// Trust & Security Report

    Rows GmbH logo

    Rows GmbH

    Rows is an AI-powered spreadsheet / data-analyst tool (core product), with a browser extension (RowsX) for extracting web data into spreadsheets and a public API. Rows was acquired by Superhuman (formerly Grammarly) in February 2026 and, per the vendor's own announcement, the standalone product was scheduled to be sunset by May 31, 2026, with its capabilities folded into Superhuman's Coda product. As of this assessment, rows.com is still live and displays a banner confirming the acquisition.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II Certified: This certification confirms that Rows meets strict criteria for security, availability, and confidentiality

    Verify on rows.com
    GDPR (compliance posture, not a certification)
    HELD

    We ensure that personal data is processed in accordance with the General Data Protection Regulation (GDPR)... If you need a Data Processing Agreement with us, please find the already signed version here

    Verify on rows.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence found. Rows' own security and privacy pages (rows.com/docs/how-do-you-manage-security, rows.com/privacy) do not mention ISO 27001. A third-party (non-vendor-domain) summary claimed 'ISO 27001 Compliant' but this could not be corroborated on any rows.com page and is treated as an unverified overclaim, not vendor evidence.

    source: rows.com
    HIPAA
    NOT CONFIRMED

    No public evidence found. HIPAA is not mentioned anywhere on rows.com's security or privacy pages; Rows is a general business spreadsheet/data tool with no stated healthcare/BAA offering.

    source: rows.com
    PCI DSS
    NOT CONFIRMED

    PCI DSS is referenced only in connection with Rows' payment processor (Stripe), not Rows' own systems: payment providers 'comply with Payment Card Industry (PCI) Data Security Standards' and are 'certified by an independent PCI Qualified Security Assessor.' This is the payment processor's certification, not Rows'.

    source: rows.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found on any rows.com page. A third-party aggregator claimed FedRAMP compliance with no vendor-domain support; treated as an unverified overclaim and excluded.

    source: rows.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any rows.com page.

    source: rows.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence found. Rows describes AI-training posture in its privacy policy but makes no claim of a formal AI-governance certification.

    source: rows.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    EU/EEA. Privacy policy states servers are 'geographically located in the European Union (EU) or the European Economic Area (EEA)'; the security page states 'All data is stored in European data centers, encrypted at rest and in transit.' Hosting infrastructure includes Google Cloud Platform and AWS.

    Vendor states data shared with the Rows AI Analyst is 'not used for training purposes.' The privacy policy specifies the AI feature uses OpenAI and Groq as sub-processors; OpenAI may retain data 'for up to 30 days' for abuse monitoring while 'Groq does not retain your data after processing.' Rows also states elsewhere: 'Rows does not access your spreadsheets, and you can delete your data anytime.' Note: as of the acquisition, Rows' privacy policy states Superhuman's Privacy Policy and Terms apply as of June 16, 2026 (already in effect as of this assessment date), so the AI-training posture described here may be superseded by Superhuman's policy going forward.

    // Security controls

    Encryption at rest

    256-bit AES encryption for stored data, including backups

    rows.com

    Encryption in transit

    HTTPS/TLS protocols when sending data from spreadsheet to Rows servers

    rows.com

    Data residency

    European data centers (EU/EEA); infrastructure on Google Cloud Platform and AWS

    rows.com

    Vulnerability disclosure

    Security researchers can report issues to security@rows.com with proof-of-concept and CVSS scoring; submissions can be encrypted with Rows' published PGP key

    rows.com

    AI data handling

    User data shared with the AI Analyst feature is not used to train AI models; sub-processors are OpenAI (up to 30-day retention) and Groq (no retention after processing)

    rows.com

    // Products & data scope

    Rows (core spreadsheet / AI Data Analyst)Spreadsheet / BI / data analysis

    data: Business data imported from 50+ integrations (social media, ad platforms, data warehouses, back-office tools) and from uploaded documents/PDFs; processed in a hosted spreadsheet.

    Marketed as 'Your new AI Data Analyst'; extracts data from PDFs, imports business data, and answers questions in plain language.

    Rows AIAI data analysis add-on

    data: Spreadsheet data sent to OpenAI/Groq for query answering; vendor states this data is not used for model training.

    Sub-feature of the core product, described on rows.com/ai.

    RowsX (browser extension)Web data extraction

    data: Extracts tables from third-party websites into a Rows spreadsheet.

    One-click import of web page tables; separate from the core AI Analyst.

    Rows APIDeveloper API

    data: Programmatic read/write access to a user's Rows spreadsheets and data.

    Referenced in site footer as 'API Docs'; not independently evaluated for security controls in this assessment.

    // What to watch

    • Rows was acquired by Superhuman (formerly Grammarly), announced February 22, 2026. The vendor's own blog post states the standalone Rows product would be 'gradually sunset... over the next three months' with full shutdown by May 31, 2026 -- a date that has already passed as of this assessment (2026-07-09), yet rows.com remains live with a banner ('Rows joined Superhuman') rather than a hard redirect. Listing status should be re-checked frequently; the product's continued independent availability is uncertain.
    • Rows' own privacy policy notes that 'the Superhuman Privacy Policy and Terms will apply as of June 16 [2026]' -- a date already in effect as of this assessment. This means the AI-training and data-handling posture graded here (sourced from Rows' legacy privacy policy) may already be superseded by Superhuman's policy; this is a legacy-ToS vs current-owner-policy contradiction that could not be fully resolved without fetching Superhuman's current privacy policy.
    • A non-vendor-domain, likely AI-generated search summary claimed Rows is 'PCI Compliant, HIPAA Compliant, SOC 2 Compliant, GDPR Compliant, ISO 27001 Compliant, FedRamp Compliant, and CSA Star Level 1 Compliant.' None of these beyond SOC 2 Type II and a GDPR posture could be corroborated on rows.com; this looks like an aggregator overclaim and was excluded from graded certifications. AIFOXX should not repeat this list.
    • PCI DSS language on rows.com/privacy refers to the payment processor's (Stripe's) certification, not Rows' own infrastructure -- do not attribute this cert to Rows directly.
    • No dedicated trust center (e.g. a Vanta/Drata/SafeBase-hosted trust portal) was found; the only vendor-domain security disclosure is a single docs article (rows.com/docs/how-do-you-manage-security).

    // At a glance

    Pricing model

    Freemium / subscription tiers (Free, paid team/business tiers referenced on rows.com/pricing); tier-by-tier feature and compliance differences were not itemized in the available vendor pages.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Rows GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    rows.com

    > Browse all vendor trust reports