Industry-leading security

Discover the steps we take to protect our customers and their data. If you have any other questions or would like to know more about our industry-leading data security, please feel free to reach out.

Compliance and certifications

  • SOC 2 Type 2

    Lokalise, Inc. is SOC 2 Type 2 certified. SOC 2 Type 2 compliance demonstrates that our security policies, measures, and procedures rigorously protect the customer data managed by the Lokalise translation management platform.

  • ISO 27001 and ISO 27017

    ISO/IEC 27001 is an international standard for information security management systems. We have been certified against this standard, and against its extension for cloud service providers, ISO/IEC 27017, since November 2020. This assures that our security practices, data safeguards, and risk management processes meet the highest standards and follow industry best practices.

  • Data Privacy Practices

    Lokalise, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the processing and transfer of personal data.

  • GDPR Compliance

    We know the role we have in protecting our customers’ privacy and personal data. That’s why we’ve appointed a Data Protection Officer to monitor our own compliance. Our DPO is available to our customers to discuss data privacy issues at privacy@lokalise.com.

  • Lokalise and HIPAA

    There is no HIPAA certification for cloud service providers such as Lokalise. To meet HIPAA requirements, we align our HIPAA risk management program with our SOC 2 Type 2 certification. Any customer that qualifies as a “Covered Entity” or “Business Associate” under HIPAA may use our platform without signing a Business Associate Addendum. We do not knowingly process, store, or transmit any protected health information (PHI) of our customers and users. If you would like to process, store, or transmit any PHI through our platform, you should contact us at hello@lokalise.com.

Modern and secure infrastructure

  • Location

    Lokalise uses ISO 27001 certified data center facilities.

    Our services run on Amazon Web Services infrastructure, and customer data is hosted in AWS EU regions.

    See also: AWS ISO 27001 certification, AWS Compliance.

  • Physical Security

    Lokalise uses ISO 27001 certified data center facilities and relies on the data center providers for physical access control matters.

Our application

  • Entry points

    Lokalise is a web-based translation and localization platform that adapts mobile apps, websites, games, and other digital content for international markets and multiple languages. Lokalise was designed as an alternative to outdated and expensive tools, with a clear focus on content automation and integrations that eliminate unmanageable numbers of emails, spreadsheets, and unanswered questions.

    The platform has three entry points:

      • Lokalise Cloud App (app.lokalise.com) is the main UI entry point for our customers. It connects to the backend, which is hosted in an AWS cluster configured for multi-zone high availability (HA).
      • Lokalise API (api.lokalise.com) is the entry point for external API calls. It is hosted in the AWS cloud and runs in an HA configuration.
      • Lokalise Worker Server processes the internal task queue and executes the cron jobs. It is hosted in the AWS cloud (HA to be implemented).

  • Access rights and user authentication

    Lokalise uses a role-based security architecture and requires users of the system to be identified and authenticated before they can use any system resources.

    Different user roles and access rights are documented here: Teams and Roles

    Lokalise provides multiple ways of user authentication:

      • Local user accounts: users can sign up with a valid email address and set their password. Optionally, users can activate two-factor authentication. It is also possible to set password policies and enforce secure password settings: Secure password configuration
      • Existing accounts: users can also sign in with their existing GitHub, Google, or Microsoft accounts using the single sign-on functionality.
      • Single sign-on: it is also possible to use SAML for enterprise single sign-on.

    More information on how to manage teams, users, and roles can be found in our documentation: Manage teams, users, and groups.

  • Lokalise API

    To use the API, API tokens must be generated. API access is governed by the same RBAC model as access through the web UI, so a token carries no more permissions than the user it belongs to.

  • Application audit logs

    At the application layer there is a detailed audit log of all activities performed in the system. The log is available via the application GUI and can be exported to CSV/Excel. By default, audit logs are retained for a minimum of 6 months, with the exception of deleted projects and/or teams, whose audit data is permanently deleted after 30 days.

  • Internal audit logs

    Internally, audit logs from system components are collected in a separate environment with access limited to authorized users. Depending on the log type, logs are retained from 6 months to several years.

  • Development environment

    Our development and testing environments are hosted separately, with separate access control, completely isolated from the production environment.

    We have automated integration tests that check for system errors and bugs before changes reach the production environment. Integration tests are also used to identify security issues.

  • Change management

    The change management process is documented and regularly audited. Customers are informed of significant changes in advance via email. We have several stages of code review and quality assurance before changes are deployed to production.

  • Session management

    Sessions are managed server-side. Session management is implemented in core application code.

  • Reliability

    The Lokalise application is built on a modern technology stack that provides for business continuity at multiple layers.

    Current system availability is above 99.9%; availability reports are published on our Status page.

Data security

  • PI processing

    Lokalise processes and stores a limited set of personal information (PI), used only for user authentication and authorization:
    • Name
    • Surname
    • Email address
    • IP address

  • Data handling

    Removable media is prohibited in the company, and 99% of data is maintained in electronic form. All laptop and server hard drives are encrypted, so data disposal is automatic once a server or laptop is taken out of use. Data is destroyed by physical means (old laptop HDDs) or with secure erasure procedures.

