// Trust & Security Report
Phrase a.s. (formerly Memsource a.s.) and Phrase GmbH (formerly PhraseApp GmbH)
Phrase Localization Platform: enterprise translation/localization management (Phrase Platform / TMS), a translator workbench (Phrase Studio, on GCP), developer-focused in-context string management (Phrase Strings), and AI machine-translation engines (NextMT, Next GenMT, Custom NextMT) plus an AI quality-estimation feature (QPS).
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on phrase.com“Phrase is SOC 2 Type I certified, with Type II certification expected in 2026.”
Verify on phrase.com“Phrase a.s. has been certified for ISO 27001 which proves that the information security management system (ISMS) which we have introduced conforms to the ISO standard.”
Verify on phrase.com“Privacy Notice describes Phrase acting as data controller and processor, use of Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers, and data subject rights aligned to GDPR; trust center lists GDPR under Compliance.”
Verify on phrase.com“We engaged an independent and recognized third-party auditor, CyberGRX, who verified our compliance with HIPAA through a comprehensive assessment of our privacy and security processes.”
Verify on trust.phrase.com“Trust center Compliance list includes 'TISAX' and Resources include 'TISAX Assessment.pdf'.”
> Show 6 unconfirmed / not-held certifications
source: phrase.comType II certification expected in 2026 (not yet issued at time of review).
source: trust.phrase.comNo public evidence of ISO/IEC 42001 certification; trust center lists 'EU AI ACT' as a compliance topic (a regulation, not a certification) but no AI management-system certificate is referenced.
No public evidence found.
source: phrase.comPhrase itself is not PCI DSS certified; the security page states payment processing is handled by 'a third-party payment provider that is PCI DSS compliant.' Phrase markets alignment with PCI DSS 'Principles and Security Statements' on its homepage but holds no PCI DSS certification of its own.
No public evidence found.
source: trust.phrase.comNot listed on trust center or security page; only ISO 27001:2022 is referenced.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Phrase Platform is hosted on Amazon Web Services (AWS); Phrase Studio is hosted on Google Cloud Platform (GCP). No explicit customer-selectable data-residency region (e.g. EU-only) was found in public documentation; not verified.
Varies by feature. QPS (quality estimation): 'We use Customer Content to train and periodically retrain the AI... Customer Content that is used to train QPS is also not retained; we implement a regular deletion of training data.' Phrase NextMT and Next GenMT: 'We do not use any Customer Content, content or translations in the training or retraining of this AI model.' Custom NextMT (opt-in custom engine): 'Customer Content is used in the training and periodic retraining of the AI feature.' No explicit opt-out mechanism is described for QPS training.
// Security controls
Penetration testing
Annual third-party penetration tests conducted in accordance with the OWASP ASVS standard; '2025 Pentest' report listed in trust center.
trust.phrase.comHosting infrastructure
Phrase Platform on AWS; Phrase Studio on Google Cloud Platform data centers.
phrase.comMulti-factor authentication
Listed as a Product security control in the trust center.
trust.phrase.comSubprocessor disclosure
Public subprocessor list maintained and linked from the privacy policy.
phrase.com// Products & data scope
data: Source content, translation memories, terminology, style guides stored on AWS.
Core enterprise product; used by Uber, Zendesk, Volkswagen per vendor homepage.
data: Translation content and project data, hosted on GCP.
Separate hosting provider (GCP) from the main platform (AWS).
data: Software UI strings, CI/CD integration data.
Has its own self-serve signup flow distinct from the enterprise demo-request flow.
data: Source text submitted for translation.
Vendor states customer content is not used to train or retrain these base MT models.
data: Customer-provided translation data, opted in for custom model training.
Customer content IS used to train/retrain this specific opt-in engine.
data: Customer content used transiently to train/retrain scoring model.
Vendor states training data is regularly deleted and not retained; output is a 0-100 score, not retrievable customer content.
// What to watch
- SOC 2 is Type I only; Type II is not yet issued (vendor states expected 2026) — do not display as a blanket 'SOC 2' badge without the Type I qualifier.
- HIPAA 'compliance' is based on a third-party assessment by CyberGRX, not a government-issued or industry-standard HIPAA certification (none exists for SaaS vendors) — list as 'HIPAA compliance assessed by third party' rather than a formal certification.
- AI training posture is feature-specific and easy to overclaim: QPS and Custom NextMT do use Customer Content for training (QPS not retained; Custom NextMT retained/retrained), while NextMT and Next GenMT do not. A blanket 'does not train on your data' claim would be inaccurate.
- Primary certificate/report documents (ISO 27001 certificate, SOC 2 report, pentest report) are gated behind an NDA request in the trust center; grading relies on the trust center's own document titles plus corroborating statements on phrase.com/security, not on viewing the raw certificates.
- Trust center groups 'EU AI ACT' under the same 'Compliance' heading as GDPR/SOC2/ISO, which could read as an implied certification; EU AI Act is a regulation, not a certifiable standard, and no ISO/IEC 42001 AI-management certification was found.
// At a glance
Pricing model
Primarily enterprise quote/demo-request for the core Platform; Phrase Strings offers self-serve signup/trial.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Phrase a.s. (formerly Memsource a.s.) and Phrase GmbH (formerly PhraseApp GmbH)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.phrase.com