// Trust & Security Report
DeepL SE
AI-powered language translation, writing assistance, voice, and document processing platform
Certifications held
5
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on deepl.com“DeepL has passed its independent SOC 2 Type II audit of its Pro service, conducted by a Certified Public Accountant (CPA). The Type II report proves that the predefined policies and procedures have been successfully followed for a reporting period of 12 months.”
Verify on deepl.safebase.us“ISO/IEC 27001:2022 is listed as an active compliance item in the DeepL Trust Center. The trust center compliance row reads: 'Compliance C5 GDPR HIPAA ISO/IEC 27001:2022 SOC 2 Type 2'.”
Verify on deepl.safebase.us“DeepL remains fully GDPR compliant. Our relationship with AWS is governed by a data processing agreement that ensures adherence to GDPR requirements, including the mandatory terms between Controllers and Processors under Article 28 of the GDPR.”
Verify on deepl.com“DeepL's Language AI platform is now fully HIPAA-compliant, supporting secure PHI workflows for healthcare, pharmaceutical, and life sciences teams.”
Verify on deepl.com“All of the new security certifications and accreditations that DeepL receives are in addition to the standards we hold such as ISO 27001, SOC 2 Type 2 and GDPR. Earning [C5 Type 2] involves meeting 114 separate information security criteria... It audits the effectiveness of these measures over a minimum six-month period.”
> Show 7 unconfirmed / not-held certifications
source: deepl.safebase.usNo public evidence that ISO 27017 is held by DeepL SE itself. The trust center references ISO 27017/27018 only in the context of AWS infrastructure certifications: 'By incorporating AWS, DeepL benefits from additional security certifications and compliance frameworks, including ISO 27001, 27017, 27018.' These are AWS host certifications, not DeepL's own.
source: deepl.safebase.usNo public evidence that ISO 27018 is held by DeepL SE itself. Referenced only as an AWS-level certification in the infrastructure update documentation on the trust center.
source: deepl.safebase.usNo public evidence of ISO 27701 certification found on any DeepL domain.
source: deepl.safebase.usNo public evidence of ISO 42001 certification found on any DeepL domain. A 'Responsible AI Statement' document is listed in the trust center but no ISO 42001 audit or certificate is claimed.
source: deepl.safebase.usNo public evidence of CSA STAR registration or certification found on any DeepL domain.
source: deepl.comNo public evidence of PCI DSS compliance found on any DeepL domain. Payment processing is handled via third-party processors (Stripe, Riskified) which carry their own PCI DSS certifications.
source: deepl.safebase.usNo public evidence of FedRAMP authorization found. DeepL SE is a German company headquartered in Cologne and does not appear to have pursued FedRAMP authorization.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Default (current): EU-only, proprietary data centers in Iceland and Sweden. From January 2026: hybrid model with AWS regions (EU, US, JP) for business and enterprise customers. Data Residency add-on (paid, sales-assisted enterprise contracts only) locks processing to one chosen region: EU, US, or JP. Free-tier users remain on proprietary EU infrastructure.
Significant tier difference: Free-tier users' content may be used to train and improve DeepL neural networks and algorithms. Pro and all paid tiers: 'Texts are never stored or used for model training without your consent' (per data security page). DeepL Agent explicitly maintains a 'no-LLM-training policy ensures your data is never used to train or update the underlying models.' Enterprise terms confirm customer training data (glossaries, example docs) is used exclusively for that customer's translations, not for general model improvement. Free-tier AI training opt-out is not publicly documented.
// Security controls
Encryption at rest
AES-256 device and data encryption; client-side encryption keys managed outside AWS infrastructure available
deepl.comBring Your Own Key (BYOK)
Available on Enterprise plan only; customers generate and control their own encryption keys with instant revocation capability
deepl.comAudit logging
3-month activity history across all plans; tracks login attempts, account changes, and unauthorized access
deepl.comNetwork access restrictions
Available on Pro Ultimate and Enterprise plans; restricts how and where DeepL is accessed
deepl.comData center infrastructure
Proprietary data centers in Iceland and Sweden (research, model training, free tier); AWS (EU, US, JP) for business and enterprise from January 2026
deepl.safebase.us// Products & data scope
data: Text and file translation input; content may be stored and used for model training improvement without explicit opt-out
500-character limit per translation in free browser use. Free-tier data training is the key risk flag for enterprise buyers.
data: Text, files, documents; NOT stored long-term and NOT used for model training. DPA available on request.
