// Trust & Security Report
Crowdin
AI-powered localization and translation management platform
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on crowdin.com“Crowdin's Information Security Management System is certified under ISO/IEC 27001, ensuring strong protection and risk management for sensitive data.”
Verify on crowdin.com“Crowdin complies with GDPR, protecting personal data of EU residents in line with European privacy standards.”
Verify on crowdin.com“Customers that are subject to HIPAA and want to utilize Crowdin in connection with Protected Health Information (PHI) must sign Crowdin's Business Associate Agreement”
> Show 1 unconfirmed / not-held certifications
source: crowdin.comWhen you sign up for a paid Crowdin account, we do not store any of your billing information on our servers. All payments made to Crowdin are processed through our partner, FastSpring, which complies with the PCI Security Standard.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (default, AWS us-east-1 N. Virginia) and EU (AWS eu-west-1 Ireland) available for Crowdin Enterprise customers. Data region must be chosen at organization creation and cannot be changed later.
Crowdin does not use customer translation data (Client Data) to train general AI or ML models. The privacy policy states Client Data is only processed per client instructions and may only be used in anonymized or aggregated form for product improvements. Terms explicitly state: 'Supplier respects your right to exclusive ownership of your Client Data' and 'Supplier may not otherwise use or display Client Data without Client's written consent.' When using Crowdin's AI translation features, customers can use their own API keys for AI providers (OpenAI, Anthropic, Azure AI, DeepL) to keep data handling within their own accounts, or opt into Crowdin's managed AI service.
// Security controls
Bug Bounty Program
HackerOne (private, invitation-only). Launched July 17, 2024. Follows HackerOne Standard Program guidelines.
crowdin.comPenetration Testing
Annual third-party penetration testing by independent security audit company. No customer data exposed during testing. Summary available to enterprise customers on request.
crowdin.comInfrastructure
Amazon Web Services (AWS). AWS holds ISO 27001 and has completed multiple SSAE 16 audits.
crowdin.comZero Trust Architecture
ISMS built on Zero Trust Architecture (ZTA) with 'never trust, always verify' principle. Context-aware access, mandatory hardware 2FA keys, binary authorization.
crowdin.comAuthentication
SAML 2.0 SSO, two-factor authentication (2FA) with hardware keys, device verification, biometric authentication, TOTP.
crowdin.comAccess Control
Role-based permissions, IP allowlist, granular REST API token permissions, principle of least privilege, access audits.
crowdin.comIncident Response
Documented incident response plan reviewed and tested annually. 24/7/365 server monitoring team.
crowdin.comEmployee Security
Background checks on all employees/contractors. Mandatory security awareness training for all personnel. Hardware-encrypted devices, MDM, BYOD restrictions.
support.crowdin.comBusiness Continuity
Disaster Recovery Plan and Business Continuity Plan maintained and regularly tested. Service availability target >99.95% yearly. Status at status.crowdin.com.
support.crowdin.comPayments
No billing data stored on Crowdin servers. Payments processed via FastSpring (PCI-compliant).
crowdin.com// Products & data scope
data: Translation strings, source files, glossaries, translation memory. Data stored in US (AWS us-east-1) by default. No dedicated EU data residency. Free plan available; paid plans above.
Includes freemium tier. Integrates with GitHub, GitLab, Bitbucket, Figma, WordPress, Notion, and 700+ other apps. AI suggestions via OpenAI, Anthropic, Azure AI, DeepL (user-provided API keys or Crowdin-managed). No data residency selection available.
data: Same content types as Crowdin.com plus extended org management data. Customer selects US or EU data region at setup (permanent, cannot be changed). Enterprise-level SAML SSO, IP allowlist, custom workflows, advanced project management, and BAA for HIPAA.
Starts at $450/month. 30-day free trial available. Includes dedicated data residency (US or EU), custom authorization methods, SLA agreements available. Pen test summary available on request. Used by Strava, GitLab, GitHub (Electron project), Cal.com, Pipedrive.
// What to watch
- SOC 2 Type II not publicly documented; notable gap for enterprise procurement teams that require it
- HackerOne bug bounty is private (invitation-only), not open to all researchers
- EU data residency is restricted to Crowdin Enterprise (from $450/month); standard Crowdin.com users default to US storage only
- Data region for Crowdin Enterprise cannot be changed after initial organization setup; customers must choose correctly at onboarding
- HIPAA compliance requires signing a BAA separately; not automatic
- ISO 27001 first certified December 2021; now certified under updated ISO/IEC 27001:2022 standard per security policy documentation
// At a glance
Pricing model
Freemium (Crowdin.com: free plan available, paid tiers above). Enterprise starts at $450/month. 30-day Enterprise trial, no credit card required.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Crowdin's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
crowdin.com