// Trust & Security Report

    DeepL SE logo

    DeepL SE

    AI-powered language translation, writing assistance, voice, and document processing platform

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    DeepL has passed its independent SOC 2 Type II audit of its Pro service, conducted by a Certified Public Accountant (CPA). The Type II report proves that the predefined policies and procedures have been successfully followed for a reporting period of 12 months.

    Verify on deepl.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 is listed as an active compliance item in the DeepL Trust Center. The trust center compliance row reads: 'Compliance C5 GDPR HIPAA ISO/IEC 27001:2022 SOC 2 Type 2'.

    Verify on deepl.safebase.us
    GDPR
    HELD

    DeepL remains fully GDPR compliant. Our relationship with AWS is governed by a data processing agreement that ensures adherence to GDPR requirements, including the mandatory terms between Controllers and Processors under Article 28 of the GDPR.

    Verify on deepl.safebase.us
    HIPAA
    HELD

    DeepL's Language AI platform is now fully HIPAA-compliant, supporting secure PHI workflows for healthcare, pharmaceutical, and life sciences teams.

    Verify on deepl.com
    BSI C5 Type 2
    HELD

    All of the new security certifications and accreditations that DeepL receives are in addition to the standards we hold such as ISO 27001, SOC 2 Type 2 and GDPR. Earning [C5 Type 2] involves meeting 114 separate information security criteria... It audits the effectiveness of these measures over a minimum six-month period.

    Verify on deepl.com
    > Show 7 unconfirmed / not-held certifications
    ISO 27017 (cloud security controls)
    NOT CONFIRMED

    No public evidence that ISO 27017 is held by DeepL SE itself. The trust center references ISO 27017/27018 only in the context of AWS infrastructure certifications: 'By incorporating AWS, DeepL benefits from additional security certifications and compliance frameworks, including ISO 27001, 27017, 27018.' These are AWS host certifications, not DeepL's own.

    source: deepl.safebase.us
    ISO 27018 (PII in public cloud)
    NOT CONFIRMED

    No public evidence that ISO 27018 is held by DeepL SE itself. Referenced only as an AWS-level certification in the infrastructure update documentation on the trust center.

    source: deepl.safebase.us
    ISO 27701 (privacy information management)
    NOT CONFIRMED

    No public evidence of ISO 27701 certification found on any DeepL domain.

    source: deepl.safebase.us
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification found on any DeepL domain. A 'Responsible AI Statement' document is listed in the trust center but no ISO 42001 audit or certificate is claimed.

    source: deepl.safebase.us
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification found on any DeepL domain.

    source: deepl.safebase.us
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS compliance found on any DeepL domain. Payment processing is handled via third-party processors (Stripe, Riskified) which carry their own PCI DSS certifications.

    source: deepl.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found. DeepL SE is a German company headquartered in Cologne and does not appear to have pursued FedRAMP authorization.

    source: deepl.safebase.us

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Default (current): EU-only, proprietary data centers in Iceland and Sweden. From January 2026: hybrid model with AWS regions (EU, US, JP) for business and enterprise customers. Data Residency add-on (paid, sales-assisted enterprise contracts only) locks processing to one chosen region: EU, US, or JP. Free-tier users remain on proprietary EU infrastructure.

    Significant tier difference: Free-tier users' content may be used to train and improve DeepL neural networks and algorithms. Pro and all paid tiers: 'Texts are never stored or used for model training without your consent' (per data security page). DeepL Agent explicitly maintains a 'no-LLM-training policy ensures your data is never used to train or update the underlying models.' Enterprise terms confirm customer training data (glossaries, example docs) is used exclusively for that customer's translations, not for general model improvement. Free-tier AI training opt-out is not publicly documented.

    // Security controls

    Encryption in transit

    TLS 1.2/1.3 for all data transmission

    deepl.safebase.us

    Encryption at rest

    AES-256 device and data encryption; client-side encryption keys managed outside AWS infrastructure available

    deepl.com

    Bring Your Own Key (BYOK)

    Available on Enterprise plan only; customers generate and control their own encryption keys with instant revocation capability

    deepl.com

    SSO

    OIDC and SAML supported; available on Pro and Enterprise plans

    deepl.com

    MFA

    Multi-factor authentication available on all plans for non-SSO users

    deepl.com

    Audit logging

    3-month activity history across all plans; tracks login attempts, account changes, and unauthorized access

    deepl.com

    Network access restrictions

    Available on Pro Ultimate and Enterprise plans; restricts how and where DeepL is accessed

    deepl.com

    Penetration testing

    Both internal and external experts continually assess systems

    deepl.com

    Vulnerability disclosure policy

    Published on trust center

    deepl.safebase.us

    Cyber insurance

    Cyber insurance certificate publicly listed in trust center

    deepl.safebase.us

    Data center infrastructure

    Proprietary data centers in Iceland and Sweden (research, model training, free tier); AWS (EU, US, JP) for business and enterprise from January 2026

    deepl.safebase.us

    // Products & data scope

    DeepL Translator (Free)AI Translation

    data: Text and file translation input; content may be stored and used for model training improvement without explicit opt-out

    500-character limit per translation in free browser use. Free-tier data training is the key risk flag for enterprise buyers.

