Summary
Your data is safe.
- Compliance: Rows is SOC 2 and GDPR compliant, with regular security audits.
- Data Storage: All data is stored in European data centers, encrypted at rest and in transit.
- AI & Privacy: User data is never used to train AI models, ensuring privacy.
- Control: Rows does not access your spreadsheets, and you can delete your data anytime.
- More info: Check our docs and privacy policy.
We value your security
At Rows, we know that we have to be a spreadsheet that you can entrust with any type of data. As such, we place the highest priority on ensuring the security of your data.
We follow state-of-the-art security practices, as some of our integration partners, for example, Google or Facebook, perform security audits of our platform.
Your data, including backed-up data, is encrypted at rest, that is when it’s stored on our servers, using 256-bit AES encryption. When sending data from your spreadsheet to our servers, we use HTTPS TLS protocols.
Your credit card data is additionally protected using Stripe’s security procedures.
Compliance
We are committed to adhering to the highest standards of data protection and security compliance. Rows is:
- GDPR Compliant: We ensure that personal data is processed in accordance with the General Data Protection Regulation (GDPR), respecting the privacy and rights of all our users in the European Union and beyond.
- SOC 2 Type II Certified: This certification confirms that Rows meets strict criteria for security, availability, and confidentiality, and that our systems are designed to safeguard sensitive data effectively.
How to report an issue
To report an issue, you should send us an email to security@rows.com with all the detail below:
- Issue description.
- How to, video or proof of concept.
- CVSS calculator output.
- Self-assessed severity.
- Any other information you consider useful for the Rows team.
- Encrypt your email report with our PGP key.
By submitting a vulnerability report to Rows, you grant to Rows GmbH, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material. Also, it is important that you notify us if any of this material is not your own work or is covered by the intellectual property rights of others. Not notifying us means that you've represented that no third-party intellectual property rights are involved.
Prevention of spam reports
At Rows, we appreciate the time and effort that security researchers put into finding vulnerabilities to help us secure our platform. However, to maintain the effectiveness and efficiency of our vulnerability program, we urge all reporters to adhere to the following guidelines to prevent spam reports:
No Automated Scan Reports Without Insight: While automated tools can assist in identifying potential vulnerabilities, they often generate false positives or highlight low-severity, non-exploitable issues. We discourage the submission of raw automated scanner output. If you use automated tools, please manually validate each finding, understand its impact, and provide a proof of concept or a detailed explanation.
Quality Over Quantity: A well-written report with a detailed explanation and proof-of-concept for a single vulnerability is far more valuable than multiple reports with scant details. We urge researchers to focus on the quality of their submissions.
Penalty for Spamming: To maintain the quality of our vulnerability program, reporters who repeatedly submit low-quality, out-of-scope, or duplicate reports may be temporarily or permanently excluded from the program. In severe cases, we may restrict their ability to submit future reports.
Our goal is to foster a community that values quality and meaningful contributions. We appreciate your understanding and cooperation in maintaining the standards of our vulnerability program.
Thank you for helping keep Rows and our customers safe.
Last update: 24 Feb 2026.