  • Data anonymization

    Except for specific cases of advanced troubleshooting where we might need the actual data, all customer data used outside production is anonymized using a custom solution developed internally.

  • Data backups

    Backups are created daily, and the backup data is automatically used for full backup and restore testing, so we can be sure that in case of a disaster the system can be restored to a running state from backup. All backup procedures are documented and kept up to date.

  • HTTPS and HSTS for secure connections

    Customers access Lokalise app services over the Internet using the TLS support of their web browser. Communication is encrypted using up-to-date protocols such as TLS 1.2. Additionally, we use HSTS to ensure that browsers interact with our application only over HTTPS.

  • Data integrity

    Data integrity is ensured by built-in mechanisms in the core of the application and by the lower infrastructure layers, such as database integrity checks and file system integrity. Regular snapshot and backup processes ensure that, in the case of data corruption, data can be restored to its original version.

  • Collected information

    We collect information provided by authorized individuals who are registered or permitted by a Customer to access a Team’s Workspace and/or use the Services (the “Authorized Users”), for example localization managers, CTOs, CPOs, or external translators working on a translation project in the Team’s Workspace. Detailed and up-to-date information about the data we collect and its types can be found in our Privacy Policy.

  • Lokalise access to customer data

    Customer support staff and a limited number of members of our DevOps team may access customer data for support and troubleshooting purposes.

  • Termination of contract

    Upon termination of the agreement, all customer data, except data we are required by law to retain, is deleted from our systems and databases. The process is automatic and documented in our internal procedures.

  • Data subject requests

    Requests are handled manually. They can be submitted using in-application chat or directed to privacy@lokalise.com.

Secure payments

    We use a PCI DSS-certified third-party payment processor, Stripe, to process payments made to Lokalise securely. We do not retain any personally identifiable information or any financial information, such as credit card numbers, in our services. All such information is provided directly to the third-party processor engaged by Lokalise. In addition, we perform a yearly internal compliance assessment against the PCI DSS requirements that apply to us.

Corporate Security

  • Security team

    Lokalise has an internal Security team that covers all aspects related to IT Security. The Security team works closely together with the Legal department on compliance and data protection matters.

  • Security Policies

    Our security operations are aligned with ISO 27001 principles and recommended processes. We have several processes in place and an extensive set of cybersecurity policies that help us monitor security risks: technical ones such as log management, access management, and vulnerability scanning, as well as continuous user education and assessment. All procedures are documented and in good standing, as attested by our SOC 2 Type 2 certification.

  • Systems hardening

    We use CIS guidelines for server/device and service hardening.

  • Malware protection

    Employee equipment is protected by an enterprise-grade antivirus solution.

  • Performance and monitoring

    We have several internal solutions in place that are used for monitoring our systems, application availability, and other critical parameters. We also have in place a solution that allows us to manage and monitor the performance of our application.

    In addition to the above, we have implemented a log management tool and are currently increasing our visibility by ensuring that all critical logs are forwarded to this central tool.

  • Vulnerability management

    There is an ongoing vulnerability and patch management process in place. Server operating systems are regularly patched and updated, and we have multiple internal processes that help identify potential vulnerabilities.

  • Internal risk management

    Lokalise has implemented risk management as an ongoing process within its key business processes, so that it aligns organically with day-to-day operations. This approach is intended to align the company’s strategy more closely with its key stakeholders, help organizational units manage uncertainty more effectively, minimize threats to the business, and maximize its opportunities in a rapidly changing market environment.

    Lokalise identifies the underlying sources of risk, measures their impact on the organization, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor and manage the risks.

  • Third party risk management

    To support the delivery of our services, Lokalise, Inc. may engage data processors with access to certain Customer Data. Our sub-processors page provides information about the identity, location, and role of each Sub-processor.

    We evaluate every third party before entering into a business relationship with it. The evaluation covers points such as ownership, country of residence, security attestations, data protection measures, and previous incidents.

  • Incident response

    Lokalise has an established Incident Response policy.

    If we identify that customer data was affected as the result of an incident, we will inform the affected customers within 48 hours. The information provided will depend on the specifics of each case.

    Incidents can be reported to support at hello@lokalise.com or through the in-application chat.

  • Human resources security

    Lokalise maintains sound business ethics by hiring and retaining high-quality personnel. All employees know their roles and responsibilities with regard to information security and undergo regular security awareness training. In this way, we minimize the risks of human error, theft, fraud, and misuse of information assets.

Bug bounty

We are continuously running a private bug bounty program with YesWeHack.

Responsible disclosure

    Lokalise has implemented a vulnerability disclosure policy; discovered vulnerabilities can be reported by following its guidelines.

Do you have a security concern you'd like to discuss with us, or do you want to report a vulnerability in Lokalise’s services? Please don't hesitate to contact us at hello@lokalise.com.