// Trust & Security Report

    ThinqLab Ltd (Writefull BV in Netherlands) logo

    ThinqLab Ltd (Writefull BV in Netherlands)

    Writefull is an AI-powered academic writing assistant for researchers and students. Core products include: Writefull for Word (Microsoft Word integration), Writefull for Overleaf (LaTeX integration), Writefull Revise (standalone document checker), Writefull Cite (citation management), Writefull X, and AI widgets (Academizer, Paraphraser, Title Generator, Abstract Generator, TeXGPT). Products are available at student, researcher, institutional, and publisher tiers.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    EU-US Data Privacy Framework (DPF)
    HELD

    Digital Science US participates in the EU-US Data Privacy Framework and the UK Extension to the EU-US Data Privacy Framework and has certified to the U.S. Department of Commerce its compliance with the DPF Principles regarding the processing of EU Personal Data.

    Verify on writefull.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type I or II
    NOT CONFIRMED

    Does the app comply with Service Organization Controls (SOC 2)? No

    source: learn.microsoft.com
    ISO 27001
    NOT CONFIRMED

    Is the app International Organization for Standardization (ISO 27001) certified? No

    source: learn.microsoft.com
    ISO 27701 (Privacy Information Management)
    NOT CONFIRMED

    No public evidence; Digital Science group holds ISO 27701:2019 (Certificate 21331/1) but Writefull is not explicitly listed in scope. Only Dimensions division is mentioned.

    source: digital-science.com
    HIPAA
    NOT CONFIRMED

    Does the app comply with the Health Insurance Portability and Accounting Act (HIPAA)? N/A

    source: learn.microsoft.com
    FedRAMP
    NOT CONFIRMED

    Is the app Federal Risk and Authorization Management Program (FedRAMP) compliant? No

    source: learn.microsoft.com
    CSA STAR
    NOT CONFIRMED

    Has the app been Cloud Security Alliance (CSA Star) certified? No

    source: learn.microsoft.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Hosted on Google Cloud Platform (GCP); UK/EEA operations through ThinqLab Ltd (London, UK); US operations through Digital Science US (participates in EU-US DPF).

    Homepage states: 'None of your texts or searches are stored or used for training.' Terms of use states: 'We will not use your Inputs to train models without your consent.' Writefull trains language models on published journal articles, not user data.

    // Security controls

    Data encryption in transit

    Yes - Writefull uses encrypted connections for all text processing. Homepage states: 'Writefull revises your text in seconds using an encrypted connection.'

    writefull.com

    Data stored on servers

    No - None of user texts, searches, or documents are stored. Data is processed and instantly wiped. Homepage: 'None of your texts or searches are stored or used for training.'

    writefull.com

    Annual penetration testing

    Yes - Writefull conducts annual penetration testing on the app

    learn.microsoft.com

    Quarterly vulnerability scanning

    Yes - Quarterly vulnerability scanning on app and supporting infrastructure

    learn.microsoft.com

    Disaster recovery & backup plan

    Yes - Documented disaster recovery plan including backup and restore strategy

    learn.microsoft.com

    Change management process

    Yes - Established change management process with code review; secondary person approves all code changes

    learn.microsoft.com

    Secure coding practices

    Yes - OWASP Top 10 principles considered in development

    learn.microsoft.com

    Multifactor authentication (MFA)

    Yes - MFA enabled for code repositories, DNS management, and credential access

    learn.microsoft.com

    Intrusion Detection & Prevention (IDPS)

    Yes - IDPS software deployed at network perimeter

    learn.microsoft.com

    Event logging & monitoring

    Yes - Event logging on all system components; logs reviewed regularly (human and automated); automated alerts for security events

    learn.microsoft.com

    Formal information security risk management

    Yes - Established formal process for ISRM

    learn.microsoft.com

    Formal incident response process

    No - Not documented or established. This is a significant gap.

    learn.microsoft.com

    Formal patch management SLA

    No - No policy documented for SLA on applying patches

    learn.microsoft.com

    // Products & data scope

    Writefull for WordWriting assistant - Office integration

    data: Processes academic text in Microsoft Word; no data stored on Writefull servers; instant processing and deletion

    Microsoft 365 App Certified (attested). Available via Microsoft AppSource.

    Writefull for OverleafWriting assistant - LaTeX integration

    data: Integrates with Overleaf; processes LaTeX code; no data storage

    Part of Overleaf/Digital Science ecosystem. Writefull BV listed as Overleaf group company.

    Writefull ReviseDocument checker - standalone

    data: Users upload documents for language checking; no permanent storage

    Provides overall language quality scoring and Track Changes-compatible corrections

    Writefull CiteCitation management

    data: Citation tool for academic writing

    Available as standalone product

    Writefull XMulti-feature platform

    data: Umbrella product offering multiple widgets and features

    General purpose product tier

    AI Widgets (Academizer, Paraphraser, Title Generator, Abstract Generator, TeXGPT)Specialized AI writing tools

    data: Individual AI-powered writing assistance tools

    Academizer: academicizes informal text. Paraphraser: multi-level rewriting. Title/Abstract Generators: AI-driven document element generation. TeXGPT: auto-generates LaTeX code.

    // What to watch

    • Data subject rights are handled manually, not via in-product self-service. Writefull's own privacy notice commits to honoring these rights: 'to request that their personal data is rectified or deleted, or its processing limited' and 'We will comply with any requests to exercise your rights in accordance with applicable law', exercised via the contact form. The Microsoft self-attestation separately reports no automated in-app capability to delete ('...delete an individual's personal data upon request? No'), restrict ('...restrict or limit the processing...? No'), or correct ('...correct or update their personal data? No') on request. Those answers describe the absence of self-service tooling, meaning such requests are fulfilled manually rather than in-product. This is an operational/UX limitation, not a GDPR violation and not an over-claim: nothing in Writefull's public materials asserts a GDPR certification, and manual fulfillment of rights requests is GDPR-permissible.
    • No Data Processing Agreement (DPA) explicitly mentioned in privacy policy, though privacy policy references compliance with GDPR. Enterprise/institutional customers should verify DPA availability.
    • No formal incident response process documented (Microsoft certification: 'Formal security incident response process documented and established? No'). This is a major operational security gap.
    • No patch management SLA policy. While development practices are strong, patching is ad-hoc.
    • Parent company (Digital Science) holds ISO 27001:2022 and ISO 27701:2019, but Writefull itself is NOT explicitly listed in the certification scope. Only 8 products are named: Dimensions, ReadCube Papers, Overleaf, Symplectic, Figshare, Altmetric, Metaphacts. Writefull cannot claim these parent certifications.
    • Identity verification: Writefull BV is Netherlands-based subsidiary. Operations via ThinqLab Ltd (UK) and Digital Science US. Confirm which entity is the primary data controller for your use case (UK vs US affiliate matters for DPF compliance).
    • Microsoft 365 certification is ATTESTATION ONLY (self-reported), not audited. No third-party verification of security claims.
    • Service providers include Anthropic and OpenAI for AI processing; also uses Netsuite (billing), Salesforce (CRM), Qualtrics (feedback). Verify their security posture if data flows to these providers.

    // At a glance

    Pricing model

    Freemium with premium tiers: Free tier (limited checks), Premium (individual), Institutional licenses, Publisher licenses. Pricing varies by user segment (students, researchers, institutions).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ThinqLab Ltd (Writefull BV in Netherlands)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    writefull.com

    > Browse all vendor trust reports