// Trust & Security Report

    Transifex, Inc. logo

    Transifex, Inc.

    AI-powered localization and translation management platform; products include Transifex TMS (translation management system), Transifex AI (LLM-driven translation with ZDR), Transifex Native (SDK for in-app localization), and TQI (Translation Quality Index)

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Transifex's SOC 2 Type I report did not have any noted exceptions and therefore was issued with a 'clean' audit opinion from SSF. The examination was performed by Sensiba San Filippo, LLP (SSF) and covered security, availability, processing integrity, confidentiality and privacy.

    Verify on transifex.com
    SOC 2 Type II
    HELD

    We have successfully completed a System and Organization Controls (SOC) 2 Type II audit performed by Sensiba San Filippo, LLP (SSF). Transifex's SOC 2 Type II report did not have any noted exceptions and therefore was issued with a 'clean' audit opinion from SSF. Official Transifex blog post published September 28, 2022 (echoed on the Transifex community forum October 4, 2022).

    Verify on transifex.com
    GDPR (posture)
    HELD

    Transifex publishes a Data Processing Agreement, Standard Contractual Clauses, and a Sub-Processors list. The DPA states: 'We will act as a Processor of any Protected Data provided to Us in delivering the Services to You' and commits to 72-hour breach notification.

    Verify on transifex.com
    > Show 7 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification on any Transifex-domain page. Note: Transifex's security page lists AWS's ISO 27001 certification as their hosting provider's attribute, not Transifex's own.

    source: transifex.com
    HIPAA
    NOT CONFIRMED

    No HIPAA compliance claim on any Transifex-domain page. Transifex's security page mentions AWS hosting complies with HIPAA, but that is the host's certification, not Transifex's own posture.

    source: transifex.com
    PCI DSS
    NOT CONFIRMED

    Transifex does not store or process card data directly: 'We do not store any credit card information. All our credit card processing is taken care of by Chargebee and Stripe.' PCI DSS scope therefore lies with those processors, not Transifex.

    source: transifex.com
    ISO/IEC 27701
    NOT CONFIRMED

    No public evidence of ISO 27701 (privacy information management) certification on any Transifex-domain page.

    source: transifex.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence of ISO 42001 or any AI governance certification on any Transifex-domain page.

    source: transifex.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration or certification on any Transifex-domain page.

    source: transifex.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any Transifex-domain page.

    source: transifex.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS Ireland (EU) for primary hosting per security page; however the privacy policy states data 'may be viewed and hosted anywhere in the world' with no formal residency lock. No EU-only data residency option is documented publicly.

    Transifex AI FAQ states: 'your data remains your data and is not used to train public models.' The platform uses Zero Data Retention (ZDR) with external AI providers (OpenAI, Anthropic, Google Gemini listed as sub-processors), meaning customer content is not retained by those providers for training purposes. Per-customer fine-tuning and RAG are described as the personalization mechanism. The privacy policy (last modified November 2024) does not contradict this but does not explicitly address AI training on customer data in its text.

    // Security controls

    Encryption in transit

    SSL/TLS for all server-to-server and web app traffic; HTTPS enforced for all app-facing endpoints

    transifex.com

    Encryption at rest

    File and database backups encrypted with AES (Advanced Encryption Standard)

    transifex.com

    Password storage

    User passwords hashed with PBKDF2; no plaintext passwords stored

    transifex.com

    Infrastructure hosting

    Amazon Web Services Ireland (EU region); all VMs on cloud with administrative access limited to authorized personnel

    transifex.com

    VPN

    VPN required for restricted infrastructure access; VPN traffic always encrypted

    transifex.com

    Incident monitoring

    24x7 monitoring with a public status page at status.transifex.com; Twitter/X status handle @TransifexStatus

    transifex.com

    Vulnerability disclosure

    Responsible disclosure via security@transifex.com with PGP encryption option; active bug bounty/researcher acknowledgment program

    transifex.com

    Credit card data handling

    No card data stored; payment processing delegated to Chargebee and Stripe (PCI Level 1 service providers)

    transifex.com

    Access controls

    Role-based access; physical office access restricted with security personnel; need-to-know policy

    transifex.com

    Code security

    Code reviews before production deployment; regular audits against OWASP Top Ten; critical patches applied immediately

    transifex.com

    Authentication options

    SSO (SAML), Two-Factor Authentication (2FA), social login (GitHub, LinkedIn, Google)

    help.transifex.com

    Data deletion post-termination

    30-day extraction window after contract termination; deletion within a reasonable period after that window

    transifex.com

    Audit rights

    Customers may conduct annual audits of Transifex's security controls with 14 days notice; cost borne by customer unless material failure found

    transifex.com

    // Products & data scope

    Transifex TMSTranslation Management System

    data: Source strings and translated content uploaded by users; user account data; project metadata

    Core platform used by product, marketing, and dev teams. Integrates with 40+ tools. Content stored on AWS Ireland.

    Transifex AI (TX AI)AI-powered translation

    data: Customer content passed to external AI sub-processors (OpenAI, Anthropic, Google Gemini) with ZDR agreements; brand glossary and voice data stored per-customer

    ZDR feature ensures content is not retained by LLM providers for model training. Per-customer fine-tuning using customer's own content. RAG used for brand-context injection.

    Transifex NativeSDK / in-app localization

    data: Strings served dynamically from Transifex CDN; no user PII processed by Native SDK itself

    Developer SDK enabling over-the-air translation updates without app release.

    TQI (Translation Quality Index)AI quality evaluation

    data: Translated strings evaluated by AI quality scoring models

    Automates human review triage; allows AI translations to publish without human intervention when quality threshold met.

    // What to watch

    • HOST-CERT CONFLATION: Transifex's own security page lists AWS's certifications (SOC 1/2/3, ISO 27001, HIPAA, PCI-DSS Level 1, FIPS-140-2, CSA, FERPA, FISMA Moderate) in a way that could mislead readers into thinking these are Transifex's own certifications. These are AWS's certs, not Transifex's. AIFOXX should not list these as Transifex-held.
    • SOC 2 TYPE II RENEWAL STATUS UNKNOWN: The SOC 2 Type II announcement dates to September 2022 (official Transifex blog, September 28, 2022; community-forum echo October 4, 2022). SOC 2 Type II is typically renewed annually. No public evidence of renewal reports beyond 2022 was found as of June 2026. The cert may still be current (many vendors maintain it privately) but cannot be confirmed from public sources.
    • NO ISO 27001: Despite serving large enterprise clients (HubSpot, Celonis), Transifex has no publicly evidenced ISO 27001 certification. Procurement teams expecting ISO 27001 should request evidence directly.
    • AI SUB-PROCESSOR ZDR VERIFICATION: Transifex claims ZDR with OpenAI, Anthropic, and Google Gemini. Whether formal ZDR API agreements are in place with each provider was not independently verified; this claim relies solely on Transifex marketing pages.
    • DATA RESIDENCY AMBIGUITY: Security page implies AWS Ireland (EU) hosting, but privacy policy states data may be hosted 'anywhere in the world.' No formal EU data residency commitment or customer-selectable region is documented.

    // At a glance

    Pricing model

    Tiered SaaS (Starter free trial, growth/professional plans by volume of words/strings; enterprise pricing on request)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Transifex, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    transifex.com

    > Browse all vendor trust reports