO report, no penetration-test summary).

    originality.ai

    Data sale / sharing

    "We never sell customer information to third parties" and "Originality.ai also never discloses personal information to third parties except in situations in which a reasonable person would expect it."

    originality.ai

    Enterprise data processing agreements

    Terms reference optional negotiated documents for larger customers: "data processing, student-data, or security addendum" and note that "Enterprise Services are provided under enterprise plans, team plans, school plans, order forms, master services agreements, and data processing agreements," implying a DPA is available on request rather than published/self-serve.

    originality.ai

    User content deletion controls

    "You Can Delete All Scan History With One Click" and users can delete individual scans at any time.

    originality.ai

    // Products & data scope

    AI Checker / Plagiarism Checker / Grammar / Readability / Fact Checker (Pro plan)Consumer / prosumer content-integrity tool

    data: Pasted text, uploaded documents (PDF, Word), or scanned URLs; 30-day scan history retained on Pro plan.

    Self-serve signup, no enterprise contract; billed per-seat with monthly credits.

    Enterprise plan (agencies & publishers)Team / enterprise content-integrity suite

    data: Same scan types at higher volume (15,000 credits/mo), 365-day scan history, team management, dedicated Customer Success Manager.

    Marketing page lists customers including Neil Patel, The New York Times, Reuters, Business Insider, Harvard, Duke, Purdue, Walmart, and AT&T, but the Enterprise page itself publishes no security/compliance details; negotiated DPA/security addendum available per Terms.

    Chrome ExtensionBrowser extension

    data: Captures a replay of how a document was created, for content-provenance verification.

    Adds a client-side data-capture surface (keystroke/edit history) beyond simple text scanning; no separate security disclosure found for the extension specifically.

    API (developer/platform integration)API product

    data: Programmatic AI/plagiarism/fact-check scanning for integration into third-party platforms and workflows.

    No API-specific security documentation (e.g. auth model, rate limiting, data handling) found on the public vendor domain.

    School / Student plansEducation

    data: Student Data processed under FERPA/COPPA-consistent terms; opt-out of AI training available and honored.

    Distinct privacy commitments for Student Data: not sold, not used for targeted advertising, and not used for AI training once the school opts out.

    // What to watch

    • No trust center or dedicated security page exists on the vendor domain (originality.ai/security returns 404); all security claims are inferred from the Privacy Policy, Terms, and a marketing blog post rather than a formal security disclosure.
    • No third-party security certifications (SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, CSA STAR, ISO 42001) found anywhere on the vendor domain -- consistent with a growth-stage self-serve SaaS tool, not evidence of a hidden certification.
    • AI-training data policy is stated inconsistently across two vendor pages: the Privacy Policy frames scan/input-text training use as available with an opt-out ('ALL users have the option to opt out'), while a separate blog post frames it as opt-in ('you opt-in to allow us to keep and use an anonymized version'). The practical default for non-Student, non-Enterprise users should be confirmed directly with the vendor before any high-sensitivity use case.
    • DPA and security addenda are described only as available to Enterprise/School customers via negotiated agreement, not published or self-serve, so DPA=true reflects contractual availability rather than a standard downloadable document.

    // At a glance

    Pricing model

    Self-serve subscription (Pro ~$12.95-14.95/mo) and Enterprise (~$136.58-179/mo) tiers based on monthly credits, plus a free limited scan; API and larger enterprise deals appear to be custom-quoted.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Originality.AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    originality.ai

    > Browse all vendor trust reports