// Trust & Security Report
Smartling, Inc.
AI-powered translation and localization platform (Translation Management System, Smartling Draft, Language Services with human linguists, 50+ integrations/connectors)
Certifications held
12
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on smartling.com“Smartling is certified to the following standards, Soc2Type2 of the American Institute of Public Accountants [...] Smartling has continuously maintained compliance with SOC 2 standards since 2013.”
Verify on dk.smartling.com“Certificate Number: ISMS-SM-101425. A-LIGN Compliance and Security, Inc. certifies that the organization [Smartling, Inc.] operates an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2022. [...] Original Certification Date: October 14, 2025; Issuance Date: October 14, 2025; Expiration Date: October 14, 2028. Scope: SaaS-based Translation Management Services environment; In-scope location HQ 244 Fifth Avenue, Suite 1471, New York.”
Verify on smartling.com“ISO/IEC 42001:2023 Certification [listed under ISO certifications]. Including our newest achievement: ISO/IEC 42001:2023, the world's first international standard for Artificial Intelligence Management Systems (AIMS).”
Verify on smartling.com“Certifies an external vendor's controls over privacy and security of certain health information covered by the law. Smartling has maintained HIPAA compliance since 2013.”
Verify on smartling.com“Protecting personal data in the EU, Smartling has met GDPR's strict security and privacy standards since its introduction in 2018.”
Verify on smartling.com“Smartling attained a HITRUST e1 certification for its Translation Management System residing at Amazon Web Services.”
Verify on smartling.com“Certifies presence of best security practices for secure processing and transmission of credit card data. Smartling has continuously maintained PCI Level 1 compliance since 2012.”
Verify on smartling.com“Smartling is committed to complying with the Data Privacy Framework Principles, which includes the EU-US Data Privacy Data Framework Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-US Data Privacy Framework.”
Verify on smartling.com“ISO 17100 Certification [listed under ISO certifications]. Smartling is certified to the following standards [...] ISO17100.”
Verify on smartling.com“ISO 9001:2015 Certification [listed under ISO certifications for translation quality management].”
Verify on smartling.com“ISO 13485 Certification [listed under ISO certifications, covers medical device translation compliance].”
Verify on smartling.com“ISO 18587 Certification [listed under ISO certifications, covers machine translation post-editing].”
> Show 3 unconfirmed / not-held certifications
source: smartling.comNo mention of FedRAMP on Smartling's own security page or legal pages. Not found in FedRAMP Marketplace search. Nudge Security profile listed 'FedRAMP Compliant' but this appears to be a third-party aggregation error, not a vendor claim.
source: smartling.comNo mention of CSA STAR on Smartling's own security page. Not found in CSA STAR Registry partial search. Nudge Security profile listed 'CSA Star Level 1 Compliant' but this appears to be a third-party aggregation error, not a vendor claim.
source: smartling.comNo public evidence on vendor's own domain. Smartling's security page lists ISO 42001, 27001, 17100, 13485, 9001, and 18587 but does not claim 27017, 27018, or 27701.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (AWS infrastructure, specific region not disclosed publicly). Smartling is US-incorporated. EU data transfers covered by EU-US Data Privacy Framework.
Nuanced posture. The privacy policy states that Smartling personnel in data science, engineering, client success, and AI deployment teams 'will have access to customers' data for the sole purpose of validation, modeling, and training' (under written NDA). Smartling also uses performance metadata (TER quality scores, on-time delivery, semantic relevance) from customer content to improve platform features. However, customer data submitted to third-party LLMs 'will not be used by such third party model providers to train their foundational models.' AI and ML features are optional and gated behind SLA execution. Customers can request anonymization or censoring of sensitive data before submission to third-party models. In practice, Smartling itself may train its own models on customer data, while third-party foundational models are restricted.
// Security controls
Encryption in transit
NIST standards applied to network. MFA on all services. No specific TLS version stated publicly.
smartling.comEncryption at rest
Audit logs encrypted on a separate log server. Broader at-rest encryption standard not explicitly stated in public pages.
smartling.comAccess control
Multifactor authentication (MFA) enforced. Network segmented with access restricted to permitted personnel only. Central SOC and SIEM monitoring. IDS with alerting.
smartling.comInfrastructure
Hosted on Amazon Web Services (AWS). HITRUST e1 certification scoped to Translation Management System on AWS.
smartling.comAudit logging
Audit logs collected on all servers, encrypted and stored on a separate dedicated log server.
smartling.comIncident response
IDS provides notification to operations team for potential incidents. Business continuity and disaster recovery (BC/DR) plans in place.
smartling.comPenetration testing / independent audits
SOC 2 Type 2 and ISO 27001 both require independent audits. Reports and documents available upon request.
smartling.comSub-processor handling
MSA section 9.4 allows Smartling to use subcontractors; list available via Software Services portal. Third-party LLMs used for translation will not train on customer data.
smartling.com// Products & data scope
data: Source content (web pages, product strings, documents, support articles), translation memories, glossaries, customer metadata. Customer content passed to third-party LLMs for translation, optimization, and quality estimation.
Core enterprise product. HITRUST e1 scoped to TMS on AWS. SOC 2 and ISO certifications apply to TMS.
data: Personal data collected when users interact with draft submission forms.
Mentioned in privacy policy as a distinct product surface. Detailed data handling per Draft not separately documented publicly.
data: Customer content reviewed by certified project managers and professional linguists under confidentiality agreements.
ISO 17100, ISO 9001, ISO 18587 certifications most relevant here. Satisfaction guarantee included.
// What to watch
- AI TRAINING NUANCE: Smartling personnel can access customer data for 'validation, modeling, and training' per the privacy policy. Performance metadata is used to improve platform AI features. Third-party foundational LLMs are contractually restricted from training on customer data, but Smartling's own AI models are not under the same restriction. Enterprise buyers with PHI/PII content should negotiate explicit prohibitions in the DPA.
- HITRUST LEVEL: Only HITRUST e1 (entry-level, ~44 controls). Marketing says 'HITRUST certified' without always specifying the tier. Buyers requiring HITRUST i1 or r2 should confirm scope before assuming full HITRUST compliance.
- ISO 42001 UNVERIFIED CERTIFICATE: ISO/IEC 42001:2023 is claimed prominently on the vendor's security page and in press releases, but no publicly available certificate document was found (unlike ISO 27001, which has a PDF at dk.smartling.com). Third-party ISO 42001 registry (aicompliancevendors.com) could not locate a named-CB source for Smartling's cert. Claim appears genuine but could not be independently confirmed against a registrar database.
- DPA NOT PUBLICLY POSTED: A data processing addendum is referenced in the MSA (section 2.2) but is not published as a standalone document on smartling.com/legal. Buyers must request the DPA separately.
- THIRD-PARTY AGGREGATOR INACCURACIES: Nudge Security's profile for Smartling lists 'FedRAMP Compliant' and 'CSA Star Level 1 Compliant' but neither appears on Smartling's own security page nor in the respective official registries. These are aggregation errors, not vendor over-claims.
- DATA RESIDENCY: Smartling is US-headquartered and hosted on AWS with no publicly documented EU or other regional data residency option. EU customers rely on EU-US Data Privacy Framework for cross-border transfer legitimacy.
// At a glance
Pricing model
Custom enterprise pricing (contact sales). Starting cost ~$0.005 per word for AI translation. Plans available; no public self-serve pricing tier.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Smartling, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
smartling.com