// Trust & Security Report

    LILT, Inc. logo

    LILT, Inc.

    Enterprise AI translation and localization platform. Sub-products: Translate (AI-assisted translation), Verify (quality verification), Connect (100+ integrations via MCP and API), Create (multilingual content generation), Evaluate (AI model benchmarking and audit). Serves enterprises, public sector (including U.S. DoD), and AI/ML builders.

    Certifications held

    8

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    LILT SOC 2 Type 2 + HIPAA Report (trust center document title); home page: 'SOC 2® Type II, ISO 9001, and ISO 17100 certified'; responsible-deployment page: 'SOC 2 Type II certification'. Annual audit conducted by A-LIGN (licensed CPA firm); report available to customers under NDA.

    Verify on trust.lilt.com
    SOC 3
    HELD

    Announcement: 'LILT Successfully Completes SOC 2 & SOC 3 Audit' (January 17, 2024, auditor: A-LIGN). SOC 3 is the public summary of the SOC 2 examination.

    Verify on labs.lilt.com
    HIPAA
    HELD

    Trust center lists document 'LILT SOC 2 Type 2 + HIPAA Report'. Security page lists 'HIPAA - Compliant'. Responsible-deployment page: 'HIPAA-aligned workflows'.

    Verify on trust.lilt.com
    ISO 9001
    HELD

    Home page: 'SOC 2® Type II, ISO 9001, and ISO 17100 certified.' Security-compliance page: 'certified by ATC Certification'. Trust center document: 'ATCC ISO 9001'.

    Verify on lilt.com
    ISO 17100 (Translation Services)
    HELD

    Home page explicitly lists ISO 17100. Trust center document 'ATCC ISO 17100' listed. Certified by ATC Certification. Note: this is a translation quality standard, not an information security certification.

    Verify on trust.lilt.com
    ISO 18587 (Machine Translation Post-Editing)
    HELD

    Trust center document 'ATCC ISO 18587'. Note: this is a translation quality standard covering machine translation post-editing processes, not an information security certification.

    Verify on trust.lilt.com
    Cyber Essentials (UK)
    HELD

    Trust center lists 'Cyber Essentials' with request-access document. Security-compliance page states it demonstrates 'user controls and train LILT employees to protect against common user-based cyber attacks'.

    Verify on lilt.com
    GDPR (compliance posture)
    HELD

    DPA publicly available at lilt.com/legal/dpa. DPA implements EU Standard Contractual Clauses (Module Two) for controller-processor relationships. Irish Data Protection Commission designated as supervisory authority. Security-compliance page: 'GDPR - Compliant'.

    Verify on lilt.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    LILT does not hold ISO 27001. The lilt.com/security-compliance page explicitly lists ISO 27001 under 'GCP Security Standards (LILT's Infrastructure Provider)' -- this is Google Cloud Platform's cert, not LILT's own. No vendor-domain source shows LILT holding its own ISO 27001 certificate.

    source: lilt.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on any LILT-domain page, despite the home page citing the U.S. Department of Defense as a customer. LILT offers on-premise and air-gapped deployments for government clients but no FedRAMP marketplace listing was found.

    source: lilt.com
    FDA CFR Part 11
    NOT CONFIRMED

    Listed as 'Certified' on lilt.com/products/security, but this certification does not appear in the trust center certifications list (which shows SOC 2 Type II + HIPAA, ISO 9001, ISO 17100, ISO 18587, Cyber Essentials). No certifying body or audit date is cited. Likely describes workflow support for FDA-regulated clients rather than a formal certification. Graded held=false until a trust center document or accreditation source is provided.

    source: lilt.com
    PCI DSS
    NOT CONFIRMED

    PCI DSS v3.0 is listed under 'GCP Security Standards (LILT's Infrastructure Provider)' on lilt.com/security-compliance. LILT does not itself hold a PCI DSS certification.

    source: lilt.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found on any LILT-domain page.

    source: lilt.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (Google Cloud Platform); EU and UK data transferred via Standard Contractual Clauses (Module Two) with UK Addendum

    LILT's core differentiator is that its contextual AI continuously retrains on customer translation data (uploaded TM/TMX files and human-verified translations) to build customer-specific model adapters (140M parameter adapters plugged into a 1.2B parameter shared background model). MSA Section 6.7 grants LILT a 'royalty-free, worldwide, perpetual, irrevocable, fully transferable and sublicensable right and license to use, disclose, reproduce, modify, create derivative works from, distribute, and display any Customer Materials integrated into the Machine Learning.' No opt-out mechanism exists in the MSA or DPA. The DPA separately states that processing is limited to 'performance of the Services pursuant to the Agreement,' which is potentially contradictory with the MSA's broad ML training grant and requires legal review. Customer data is used for customer-specific adapters and is not stored in the shared background model weights, per support documentation.