Tiers: Pro Starter, Pro Advanced, Pro Ultimate. Advanced and Ultimate add network restrictions, domain capture. All Pro tiers get no-training guarantee.
data: Programmatic text and document translation; same no-training guarantee as Pro tiers; transient processing only
Pay-as-you-go and subscription pricing. Data residency add-on not available for API-only accounts; only for sales-assisted contracts.
data: Real-time speech and audio translation; covered under same trust center security posture
Listed in trust center as a distinct product with its own security section. Supports meetings (Zoom, Teams) and conversations.
data: Text input for grammar, tone, and style improvement; same data handling policy as Pro
Included in Pro subscription plans.
data: Task automation, web browsing, document management, code execution in sandboxed environment; all data within EU AWS regions
Holds its own ISO 27001:2022 certification. Explicit no-LLM-training policy. Task isolation architecture prevents cross-customer data contamination. Ephemeral data processing with no retention.
// What to watch
- FREE TIER TRAINS ON DATA: Free-tier users' content can be used to train and improve DeepL's neural networks. This is a hard blocker for enterprise use-cases involving confidential data on the free tier. Paid tiers (Pro and above) are explicitly exempt.
- INFRASTRUCTURE TRANSITION IN PROGRESS: As of January 2026, data for business/enterprise customers shifts from EU-only proprietary data centers to AWS (EU/US/JP by default). The existing privacy policy at /en/privacy still states 'exclusively within the EEA' and may not yet reflect the AWS transition. Buyers should request updated DPA language.
- DATA RESIDENCY IS A PAID ADD-ON: Staying in a specific region (EU, US, or JP) requires purchasing a Data Residency add-on, available only to sales-assisted enterprise customers on yearly plans. API-only and self-service customers cannot guarantee regional data processing after the January 2026 transition.
- ISO 27017/27018 BELONG TO AWS, NOT DEEPL: The trust center references ISO 27017/27018 only as AWS infrastructure certifications that DeepL inherits via its cloud provider relationship. DeepL SE does not hold its own ISO 27017 or 27018 certificates.
- HIPAA: NO BAA DETAILS PUBLICLY CONFIRMED: DeepL claims HIPAA compliance (May 2025) but Business Associate Agreement (BAA) availability is not publicly documented. Healthcare buyers must request BAA terms directly from DeepL.
- BYOK IS ENTERPRISE-ONLY: Bring Your Own Key encryption is limited to the top Enterprise plan tier; lower Pro tiers use DeepL-managed encryption keys.
- NO ISO 42001 OR CSA STAR: No AI-specific management system certification (ISO 42001) or CSA STAR registration found. DeepL does publish a Responsible AI Statement on the trust center.
- CERTIPEDIA SHOWS ISO/IEC 27001:2013 SCOPE: TUV Rheinland Certipedia (cert 9000024755) shows 2013 version of the standard while the trust center claims 2022. SOA Version 32 is dated 25/09/2025. Buyers should request the current certificate directly from the trust center to confirm the active standard version.
- SOC 3 / ISO 27017 / ISO 27018 NOT LISTED AS DEEPL-HELD CERTS: An automated trust-center scan surfaced SOC 3, ISO 27017, and ISO 27018, but the DeepL Trust Center compliance row lists only C5, GDPR, HIPAA, ISO/IEC 27001:2022, and SOC 2 Type 2. ISO 27017/27018 are AWS infrastructure certifications DeepL inherits via its cloud provider, not DeepL's own. No on-domain verbatim evidence of a DeepL-held SOC 3 report was found, so it is not listed as held.
// At a glance
Pricing model
Freemium: Free tier (limited), Pro subscriptions (monthly/annual), API (pay-as-you-go or subscription), Enterprise (custom, sales-assisted)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on DeepL SE's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
deepl.safebase.us