// Trust & Security Report
ThinqLab Ltd (Writefull BV in Netherlands)
Writefull is an AI-powered academic writing assistant for researchers and students. Core products include: Writefull for Word (Microsoft Word integration), Writefull for Overleaf (LaTeX integration), Writefull Revise (standalone document checker), Writefull Cite (citation management), Writefull X, and AI widgets (Academizer, Paraphraser, Title Generator, Abstract Generator, TeXGPT). Products are available at student, researcher, institutional, and publisher tiers.
Certifications held
1
Maturity
Growth
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on writefull.com“Digital Science US participates in the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework and has certified to the U.S. Department of Commerce its compliance with the DPF Principles regarding the processing of EU Personal Data.”
> Show 6 unconfirmed / not-held certifications
source: learn.microsoft.comDoes the app comply with Service Organization Controls (SOC 2)? No
source: learn.microsoft.comIs the app International Organization for Standardization (ISO 27001) certified? No
source: digital-science.comNo public evidence; Digital Science group holds ISO 27701:2019 (Certificate 21331/1) but Writefull is not explicitly listed in scope. Only Dimensions division is mentioned.
source: learn.microsoft.comDoes the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A
source: learn.microsoft.comIs the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No
source: learn.microsoft.comHas the app been Cloud Security Alliance (CSA Star) certified? No
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Hosted on Google Cloud Platform (GCP); UK/EEA operations through ThinqLab Ltd (London, UK); US operations through Digital Science US (participates in EU-US DPF).
Homepage states: 'None of your texts or searches are stored or used for training.' Terms of use states: 'We will not use your Inputs to train models without your consent.' Writefull trains language models on published journal articles, not user data.
// Security controls
Data encryption in transit
Yes - Writefull uses encrypted connections for all text processing. Homepage states: 'Writefull revises your text in seconds using an encrypted connection.'
writefull.comData stored on servers
No - None of user texts, searches, or documents are stored. Data is processed and instantly wiped. Homepage: 'None of your texts or searches are stored or used for training.'
writefull.comAnnual penetration testing
Yes - Writefull conducts annual penetration testing on the app
learn.microsoft.comQuarterly vulnerability scanning
Yes - Quarterly vulnerability scanning on app and supporting infrastructure
learn.microsoft.comDisaster recovery & backup plan
Yes - Documented disaster recovery plan including backup and restore strategy
learn.microsoft.comChange management process
Yes - Established change management process with code review; secondary person approves all code changes
learn.microsoft.comMultifactor authentication (MFA)
Yes - MFA enabled for code repositories, DNS management, and credential access
learn.microsoft.comIntrusion Detection & Prevention (IDPS)
Yes - IDPS software deployed at network perimeter
learn.microsoft.comEvent logging & monitoring
Yes - Event logging on all system components; logs reviewed regularly (human and automated); automated alerts for security events
learn.microsoft.comFormal information security risk management
Yes - Established formal process for ISRM
learn.microsoft.comFormal incident response process
No - Not documented or established. This is a significant gap.
learn.microsoft.comFormal patch management SLA
No - No policy documented for SLA on applying patches
learn.microsoft.com// Products & data scope
data: Processes academic text in Microsoft Word; no data stored on Writefull servers; instant processing and deletion
Microsoft 365 App Certified (attested). Available via Microsoft AppSource.
data: Integrates with Overleaf; processes LaTeX code; no data storage
Part of Overleaf/Digital Science ecosystem. Writefull BV listed as Overleaf group company.
data: Users upload documents for language checking; no permanent storage
Provides overall language quality scoring and Track Changes-compatible corrections
data: Citation tool for academic writing
Available as standalone product
data: Umbrella product offering multiple widgets and features
General purpose product tier
data: Individual AI-powered writing assistance tools
Academizer: academicizes informal text. Paraphraser: multi-level rewriting. Title/Abstract Generators: AI-driven document element generation. TeXGPT: auto-generates LaTeX code.
// What to watch
- Data subject rights are handled manually, not via in-product self-service. Writefull's own privacy notice commits to honoring these rights: 'to request that their personal data is rectified or deleted, or its processing limited' and 'We will comply with any requests to exercise your rights in accordance with applicable law', exercised via the contact form. The Microsoft self-attestation separately reports no automated in-app capability to delete ('...delete an individual's personal data upon request? No'), restrict ('...restrict or limit the processing...? No'), or correct ('...correct or update their personal data? No') on request. Those answers describe the absence of self-service tooling, meaning such requests are fulfilled manually rather than in-product. This is an operational/UX limitation, not a GDPR violation and not an over-claim: nothing in Writefull's public materials asserts a GDPR certification, and manual fulfillment of rights requests is GDPR-permissible.
- No Data Processing Agreement (DPA) explicitly mentioned in privacy policy, though privacy policy references compliance with GDPR. Enterprise/institutional customers should verify DPA availability.
- No formal incident response process documented (Microsoft certification: 'Formal security incident response process documented and established? No'). This is a major operational security gap.
- No patch management SLA policy. While development practices are strong, patching is ad-hoc.
- Parent company (Digital Science) holds ISO 27001:2022 and ISO 27701:2019, but Writefull itself is NOT explicitly listed in the certification scope. Only 8 products are named: Dimensions, ReadCube Papers, Overleaf, Symplectic, Figshare, Altmetric, Metaphacts. Writefull cannot claim these parent certifications.
- Identity verification: Writefull BV is Netherlands-based subsidiary. Operations via ThinqLab Ltd (UK) and Digital Science US. Confirm which entity is the primary data controller for your use case (UK vs US affiliate matters for DPF compliance).
- Microsoft 365 certification is ATTESTATION ONLY (self-reported), not audited. No third-party verification of security claims.
- Service providers include Anthropic and OpenAI for AI processing; also uses Netsuite (billing), Salesforce (CRM), Qualtrics (feedback). Verify their security posture if data flows to these providers.
// At a glance
Pricing model
Freemium with premium tiers: Free tier (limited checks), Premium (individual), Institutional licenses, Publisher licenses. Pricing varies by user segment (students, researchers, institutions).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ThinqLab Ltd (Writefull BV in Netherlands)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
writefull.com