// Trust & Security Report
SYSTRAN S.A. (SYSTRAN by ChapsVision)
Machine translation software family: free web translator (SYSTRAN Translate), paid Pro tier, Enterprise/API translation platform, on-premise/air-gapped Server deployment, Model Studio for custom model training, and Anonymizer for GDPR-oriented PII redaction. Owned by French data-processing group ChapsVision (acquired SYSTRAN S.A. in January 2024).
Certifications held
3
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on systransoft.com“Certified for compliance: ISO 27001 | GDPR Compliant | HIPAA Ready”
Verify on systransoft.com“Our facilities, teams, policies, and procedures have been audited to guarantee strict adherence to prominent security standards.”
Verify on systransoft.com“Data-sovereignty page lists "GDPR Compliant" as part of "Certified for compliance: ISO 27001 | GDPR Compliant | HIPAA Ready". Note: the privacy-policy URL resolves to a ChapsVision legal notice stating only "Chapsvision is committed to complying with applicable regulations regarding personal data protection" and links out to a separate ChapsVision Data Protection Policy; no SYSTRAN-domain page verified in this pass contains a standalone sentence asserting GDPR + French-law compliance verbatim, so GDPR posture rests on the 'GDPR Compliant' marketing badge rather than a detailed policy statement.”
> Show 8 unconfirmed / not-held certifications
source: systransoft.comFAQ: 'We already have SOC 2 Type II vendors. Isn't that enough?' Answer: 'SOC 2 is a baseline, not a ceiling. Many generic AI tools hold SOC 2 but still operate on multi-tenant public clouds...' -- SYSTRAN's own FAQ frames SOC 2 as something competitors/other vendors hold, and does not claim SOC 2 for SYSTRAN itself anywhere on the vendor domain.
source: systransoft.comListed only as 'HIPAA Ready' (not 'HIPAA certified' or 'HIPAA compliant'). No BAA (Business Associate Agreement) language or independent HIPAA certification evidence found on the vendor domain. HIPAA has no official third-party certification body, so 'Ready' is a self-declared design posture, not a certification.
source: systransoft.comNo public evidence -- not mentioned on the security page, data sovereignty page, or privacy policy.
source: systransoft.comNo public evidence -- not mentioned on any vendor-domain page reviewed.
source: systransoft.comNo public evidence -- SYSTRAN's public pages do not reference ISO 42001 or any AI-governance-specific certification.
source: systransoft.comNo public evidence found on the vendor domain.
source: systransoft.comNo public evidence found; SYSTRAN's translation product does not appear to process cardholder data directly, and no PCI claim is made on the vendor domain.
source: systransoft.comNo public evidence found on the vendor domain. Third-party marketing aggregator sites reference 'DoD-ready' but this is not corroborated by a vendor-domain page and is not treated as evidence per the verification rules.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Configurable by deployment: air-gapped on-premise, private cloud, or 'sovereign SaaS' positioned to match customer compliance/region requirements. Company headquartered in Paris, France (EU). No single fixed default data region is stated on the pages reviewed.
Marketing headline states 'zero data retention' and that customer data is 'never used to train our base models.' The Enterprise Terms of Service corroborate this for general model training and confirm Content/Final Content is deleted once the service is complete (with a 72-hour exception for automated error-pattern QA). However, the same ToS state 'Linguistic Data are stored on the Platform for an indefinite period of time,' and permit SYSTRAN to reuse Customer Content only to customize a customer's own dedicated Model at that customer's request -- this is a narrower, opt-in exception, not general base-model training. AIFOXX should present the 'zero data retention' marketing line alongside this ToS nuance rather than as an unqualified blanket claim.
// Security controls
Penetration testing
Regular penetration tests conducted during major and minor releases.
systransoft.comInfrastructure hardening
Partitioned cloud infrastructure, firewalls, and IP-based access restrictions.
systransoft.comSecure development practices
States alignment with OWASP cybersecurity best practices.
systransoft.comDeployment isolation options
Air-gapped on-premise, private cloud, or sovereign SaaS deployment, allowing data to stay entirely within the customer's security perimeter.
systransoft.comFile retention controls
For file translations (e.g. PDFs), automatic deletion after a configurable period; Content/Final Content deleted once the Enterprise service completes, with a 72-hour exception for error-pattern QA.
systransoft.comEncryption at rest
Not explicitly documented on vendor pages reviewed; only infrastructure-level protections (partitioned cloud, firewalls) are described. Not confirmed either way.
systransoft.com// Products & data scope
data: Short text snippets (public, multi-tenant service)
Privacy policy explicitly instructs users not to submit personal data via the online tools; SYSTRAN disclaims liability for GDPR issues arising from user-submitted personal data on this tier.
data: Documents and text via SaaS
Paid tier with its own Terms of Service page; not separately verified beyond the general privacy/security posture.
data: Enterprise content, documents, and 'Linguistic Data' (glossaries/translation memory)
Marketing claims zero data retention and zero base-model training; ToS confirms Content deletion post-service (72-hour QA exception) but 'Linguistic Data' is retained indefinitely on the platform -- a nuance AIFOXX should surface.
data: Fully within customer's own infrastructure; can run with zero internet connection
Positioned for legal, life sciences, and defense/government customers requiring maximum data confidentiality.
data: Customer-provided glossaries/translation memory used to fine-tune the customer's own private model
ToS explicitly limits SYSTRAN's reuse of customer content to customizing that customer's own dedicated model, not SYSTRAN's general base models.
data: Detects and redacts personal data within translated text
Marketed as a compliance aid for customers handling sensitive/personal data through translation workflows.
// What to watch
- SOC 2 is NOT held by SYSTRAN -- the vendor's own FAQ frames SOC 2 as something other vendors/prospects already have and argues it is 'a baseline, not a ceiling,' which confirms SYSTRAN does not claim it. Do not list SOC 2 as a SYSTRAN certification.
- 'HIPAA Ready' is a self-declared marketing phrase bundled visually with the genuine ISO 27001 certification under a 'Certified for compliance' banner -- risk of a listing implying HIPAA is a certification on par with ISO 27001. List separately with a caveat.
- Retention contradiction: top-of-page marketing promises 'zero data retention,' but the Enterprise Terms of Service state 'Linguistic Data are stored on the Platform for an indefinite period of time' and allow a 72-hour retention window for QA. This should be shown to buyers, not smoothed over.
- ISO 27001 claim is corroborated on two vendor-domain pages but could not be independently verified against a public ISO certification registry/certificate number in this pass; treat as vendor-attested until a certificate/scope document is obtained.
- Parent company is ChapsVision (acquired SYSTRAN S.A. in Jan 2024); the corporate legal notice and privacy policy route partly through chapsvision.com. Confirmed this is the genuine SYSTRAN (machine translation, founded 1968, HQ Paris) and not a different, similarly named entity.
// At a glance
Pricing model
Tiered: free web translator, paid Pro subscription, Enterprise with fixed annual pricing for translation volume, plus on-premise Server licensing.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SYSTRAN S.A. (SYSTRAN by ChapsVision)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
systransoft.com