// Trust & Security Report

    Smartling, Inc. logo

    Smartling, Inc.

    AI-powered translation and localization platform (Translation Management System, Smartling Draft, Language Services with human linguists, 50+ integrations/connectors)

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Smartling is certified to the following standards, Soc2Type2 of the American Institute of Public Accountants [...] Smartling has continuously maintained compliance with SOC 2 standards since 2013.

    Verify on smartling.com
    ISO 27001
    HELD

    Certificate Number: ISMS-SM-101425. A-LIGN Compliance and Security, Inc. certifies that the organization [Smartling, Inc.] operates an Information Security Management System that conforms to the requirements of ISO/IEC 27001:2022. [...] Original Certification Date: October 14, 2025; Issuance Date: October 14, 2025; Expiration Date: October 14, 2028. Scope: SaaS-based Translation Management Services environment; In-scope location HQ 244 Fifth Avenue, Suite 1471, New York.

    Verify on dk.smartling.com
    ISO/IEC 42001:2023
    HELD

    ISO/IEC 42001:2023 Certification [listed under ISO certifications]. Including our newest achievement: ISO/IEC 42001:2023, the world's first international standard for Artificial Intelligence Management Systems (AIMS).

    Verify on smartling.com
    HIPAA
    HELD

    Certifies an external vendor's controls over privacy and security of certain health information covered by the law. Smartling has maintained HIPAA compliance since 2013.

    Verify on smartling.com
    GDPR
    HELD

    Protecting personal data in the EU, Smartling has met GDPR's strict security and privacy standards since its introduction in 2018.

    Verify on smartling.com
    HITRUST e1
    HELD

    Smartling attained a HITRUST e1 certification for its Translation Management System residing at Amazon Web Services.

    Verify on smartling.com
    PCI DSS Level 1
    HELD

    Certifies presence of best security practices for secure processing and transmission of credit card data. Smartling has continuously maintained PCI Level 1 compliance since 2012.

    Verify on smartling.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Smartling is committed to complying with the Data Privacy Framework Principles, which includes the EU-US Data Privacy Data Framework Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-US Data Privacy Framework.

    Verify on smartling.com
    ISO 17100
    HELD

    ISO 17100 Certification [listed under ISO certifications]. Smartling is certified to the following standards [...] ISO17100.

    Verify on smartling.com
    ISO 9001:2015
    HELD

    ISO 9001:2015 Certification [listed under ISO certifications for translation quality management].

    Verify on smartling.com
    ISO 13485
    HELD

    ISO 13485 Certification [listed under ISO certifications, covers medical device translation compliance].

    Verify on smartling.com
    ISO 18587
    HELD

    ISO 18587 Certification [listed under ISO certifications, covers machine translation post-editing].

    Verify on smartling.com
    > Show 3 unconfirmed / not-held certifications
    FedRAMP
    NOT CONFIRMED

    No mention of FedRAMP on Smartling's own security page or legal pages. Not found in FedRAMP Marketplace search. Nudge Security profile listed 'FedRAMP Compliant' but this appears to be a third-party aggregation error, not a vendor claim.

    source: smartling.com
    CSA STAR
    NOT CONFIRMED

    No mention of CSA STAR on Smartling's own security page. Not found in CSA STAR Registry partial search. Nudge Security profile listed 'CSA Star Level 1 Compliant' but this appears to be a third-party aggregation error, not a vendor claim.

    source: smartling.com
    ISO 27017 / ISO 27018 / ISO 27701
    NOT CONFIRMED

    No public evidence on vendor's own domain. Smartling's security page lists ISO 42001, 27001, 17100, 13485, 9001, and 18587 but does not claim 27017, 27018, or 27701.

    source: smartling.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (AWS infrastructure, specific region not disclosed publicly). Smartling is US-incorporated. EU data transfers covered by EU-US Data Privacy Framework.

    Nuanced posture. The privacy policy states that Smartling personnel in data science, engineering, client success, and AI deployment teams 'will have access to customers' data for the sole purpose of validation, modeling, and training' (under written NDA). Smartling also uses performance metadata (TER quality scores, on-time delivery, semantic relevance) from customer content to improve platform features. However, customer data submitted to third-party LLMs 'will not be used by such third party model providers to train their foundational models.' AI and ML features are optional and gated behind SLA execution. Customers can request anonymization or censoring of sensitive data before submission to third-party models. In practice, Smartling itself may train its own models on customer data, while third-party foundational models are restricted.

