// Trust & Security Report

    Crowdin logo

    Crowdin

    AI-powered localization and translation management platform

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Crowdin's Information Security Management System is certified under ISO/IEC 27001, ensuring strong protection and risk management for sensitive data.

    Verify on crowdin.com
    GDPR Compliance
    HELD

    Crowdin complies with GDPR, protecting personal data of EU residents in line with European privacy standards.

    Verify on crowdin.com
    HIPAA (BAA Available)
    HELD

    Customers that are subject to HIPAA and want to utilize Crowdin in connection with Protected Health Information (PHI) must sign Crowdin's Business Associate Agreement

    Verify on crowdin.com
    SOC 2 Type II
    HELD
    > Show 1 unconfirmed / not-held certifications
    PCI DSS
    NOT CONFIRMED

    When you sign up for a paid Crowdin account, we do not store any of your billing information on our servers. All payments made to Crowdin are processed through our partner, FastSpring, which complies with the PCI Security Standard.

    source: crowdin.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (default, AWS us-east-1 N. Virginia) and EU (AWS eu-west-1 Ireland) available for Crowdin Enterprise customers. Data region must be chosen at organization creation and cannot be changed later.

    Crowdin does not use customer translation data (Client Data) to train general AI or ML models. The privacy policy states Client Data is only processed per client instructions and may only be used in anonymized or aggregated form for product improvements. Terms explicitly state: 'Supplier respects your right to exclusive ownership of your Client Data' and 'Supplier may not otherwise use or display Client Data without Client's written consent.' When using Crowdin's AI translation features, customers can use their own API keys for AI providers (OpenAI, Anthropic, Azure AI, DeepL) to keep data handling within their own accounts, or opt into Crowdin's managed AI service.

    // Security controls

    Bug Bounty Program

    HackerOne (private, invitation-only). Launched July 17, 2024. Follows HackerOne Standard Program guidelines.

    crowdin.com

    Penetration Testing

    Annual third-party penetration testing by independent security audit company. No customer data exposed during testing. Summary available to enterprise customers on request.

    crowdin.com

    Infrastructure

    Amazon Web Services (AWS). AWS holds ISO 27001 and has completed multiple SSAE 16 audits.

    crowdin.com

    Zero Trust Architecture

    ISMS built on Zero Trust Architecture (ZTA) with 'never trust, always verify' principle. Context-aware access, mandatory hardware 2FA keys, binary authorization.

    crowdin.com

    Authentication

    SAML 2.0 SSO, two-factor authentication (2FA) with hardware keys, device verification, biometric authentication, TOTP.

    crowdin.com

    Access Control

    Role-based permissions, IP allowlist, granular REST API token permissions, principle of least privilege, access audits.

    crowdin.com

    Incident Response

    Documented incident response plan reviewed and tested annually. 24/7/365 server monitoring team.

    crowdin.com

    Employee Security

    Background checks on all employees/contractors. Mandatory security awareness training for all personnel. Hardware-encrypted devices, MDM, BYOD restrictions.

    support.crowdin.com

    Business Continuity

    Disaster Recovery Plan and Business Continuity Plan maintained and regularly tested. Service availability target >99.95% yearly. Status at status.crowdin.com.

    support.crowdin.com

    Payments

    No billing data stored on Crowdin servers. Payments processed via FastSpring (PCI-compliant).

    crowdin.com

    // Products & data scope

    Crowdin.comSaaS localization platform for individuals and small/mid-size teams

    data: Translation strings, source files, glossaries, translation memory. Data stored in US (AWS us-east-1) by default. No dedicated EU data residency. Free plan available; paid plans above.

    Includes freemium tier. Integrates with GitHub, GitLab, Bitbucket, Figma, WordPress, Notion, and 700+ other apps. AI suggestions via OpenAI, Anthropic, Azure AI, DeepL (user-provided API keys or Crowdin-managed). No data residency selection available.

    Crowdin EnterpriseEnterprise SaaS localization platform for large organizations

    data: Same content types as Crowdin.com plus extended org management data. Customer selects US or EU data region at setup (permanent, cannot be changed). Enterprise-level SAML SSO, IP allowlist, custom workflows, advanced project management, and BAA for HIPAA.

    Starts at $450/month. 30-day free trial available. Includes dedicated data residency (US or EU), custom authorization methods, SLA agreements available. Pen test summary available on request. Used by Strava, GitLab, GitHub (Electron project), Cal.com, Pipedrive.

    // What to watch

    • SOC 2 Type II not publicly documented; notable gap for enterprise procurement teams that require it
    • HackerOne bug bounty is private (invitation-only), not open to all researchers
    • EU data residency is restricted to Crowdin Enterprise (from $450/month); standard Crowdin.com users default to US storage only
    • Data region for Crowdin Enterprise cannot be changed after initial organization setup; customers must choose correctly at onboarding
    • HIPAA compliance requires signing a BAA separately; not automatic
    • ISO 27001 first certified December 2021; now certified under updated ISO/IEC 27001:2022 standard per security policy documentation

    // At a glance

    Pricing model

    Freemium (Crowdin.com: free plan available, paid tiers above). Enterprise starts at $450/month. 30-day Enterprise trial, no credit card required.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Crowdin's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    crowdin.com

    > Browse all vendor trust reports