// Trust & Security Report
NAVER Corp.
Papago: AI-powered neural machine translation suite covering text, voice, image, document, and website translation in 17+ languages. Sub-products: Papago (consumer web/app, papago.naver.com), Papago Plus (enterprise SaaS, papago-plus.com), Papago Translation API (developer API via NAVER Cloud Platform).
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on policy.naver.com“국제 정보보호 인증인 ISO/IEC 27001...를 통해 외부 기관으로부터 정기적으로 네이버 정보보호 활동에 대해 검증을 받고 있습니다. (We receive regular verification of NAVER information security activities from external organizations through the international information security certification ISO/IEC 27001...)”
Verify on policy.naver.com“미국 공인회계사협회의 감사 기준에 따라 내부 서비스 통제 수준을 검증받고, 그 결과를 SOC 리포트로 발간하고 있습니다. (We receive verification of our internal service control levels according to the American Institute of Certified Public Accountants audit standards and publish the results as SOC reports.)”
Verify on policy.naver.com“국내 정보보호 인증인 ISMS-P·ISMS를 통해 외부 기관으로부터 정기적으로 네이버 정보보호 활동에 대해 검증을 받고 있습니다. (Through the domestic information security certifications ISMS-P and ISMS, NAVER regularly receives verification of its information security activities from external organizations.) On-domain claim made by NAVER Corp. itself.”
Verify on ncloud.com“NAVER Cloud provides GDPR-compatible DPA including EU Model Clauses. Papago Translation (API) listed under AI Services category on the GDPR compliance page. Consumer Papago (papago.naver.com) does not publish a standalone consumer DPA; EU data subject rights are referenced only in the general NAVER privacy policy.”
> Show 12 unconfirmed / not-held certifications
source: privacy.navercloudcorp.comNo evidence that NAVER Corp. or the Papago product holds SOC 1 in its own name. SOC 1 is held by NAVER Cloud Corp. (a separate subsidiary that hosts the Papago Translation API), scoped to 'NAVER Cloud Platform, DataCenter GAK Operation, IT Infra Operation Service.' Papago is not named on the NAVER Cloud certificate page. NAVER Corp.'s own privacy policy references generic 'SOC reports' without specifying SOC 1.
source: privacy.navercloudcorp.comNo evidence that NAVER Corp. or the Papago product holds SOC 3 in its own name. SOC 3 is held by NAVER Cloud Corp. (subsidiary / infrastructure host), scoped to 'NAVER Cloud Platform, DataCenter GAK Operation, IT Infra Operation Service.' Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary / infrastructure host), not by NAVER Corp. or the Papago product. Scope on the NAVER Cloud certificate page: 'NAVER Cloud Platform, NAVER WORKS, MYBOX(paid), CLOVA CareCall, IT platform services and operation of the DataCenters.' Papago is not named on this certificate page. The Papago Translation API runs on NAVER Cloud Platform and so sits on certified infrastructure, but the Papago application itself is not in the certificate's named scope.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary / infrastructure host), not by NAVER Corp. or Papago. Scope: 'NAVER Cloud Platform, NAVER WORKS, MYBOX(paid), CLOVA CareCall, IT platform services and operation of the DataCenters.' Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary / infrastructure host), listed alongside 27001/27017/27018/27799/22301 for NAVER Cloud Platform scope. Not held by NAVER Corp. or Papago in its own name; Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary / infrastructure host) for NAVER Cloud Platform and IT platform services scope. Not attributable to NAVER Corp. or Papago in its own name; Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary / infrastructure host). Scope: 'NAVER Cloud Platform, NAVER WORKS, MYBOX(paid), CLOVA CareCall, IT platform services.' Not held by NAVER Corp. or Papago in its own name; Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary) for 'NAVER Cloud Inc., an IT inter-platform operation service.' Not held by NAVER Corp. or Papago, and not relevant to a translation product that does not process cardholder data. Papago is not named on the certificate page.
source: privacy.navercloudcorp.comHeld by NAVER Cloud Corp. (subsidiary). Scope: 'NAVER CLOUD PLATFORM and NAVER WORKS.' Not held by NAVER Corp. or Papago in its own name; Papago is not named on the certificate page.
source: papago-plus.comNo public evidence of HIPAA compliance, attestation, or BAA offering for any Papago product tier. Not a healthcare-positioned product.
source: privacy.navercloudcorp.comNo public evidence of FedRAMP authorization for any Papago product.
source: policy.naver.comNo public evidence of ISO/IEC 42001 certification for NAVER Corp. or Papago.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
South Korea (primary, Seongnam-si, Gyeonggi Province). NAVER operates its own datacenters globally. Cross-border transfers governed by EU Model Clauses for EEA users using the API product.
