// Trust & Security Report

    Phrase a.s. (formerly Memsource a.s.) and Phrase GmbH (formerly PhraseApp GmbH) logo

    Phrase a.s. (formerly Memsource a.s.) and Phrase GmbH (formerly PhraseApp GmbH)

    Phrase Localization Platform: enterprise translation/localization management (Phrase Platform / TMS), a translator workbench (Phrase Studio, on GCP), developer-focused in-context string management (Phrase Strings), and AI machine-translation engines (NextMT, Next GenMT, Custom NextMT) plus an AI quality-estimation feature (QPS).

    Certifications held

    5

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Phrase is SOC 2 Type I certified, with Type II certification expected in 2026.

    Verify on phrase.com
    ISO 27001:2022
    HELD

    Phrase a.s. has been certified for ISO 27001 which proves that the information security management system (ISMS) which we have introduced conforms to the ISO standard.

    Verify on phrase.com
    GDPR (compliance posture)
    HELD

    Privacy Notice describes Phrase acting as data controller and processor, use of Standard Contractual Clauses (SCCs) approved by the European Commission for international transfers, and data subject rights aligned to GDPR; trust center lists GDPR under Compliance.

    Verify on phrase.com
    HIPAA
    HELD

    We engaged an independent and recognized third-party auditor, CyberGRX, who verified our compliance with HIPAA through a comprehensive assessment of our privacy and security processes.

    Verify on phrase.com
    TISAX
    HELD

    Trust center Compliance list includes 'TISAX' and Resources include 'TISAX Assessment.pdf'.

    Verify on trust.phrase.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    Type II certification expected in 2026 (not yet issued at time of review).

    source: phrase.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification; trust center lists 'EU AI ACT' as a compliance topic (a regulation, not a certification) but no AI management-system certificate is referenced.

    source: trust.phrase.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found.

    PCI DSS
    NOT CONFIRMED

    Phrase itself is not PCI DSS certified; the security page states payment processing is handled by 'a third-party payment provider that is PCI DSS compliant.' Phrase markets alignment with PCI DSS 'Principles and Security Statements' on its homepage but holds no PCI DSS certification of its own.

    source: phrase.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found.

    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    Not listed on trust center or security page; only ISO 27001:2022 is referenced.

    source: trust.phrase.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Phrase Platform is hosted on Amazon Web Services (AWS); Phrase Studio is hosted on Google Cloud Platform (GCP). No explicit customer-selectable data-residency region (e.g. EU-only) was found in public documentation; not verified.

    Varies by feature. QPS (quality estimation): 'We use Customer Content to train and periodically retrain the AI... Customer Content that is used to train QPS is also not retained; we implement a regular deletion of training data.' Phrase NextMT and Next GenMT: 'We do not use any Customer Content, content or translations in the training or retraining of this AI model.' Custom NextMT (opt-in custom engine): 'Customer Content is used in the training and periodic retraining of the AI feature.' No explicit opt-out mechanism is described for QPS training.

    // Security controls

    Encryption in transit

    TLS 1.2

    phrase.com

    Encryption at rest

    Linux LUKS (aes-xts-plain64:sha256) or AWS encryption (AES256)

    phrase.com

    Penetration testing

    Annual third-party penetration tests conducted in accordance with the OWASP ASVS standard; '2025 Pentest' report listed in trust center.

    trust.phrase.com

    Hosting infrastructure

    Phrase Platform on AWS; Phrase Studio on Google Cloud Platform data centers.

    phrase.com

    Multi-factor authentication

    Listed as a Product security control in the trust center.

    trust.phrase.com

    Subprocessor disclosure

    Public subprocessor list maintained and linked from the privacy policy.

    phrase.com

    // Products & data scope

    Phrase Platform (TMS)Enterprise localization / translation management

    data: Source content, translation memories, terminology, style guides stored on AWS.

    Core enterprise product; used by Uber, Zendesk, Volkswagen per vendor homepage.

    Phrase StudioTranslator workbench

    data: Translation content and project data, hosted on GCP.

    Separate hosting provider (GCP) from the main platform (AWS).

    Phrase StringsDeveloper string/localization management

    data: Software UI strings, CI/CD integration data.

    Has its own self-serve signup flow distinct from the enterprise demo-request flow.

    NextMT / Next GenMT (machine translation)AI translation engine

    data: Source text submitted for translation.

    Vendor states customer content is not used to train or retrain these base MT models.

    Custom NextMTAI translation engine (customer-trained)

    data: Customer-provided translation data, opted in for custom model training.

    Customer content IS used to train/retrain this specific opt-in engine.

    QPS (Quality Performance Score)AI quality estimation

    data: Customer content used transiently to train/retrain scoring model.

    Vendor states training data is regularly deleted and not retained; output is a 0-100 score, not retrievable customer content.

    // What to watch

    • SOC 2 is Type I only; Type II is not yet issued (vendor states expected 2026) — do not display as a blanket 'SOC 2' badge without the Type I qualifier.
    • HIPAA 'compliance' is based on a third-party assessment by CyberGRX, not a government-issued or industry-standard HIPAA certification (none exists for SaaS vendors) — list as 'HIPAA compliance assessed by third party' rather than a formal certification.
    • AI training posture is feature-specific and easy to overclaim: QPS and Custom NextMT do use Customer Content for training (QPS not retained; Custom NextMT retained/retrained), while NextMT and Next GenMT do not. A blanket 'does not train on your data' claim would be inaccurate.
    • Primary certificate/report documents (ISO 27001 certificate, SOC 2 report, pentest report) are gated behind an NDA request in the trust center; grading relies on the trust center's own document titles plus corroborating statements on phrase.com/security, not on viewing the raw certificates.
    • Trust center groups 'EU AI ACT' under the same 'Compliance' heading as GDPR/SOC2/ISO, which could read as an implied certification; EU AI Act is a regulation, not a certifiable standard, and no ISO/IEC 42001 AI-management certification was found.

    // At a glance

    Pricing model

    Primarily enterprise quote/demo-request for the core Platform; Phrase Strings offers self-serve signup/trial.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Phrase a.s. (formerly Memsource a.s.) and Phrase GmbH (formerly PhraseApp GmbH)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-05. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.phrase.com

    > Browse all vendor trust reports