// Trust & Security Report
Rows GmbH
Rows is an AI-powered spreadsheet / data-analyst tool (core product), with a browser extension (RowsX) for extracting web data into spreadsheets and a public API. Rows was acquired by Superhuman (formerly Grammarly) in February 2026 and, per the vendor's own announcement, the standalone product was scheduled to be sunset by May 31, 2026, with its capabilities folded into Superhuman's Coda product. As of this assessment, rows.com is still live and displays a banner confirming the acquisition.
Certifications held
2
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on rows.com“SOC 2 Type II Certified: This certification confirms that Rows meets strict criteria for security, availability, and confidentiality”
Verify on rows.com“We ensure that personal data is processed in accordance with the General Data Protection Regulation (GDPR)... If you need a Data Processing Agreement with us, please find the already signed version here”
> Show 6 unconfirmed / not-held certifications
source: rows.comNo public evidence found. Rows' own security and privacy pages (rows.com/docs/how-do-you-manage-security, rows.com/privacy) do not mention ISO 27001. A third-party (non-vendor-domain) summary claimed 'ISO 27001 Compliant' but this could not be corroborated on any rows.com page and is treated as an unverified overclaim, not vendor evidence.
source: rows.comNo public evidence found. HIPAA is not mentioned anywhere on rows.com's security or privacy pages; Rows is a general business spreadsheet/data tool with no stated healthcare/BAA offering.
source: rows.comPCI DSS is referenced only in connection with Rows' payment processor (Stripe), not Rows' own systems: payment providers 'comply with Payment Card Industry (PCI) Data Security Standards' and are 'certified by an independent PCI Qualified Security Assessor.' This is the payment processor's certification, not Rows'.
source: rows.comNo public evidence found on any rows.com page. A third-party aggregator claimed FedRAMP compliance with no vendor-domain support; treated as an unverified overclaim and excluded.
source: rows.comNo public evidence found. Rows describes AI-training posture in its privacy policy but makes no claim of a formal AI-governance certification.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
EU/EEA. Privacy policy states servers are 'geographically located in the European Union (EU) or the European Economic Area (EEA)'; the security page states 'All data is stored in European data centers, encrypted at rest and in transit.' Hosting infrastructure includes Google Cloud Platform and AWS.
Vendor states data shared with the Rows AI Analyst is 'not used for training purposes.' The privacy policy specifies the AI feature uses OpenAI and Groq as sub-processors; OpenAI may retain data 'for up to 30 days' for abuse monitoring while 'Groq does not retain your data after processing.' Rows also states elsewhere: 'Rows does not access your spreadsheets, and you can delete your data anytime.' Note: as of the acquisition, Rows' privacy policy states Superhuman's Privacy Policy and Terms apply as of June 16, 2026 (already in effect as of this assessment date), so the AI-training posture described here may be superseded by Superhuman's policy going forward.
// Security controls
Encryption in transit
HTTPS/TLS protocols when sending data from spreadsheet to Rows servers
rows.comData residency
European data centers (EU/EEA); infrastructure on Google Cloud Platform and AWS
rows.comVulnerability disclosure
Security researchers can report issues to security@rows.com with proof-of-concept and CVSS scoring; submissions can be encrypted with Rows' published PGP key
rows.comAI data handling
User data shared with the AI Analyst feature is not used to train AI models; sub-processors are OpenAI (up to 30-day retention) and Groq (no retention after processing)
rows.com// Products & data scope
data: Business data imported from 50+ integrations (social media, ad platforms, data warehouses, back-office tools) and from uploaded documents/PDFs; processed in a hosted spreadsheet.
Marketed as 'Your new AI Data Analyst'; extracts data from PDFs, imports business data, and answers questions in plain language.
data: Spreadsheet data sent to OpenAI/Groq for query answering; vendor states this data is not used for model training.
Sub-feature of the core product, described on rows.com/ai.
data: Extracts tables from third-party websites into a Rows spreadsheet.
One-click import of web page tables; separate from the core AI Analyst.
data: Programmatic read/write access to a user's Rows spreadsheets and data.
Referenced in site footer as 'API Docs'; not independently evaluated for security controls in this assessment.
// What to watch
- Rows was acquired by Superhuman (formerly Grammarly), announced February 22, 2026. The vendor's own blog post states the standalone Rows product would be 'gradually sunset... over the next three months' with full shutdown by May 31, 2026 -- a date that has already passed as of this assessment (2026-07-09), yet rows.com remains live with a banner ('Rows joined Superhuman') rather than a hard redirect. Listing status should be re-checked frequently; the product's continued independent availability is uncertain.
- Rows' own privacy policy notes that 'the Superhuman Privacy Policy and Terms will apply as of June 16 [2026]' -- a date already in effect as of this assessment. This means the AI-training and data-handling posture graded here (sourced from Rows' legacy privacy policy) may already be superseded by Superhuman's policy; this is a legacy-ToS vs current-owner-policy contradiction that could not be fully resolved without fetching Superhuman's current privacy policy.
- A non-vendor-domain, likely AI-generated search summary claimed Rows is 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant.' None of these beyond SOC 2 Type II and a GDPR posture could be corroborated on rows.com; this looks like an aggregator overclaim and was excluded from graded certifications. AIFOXX should not repeat this list.
- PCI DSS language on rows.com/privacy refers to the payment processor's (Stripe's) certification, not Rows' own infrastructure -- do not attribute this cert to Rows directly.
- No dedicated trust center (e.g. a Vanta/Drata/SafeBase-hosted trust portal) was found; the only vendor-domain security disclosure is a single docs article (rows.com/docs/how-do-you-manage-security).
// At a glance
Pricing model
Freemium / subscription tiers (Free, paid team/business tiers referenced on rows.com/pricing); tier-by-tier feature and compliance differences were not itemized in the available vendor pages.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Rows GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
rows.com