    // Security controls

    Encryption in transit

    NIST standards applied to network. MFA on all services. No specific TLS version stated publicly.

    smartling.com

    Encryption at rest

    Audit logs encrypted on a separate log server. Broader at-rest encryption standard not explicitly stated in public pages.

    smartling.com

    Access control

    Multifactor authentication (MFA) enforced. Network segmented with access restricted to permitted personnel only. Central SOC and SIEM monitoring. IDS with alerting.

    smartling.com

    Infrastructure

    Hosted on Amazon Web Services (AWS). HITRUST e1 certification scoped to Translation Management System on AWS.

    smartling.com

    Audit logging

    Audit logs collected on all servers, encrypted and stored on a separate dedicated log server.

    smartling.com

    Incident response

    IDS provides notification to operations team for potential incidents. Business continuity and disaster recovery (BC/DR) plans in place.

    smartling.com

    Penetration testing / independent audits

    SOC 2 Type 2 and ISO 27001 both require independent audits. Reports and documents available upon request.

    smartling.com

    Sub-processor handling

    MSA section 9.4 allows Smartling to use subcontractors; list available via Software Services portal. Third-party LLMs used for translation will not train on customer data.

    smartling.com

    // Products & data scope

    Translation Management System (TMS)Enterprise SaaS, Localization Platform

    data: Source content (web pages, product strings, documents, support articles), translation memories, glossaries, customer metadata. Customer content passed to third-party LLMs for translation, optimization, and quality estimation.

    Core enterprise product. HITRUST e1 scoped to TMS on AWS. SOC 2 and ISO certifications apply to TMS.

    Smartling DraftAI Writing / Translation Tool

    data: Personal data collected when users interact with draft submission forms.

    Mentioned in privacy policy as a distinct product surface. Detailed data handling per Draft not separately documented publicly.

    Language Services (Human Translation)Managed Translation Service

    data: Customer content reviewed by certified project managers and professional linguists under confidentiality agreements.

    ISO 17100, ISO 9001, ISO 18587 certifications most relevant here. Satisfaction guarantee included.

    // What to watch

    • AI TRAINING NUANCE: Smartling personnel can access customer data for 'validation, modeling, and training' per the privacy policy. Performance metadata is used to improve platform AI features. Third-party foundational LLMs are contractually restricted from training on customer data, but Smartling's own AI models are not under the same restriction. Enterprise buyers with PHI/PII content should negotiate explicit prohibitions in the DPA.
    • HITRUST LEVEL: Only HITRUST e1 (entry-level, ~44 controls). Marketing says 'HITRUST certified' without always specifying the tier. Buyers requiring HITRUST i1 or r2 should confirm scope before assuming full HITRUST compliance.
    • ISO 42001 UNVERIFIED CERTIFICATE: ISO/IEC 42001:2023 is claimed prominently on the vendor's security page and in press releases, but no publicly available certificate document was found (unlike ISO 27001, which has a PDF at dk.smartling.com). Third-party ISO 42001 registry (aicompliancevendors.com) could not locate a named-CB source for Smartling's cert. Claim appears genuine but could not be independently confirmed against a registrar database.
    • DPA NOT PUBLICLY POSTED: A data processing addendum is referenced in the MSA (section 2.2) but is not published as a standalone document on smartling.com/legal. Buyers must request the DPA separately.
    • THIRD-PARTY AGGREGATOR INACCURACIES: Nudge Security's profile for Smartling lists 'FedRAMP Compliant' and 'CSA Star Level 1 Compliant' but neither appears on Smartling's own security page nor in the respective official registries. These are aggregation errors, not vendor over-claims.
    • DATA RESIDENCY: Smartling is US-headquartered and hosted on AWS with no publicly documented EU or other regional data residency option. EU customers rely on EU-US Data Privacy Framework for cross-border transfer legitimacy.

    // At a glance

    Pricing model

    Custom enterprise pricing (contact sales). Starting cost ~$0.005 per word for AI translation. Plans available; no public self-serve pricing tier.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Smartling, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    smartling.com

    > Browse all vendor trust reports