    // Security controls

    Encryption in transit

    TLS 1.2

    lilt.com

    Encryption at rest

    AES-256

    lilt.com

    Multi-factor authentication

    Two-factor authentication required for admin accounts

    lilt.com

    Single sign-on

    SSO integration supported

    trust.lilt.com

    Role-based access control

    Least-privilege RBAC with periodic access reviews

    trust.lilt.com

    Penetration testing

    Annual third-party penetration testing

    lilt.com

    Audit logging

    Immutable audit logging across infrastructure levels

    lilt.com

    Data backups

    Daily automated snapshots stored geographically separate from production

    lilt.com

    Security incident notification

    72-hour notification window

    lilt.com

    Deployment options

    Public cloud (GCP), private cloud, on-premise, and air-gapped environments

    lilt.com

    Vulnerability disclosure

    security@lilt.com and vulnerability report link in trust center

    trust.lilt.com

    // Products & data scope

    LILT TranslateAI-assisted translation

    data: Source and translated text, translation memories (TMX), customer content submitted for translation

    Core product. Contextual AI retrains on customer translation data continuously. Customer-specific model adapters are built from this data. Used by enterprises, DoD, and regulated industries.

    LILT VerifyTranslation quality assurance

    data: Translated content submitted for review and verification by human linguists

    Expert human verification layer for high-consequence multilingual content.

    LILT ConnectIntegration platform

    data: Content flowing through 100+ connectors; depends on integrated business systems

    Connects to enterprise systems via MCP and API. Data scope extends to whatever systems are integrated.

    LILT CreateMultilingual content generation

    data: Brand assets, campaigns, and content in source language used to generate multilingual output

    Supports brand-consistent multilingual creation at scale.

    LILT EvaluateAI model evaluation and benchmarking

    data: AI model outputs and benchmark datasets

    Closed-benchmark evaluation and oracle judgements for AI/ML developers. Also marketed to the broader AI/ML builder segment.

    // What to watch

    • AI TRAINING - NO OPT-OUT: MSA Section 6.7 grants LILT a 'royalty-free, worldwide, perpetual, irrevocable, fully transferable and sublicensable' license to use customer content for machine learning. No opt-out is available in the MSA or DPA. Enterprise customers submitting sensitive, confidential, or regulated content should negotiate bespoke data isolation or deletion rights before signing.
    • ISO 27001 HOST-VS-VENDOR RISK: ISO 27001 is held by LILT's infrastructure provider (Google Cloud Platform), not by LILT itself. lilt.com/security-compliance distinguishes these under 'GCP Security Standards (LILT's Infrastructure Provider).' Some marketing copy may imply LILT holds ISO 27001, which is a host-cert conflation. AIFOXX should not list LILT as ISO 27001 certified.
    • FDA CFR PART 11 OVER-CLAIM: lilt.com/products/security lists FDA CFR Part 11 as 'Certified' but this certification is absent from the trust center certifications list. No certifying body or audit date is provided. This is likely marketing framing for FDA-regulated workflow support rather than a formal accreditation. Graded held=false.
    • DPA vs MSA TRAINING RIGHTS CONFLICT: The DPA limits processing to 'performance of the Services pursuant to the Agreement' suggesting no independent training rights, while MSA Section 6.7 grants broad perpetual ML training rights. These provisions appear contradictory and could create ambiguity about the legal basis for AI training. Legal review recommended for enterprise buyers.

    // At a glance

    Pricing model

    Enterprise subscription; contact sales for pricing. No self-serve pricing page. Custom contracts for public sector.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on LILT, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.lilt.com

    > Browse all vendor trust reports