Three-tier distinction: (1) Consumer Papago (papago.naver.com): NAVER Corp.'s privacy policy explicitly states 'Personal information is also used for AI technology development' applied across NAVER Services, with no carve-out exempting Papago translation content. Treat consumer-tier training as plausible/ambiguous, not confirmed-off. (2) Papago Plus (papago-plus.com): verified on-domain text states 'Papago Plus does not save translation content' and 'does not store translation data on its servers and immediately destroys it unless customers have requested that their data be saved.' (3) Papago Translation API (NAVER Cloud docs): verified on-domain text states 'Papago Translation은 원문 데이터를 저장하거나 학습 데이터로 활용하지 않습니다' (Papago Translation does not store original data or use it as training data). Net: Plus and API explicitly do not train on customer data; the free consumer tier is the privacy-relevant outlier where AI-development use of personal information is explicitly claimed and the opt-out's default behavior is not publicly clear.
// Security controls
Encryption in transit
HTTPS (TLS) in transit confirmed. NAVER Corp. privacy policy states 'encrypted communication' is used for safe transmission of personal information over networks.
policy.naver.comEncryption at rest
NAVER Corp. privacy policy states passwords, unique identifiers, account and card numbers, email addresses, and mobile numbers are encrypted at rest. NAVER Cloud offers KMS for key management.
policy.naver.comAccess controls
Access rights to personal information processing systems are granted, changed, and revoked per formal policy. Network firewall and intrusion detection systems are in place. Staff accessing personal data are minimized.
policy.naver.comPhysical security
Systems installed in restricted access zones. Entry and exit control procedures established and operated.
policy.naver.comAudit logging
Access logs for personal data processing systems are retained and managed. Periodic reviews for misuse, loss, falsification, and alteration prevention.
policy.naver.comIncident response
Crisis response guidelines including detailed action plans for disaster and emergency situations. Dedicated data protection team (Data Protection & Privacy), CPO/DPO appointed (Lee Jin-gyu).
policy.naver.comNetwork separation
Internal and external networks are separated for employee PCs that can download personal information, reducing data exfiltration risk.
policy.naver.comAnti-virus and backup
Latest antivirus programs in use; regular data backups performed.
policy.naver.com// Products & data scope
data: Text, image, voice, document, and website translation content; IP address, device info, cookies, access logs, usage records. For logged-in users: account data.
Free tier with 17+ language pairs. NAVER Corp.'s privacy policy explicitly states personal information is used for AI technology development across NAVER Services; a 'Consent to improving quality' setting exists in the footer/settings but its default state is not publicly documented, so consumer-tier AI-training use cannot be confirmed as off-by-default. No DPA for consumers. Data processed by NAVER Corp. in South Korea.
data: Translation content NOT saved by default; immediately destroyed unless customer explicitly requests storage. Saved content is encrypted.
Paid enterprise product. Claims compliance with Personal Information Protection Act and international standards. No explicit list of certifications on the product page. Operated by NAVER Corp.; ISO/IEC 27001, ISMS-P, and SOC reporting are claimed at the NAVER Corp. level. Translation content not saved by default and not used for AI training (verified on-domain).
data: API inputs (text) processed in real time; not stored or used for model training per documentation.
Covered under NAVER Cloud Corp. certifications (ISO 27001, SOC 2, ISMS-P). GDPR DPA available. Scope explicitly listed on NAVER Cloud GDPR page as an AI Service.
// What to watch
- NAVER Corp. vs NAVER Cloud Corp. cert attribution: Only ISO/IEC 27001, ISMS-P/ISMS, and generic AICPA 'SOC reports' are claimed by NAVER Corp. on its own domain (policy.naver.com, Section 12) and are graded held=true on that basis. The broader stack (ISO/IEC 27017/27018/27701/22301, SOC 1, SOC 3, CSA STAR, PCI DSS, CBPR) appears ONLY on the NAVER Cloud Corp. compliance page (a separate subsidiary that also hosts the Papago Translation API), scoped to 'NAVER Cloud Platform / IT platform services,' and Papago is not named on that certificate page. Those host/subsidiary certs were down-graded to held=false to avoid crediting the Papago product with its cloud host's certifications. The Papago Translation API does run on certified NAVER Cloud infrastructure, but that is infrastructure-level coverage, not a Papago-scoped certificate.
- AI training tier inconsistency: Papago Plus and the Translation API explicitly do NOT store or train on customer data (verified on-domain). The free consumer tier (papago.naver.com) is the outlier: NAVER Corp.'s privacy policy explicitly states personal information is used for AI technology development across NAVER Services, and a 'Consent to improving quality' setting exists but its default state is not publicly documented, so the consumer tier should be treated as plausibly training on user content rather than confirmed-private. AIFOXX should flag this cross-tier difference for visitors.
- SOC 2 report not publicly available: NAVER Cloud's SOC 1 and SOC 2 reports are restricted to a limited audience and not disclosed publicly, so independent verification is not possible for third parties.
- No GDPR DPA for consumer Papago users (papago.naver.com): GDPR-compatible DPA with EU Model Clauses is offered only for NAVER Cloud enterprise/API customers. EEA consumers relying on papago.naver.com have no public DPA to reference.
- No HIPAA coverage: No BAA, attestation, or HIPAA readiness documentation found. Papago should not be used for protected health information.
- No dedicated public trust center: No single URL consolidates Papago's security posture, certifications, and compliance docs for prospective customers.
// At a glance
Pricing model
Freemium (consumer Papago free; Papago Plus subscription; Papago API pay-per-character via NAVER Cloud)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on NAVER Corp.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
policy.naver.com