    DeepL ProAI Translation (paid subscription)

    data: Text, files, documents; NOT stored long-term and NOT used for model training. DPA available on request.

    Tiers: Pro Starter, Pro Advanced, Pro Ultimate. Advanced and Ultimate add network restrictions, domain capture. All Pro tiers get no-training guarantee.

    DeepL APITranslation API

    data: Programmatic text and document translation; same no-training guarantee as Pro tiers; transient processing only

    Pay-as-you-go and subscription pricing. Data residency add-on not available for API-only accounts; only for sales-assisted contracts.

    DeepL VoiceAI Voice Translation / Real-time Speech

    data: Real-time speech and audio translation; covered under same trust center security posture

    Listed in trust center as a distinct product with its own security section. Supports meetings (Zoom, Teams) and conversations.

    DeepL WriteAI Writing Assistant

    data: Text input for grammar, tone, and style improvement; same data handling policy as Pro

    Included in Pro subscription plans.

    DeepL AgentAgentic AI Assistant

    data: Task automation, web browsing, document management, code execution in sandboxed environment; all data within EU AWS regions

    Holds its own ISO 27001:2022 certification. Explicit no-LLM-training policy. Task isolation architecture prevents cross-customer data contamination. Ephemeral data processing with no retention.

    // What to watch

    • FREE TIER TRAINS ON DATA: Free-tier users' content can be used to train and improve DeepL's neural networks. This is a hard blocker for enterprise use-cases involving confidential data on the free tier. Paid tiers (Pro and above) are explicitly exempt.
    • INFRASTRUCTURE TRANSITION IN PROGRESS: As of January 2026, data for business/enterprise customers shifts from EU-only proprietary data centers to AWS (EU/US/JP by default). The existing privacy policy at /en/privacy still states 'exclusively within the EEA' and may not yet reflect the AWS transition. Buyers should request updated DPA language.
    • DATA RESIDENCY IS A PAID ADD-ON: Staying in a specific region (EU, US, or JP) requires purchasing a Data Residency add-on, available only to sales-assisted enterprise customers on yearly plans. API-only and self-service customers cannot guarantee regional data processing after the January 2026 transition.
    • ISO 27017/27018 BELONG TO AWS, NOT DEEPL: The trust center references ISO 27017/27018 only as AWS infrastructure certifications that DeepL inherits via its cloud provider relationship. DeepL SE does not hold its own ISO 27017 or 27018 certificates.
    • HIPAA: NO BAA DETAILS PUBLICLY CONFIRMED: DeepL claims HIPAA compliance (May 2025) but Business Associate Agreement (BAA) availability is not publicly documented. Healthcare buyers must request BAA terms directly from DeepL.
    • BYOK IS ENTERPRISE-ONLY: Bring Your Own Key encryption is limited to the top Enterprise plan tier; lower Pro tiers use DeepL-managed encryption keys.
    • NO ISO 42001 OR CSA STAR: No AI-specific management system certification (ISO 42001) or CSA STAR registration found. DeepL does publish a Responsible AI Statement on the trust center.
    • CERTIPEDIA SHOWS ISO/IEC 27001:2013 SCOPE: TUV Rheinland Certipedia (cert 9000024755) shows 2013 version of the standard while the trust center claims 2022. SOA Version 32 is dated 25/09/2025. Buyers should request the current certificate directly from the trust center to confirm the active standard version.
    • SOC 3 / ISO 27017 / ISO 27018 NOT LISTED AS DEEPL-HELD CERTS: An automated trust-center scan surfaced SOC 3, ISO 27017, and ISO 27018, but the DeepL Trust Center compliance row lists only C5, GDPR, HIPAA, ISO/IEC 27001:2022, and SOC 2 Type 2. ISO 27017/27018 are AWS infrastructure certifications DeepL inherits via its cloud provider, not DeepL's own. No on-domain verbatim evidence of a DeepL-held SOC 3 report was found, so it is not listed as held.

    // At a glance

    Pricing model

    Freemium: Free tier (limited), Pro subscriptions (monthly/annual), API (pay-as-you-go or subscription), Enterprise (custom, sales-assisted)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on DeepL SE's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    deepl.safebase.us

    > Browse all vendor trust reports