Security

Company text should only go where the rewrite needs it

No background capture, no training on your text, no write access to your docs. This page lists exactly what Rewrait processes, when it happens, and who else is involved - in plain language.

On-demand processing only

Rewrait sends text for processing only when someone selects it - or dictates a draft - and triggers a shortcut. There is no always-on monitoring, no background capture, and no keystroke logging. If nobody presses Cmd/Ctrl+Shift+P, nothing leaves the machine.

No training on your text

Submitted text is processed to return your rewrite and is not used to train Rewrait's models or any third-party model. Team plans put that in writing: a no-training guarantee with a DPA.

History off by default

Rewrait does not store your rewrites unless a user explicitly opts in to history. If history is on, items can be deleted one at a time. Feedback events (thumbs up or down on a rewrite) never store the text itself.

Encrypted tokens, read-only scopes

Integration OAuth tokens are stored AES-encrypted, and every integration requests read-only scopes. Rewrait can quote your refund policy; it cannot edit, move, or delete anything in Notion, Confluence, or Google Docs.

Owner-approved sources

Connecting an integration does not expose your wiki. The workspace owner whitelists the specific Notion, Confluence, and Google Docs sources that shortcuts may read - nothing outside that list is ever fetched.

Capped, cached context

Each approved source is fetched read-only, cached, and capped at 12,000 characters. Shortcuts get the paragraphs they need to stay on-policy - not a bulk export of your knowledge base.

Data subprocessors

AI providers receive text only at the moment a rewrite or dictation runs; payment and email providers never see your content at all. This list is verified against our production stack - if a vendor is not here, we do not use it.

| Subprocessor | Purpose |
| --- | --- |
| OpenAI | Rewrite processing, only when a shortcut runs |
| Google (Gemini) | Rewrite processing, only when a shortcut runs |
| Deepgram | Dictation transcription, only while you dictate |
| Stripe | Payment processing. Never sees your text. |
| Brevo | Transactional email. Never sees your text. |
| Fly.io | Application hosting and managed Postgres database |

SOC 2

SOC 2 is on our roadmap and not yet certified. If your security review needs specifics today, ask us — we will answer directly.

Security contact

Security questions, vulnerability reports, and review questionnaires go to one address, and a founder answers them directly - no ticket queue, no holding pattern.

[email protected]

FAQ

Security questions, answered

Does Rewrait use my text to train AI models?

No. Text you submit is processed to return the rewrite and is not used to train Rewrait's models or any third-party model. On Team plans this is contractual: a written no-training guarantee plus a DPA. The design backs the policy. Rewrait only receives text on demand - when a user selects something or dictates a draft and triggers a shortcut - so there is no standing stream of your company's writing to mine in the first place. Rewrite history is off by default, meaning even your own past rewrites are not retained unless you opt in, and feedback events never store text. The AI subprocessors that perform rewrites (OpenAI and Google Gemini) see only the text of the specific request, plus whatever approved source context the shortcut is configured to read.

What happens to my text after a rewrite?

It comes back to you and, by default, that is the end of it. The pipeline is short: your selected text and the shortcut's approved context go to the AI provider, the rewrite comes back, and the replacement happens in your app. Rewrait does not store the text unless you have turned on rewrite history, which is off by default. If you do enable history - some users want a record of past rewrites - every item can be deleted individually, and turning history off again stops new items from being saved. Thumbs-up and thumbs-down feedback is recorded as an event without the underlying text, so quality signals never become a copy of your writing. Voice dictation works the same way: audio is transcribed by Deepgram at the moment you dictate, and the transcript follows the same rules as typed text.

Can Rewrait edit or delete files in Notion, Confluence, or Google Docs?

No. All three integrations request read-only OAuth scopes, so Rewrait is technically unable to write, move, or delete anything in your docs - the permission is never granted, not merely unused. Access is also narrower than read-everything: the workspace owner approves a whitelist of specific sources, and shortcuts can only read pages on that list. Each source is fetched read-only, cached to limit repeat fetches, and capped at 12,000 characters, so a shortcut pulls the policy section it needs rather than syncing your knowledge base. OAuth tokens for these connections are stored AES-encrypted, and the owner can disconnect an integration at any time, which severs access immediately. If your security review needs the exact scope strings we request from each provider, email [email protected] and we will send them.

Is Rewrait SOC 2 certified?

Not yet - SOC 2 is on our roadmap, and we will not pretend otherwise with a badge that links nowhere. What we offer today: the commitments on this page (on-demand processing, no training on your text, history off by default, read-only encrypted integrations), a DPA and written no-training guarantee on Team plans, and direct answers - a founder responds to security questionnaires personally, usually faster than a compliance portal would. The honest trade: Rewrait is a small company, so you get fewer certificates and more access. If your procurement process strictly requires a SOC 2 report before any purchase, tell us at [email protected] - that demand is exactly what moves the audit up our roadmap, and we will tell you honestly whether our timeline fits yours.

What data does Rewrait store about our company?

Less than you might expect. Account data: names, emails, credentials or OAuth identities, workspace membership, and billing records - card details live with Stripe, never with us. Configuration: your styles, shortcuts, workflows, the approved source whitelist, and AES-encrypted OAuth tokens for connected integrations. Content: by default, none. Rewrite history is opt-in per user and deletable item by item; feedback events store no text; cached copies of approved sources are capped at 12,000 characters and fetched read-only. The application and its Postgres database run on Fly.io, and the workspace owner can disconnect any integration at any time, which cuts off source access immediately. If your review needs this as a formal data inventory, or you have a questionnaire in your own format, email [email protected] - a founder fills it in directly.

Check the defaults yourself

History off, sources read-only, nothing sent until you trigger it. Start the 14-day free Team trial and audit the settings on day one.