Security & Compliance
Last updated: May 29, 2026
We take the security of your data seriously. This page summarizes the controls we have in place and how to report a vulnerability. Questions? Email [email protected].
Encryption
- All traffic is served over HTTPS with HSTS (HTTP Strict Transport Security) enforced.
- Data is encrypted in transit (TLS) between your site and our API; internal services communicate over a private network within our EU infrastructure.
- Passwords are hashed with scrypt; we never store plaintext passwords.
- API keys are stored as one-way hashes — the full key is shown only once at creation.
Access control & abuse protection
- JWT-based sessions with server-side revocation; sessions can be invalidated on password change.
- Progressive login lockout on repeated failed attempts, with operator alerting on brute-force patterns.
- Rate limiting across all public and authenticated endpoints.
- Webhook payloads are verified with HMAC-SHA256 signatures.
- Strict tenant isolation — your translations, glossaries, and usage are scoped to your account.
Data retention
We retain your data only as long as needed to provide the Services:
- Account & translation data — kept while your account is active.
- Deleted accounts — soft-deleted with a 30-day recovery window, then permanently removed.
- Operational logs — rotated on a rolling window and pruned automatically.
- Backups — encrypted database backups with write-ahead-log archiving to object storage for point-in-time recovery.
You can export all of your data (account, translations, Translation Memory) at any time from Settings → Export my data, and delete your account and all associated data from the same page (GDPR Articles 17 & 20). For per-data-class retention windows, see our Data Retention Policy.
Data residency & compliance
- Primary infrastructure is hosted in the EU (Amsterdam).
- GDPR-compliant; a Data Processing Agreement (DPA) is available.
- See our Privacy Policy for how we collect, use, and protect your information.
Responsible disclosure
If you believe you've found a security vulnerability, please report it to [email protected]. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you avoid accessing or modifying other customers' data. Our machine-readable policy is published at /.well-known/security.txt.
Questions
For security or compliance questions during procurement, contact [email protected] or reach our team via the contact page.