// Trust & Security Report
Weglot SAS
No-code website translation and multilingual SEO platform (JavaScript widget/proxy), with a self-serve tier and a separate Weglot for Enterprise tier; also offers a developer API
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.weglot.com“We are pleased to announce that Weglot has successfully completed another System and Organization Controls (SOC) 2 Type II audit. This milestone, achieved in partnership with MJD Advisors, reflects our commitment to maintaining the highest standards of security, availability, and confidentiality. Our SOC 2 report is now available in the Weglot Trust Center.”
Verify on support.weglot.com“In 2022, Weglot has been certified as SOC 2 Type 2. [This] verifies that all the policies and processes listed in SOC 2 Type 1 are in continuous use.”
Verify on support.weglot.com“Yes, Weglot is GDPR-compliant. Weglot is committed to protecting the privacy and personal data of its users and complies with the GDPR. Weglot's servers are located in the European Union, within data centers that are compliant with EU data protection regulations.”
> Show 6 unconfirmed / not-held certifications
source: trust.weglot.comNo public evidence of an ISO 27001 certificate on any Weglot-owned domain. Weglot's own security page (weglot.com/security) and Trust Center (trust.weglot.com) list only SOC 2 Type II and GDPR under Compliance; ISO 27001 is not mentioned. A third-party aggregator (Nudge Security) lists ISO 27001 among Weglot's 'compliance' badges, but this appears to be an unverified/auto-generated inference, not a vendor claim, and is not corroborated by any weglot.com or trust.weglot.com page.
source: trust.weglot.comNo mention of HIPAA on weglot.com/security, support.weglot.com, or the Trust Center. Data collected per the Trust Center explicitly lists 'Personal health information' as a category tracked for disclosure purposes, but this does not equate to a HIPAA compliance program, and no BAA or HIPAA safeguards are documented anywhere on the vendor's own domain. The same third-party aggregator (Nudge Security) claims HIPAA compliance without vendor-domain support; treated as unverified.
source: weglot.comNo public evidence of PCI DSS on any Weglot domain. Payment/billing is handled through third-party processors; Weglot itself does not present a PCI DSS attestation.
source: trust.weglot.comTrust Center lists a completed '2025 Weglot CAIQv4.0.3' questionnaire (a CSA Consensus Assessments Initiative Questionnaire) under Resources, but this is a self-assessment questionnaire, not a CSA STAR Level 1/2 registry listing or certification. No CSA STAR badge or registry entry found.
source: trust.weglot.comNo public evidence of ISO 42001 certification on any Weglot domain.
source: trust.weglot.comNo public evidence of FedRAMP authorization. Weglot is a French SMB SaaS vendor with no indication of pursuing US federal authorization.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
EU by default. Privacy Policy: 'Your data is hosted by a secure professional service provider on servers located in the European Union.' Trust Center subprocessors: Amazon Web Services (Infrastructure Hosting, EU or US), Cloudflare (Global), Datadog (Logging & Monitoring, US), DeepL (Machine translations, EU).
Contradiction/nuance found across vendor-owned sources. (1) Terms Article 4.8.2 states Weglot's AI sub-processors 'do not use Client data to train their AI models' -- this is a commitment about third-party AI sub-processors (e.g. the machine-translation engine DeepL, per the Trust Center subprocessor list), not a blanket statement about Weglot itself. (2) Terms Article 13 separately grants Weglot 'a right to use translations data at no cost during the whole period of protection, in order to improve the quality of the Service,' applying to 'all translations files hosted on Weglot servers or one of its providers.' (3) The Privacy Policy says Weglot uses 'data related to the use of our translation services to evolve these products and services,' explicitly including 'content provided by our customers to be translated,' with no opt-out mechanism documented. (4) The marketing homepage advertises a per-customer 'Custom Translation Model... built around your brand... it learns your tone, terminology, and voice' -- consistent with a per-customer fine-tuned model rather than cross-customer pooling, but this is not confirmed or denied in the legal text. Net: sub-processor AI models reportedly do not train on client data, but Weglot itself retains a broad service-improvement license over translation content with no clear opt-out, so a definitive true/false on 'trains on customer data' cannot be responsibly assigned.
// Security controls
Data Processing Agreement (DPA)
Available; guaranteed for Enterprise package customers per support docs, and published as a standalone DPA document/PDF and Trust Center resource for other customers on request
support.weglot.comEncryption / remote access
Remote access encryption enforced; unique network system authentication enforced; network segmentation implemented (per Trust Center controls list)
trust.weglot.comPenetration testing
Performed; penetration test report published as a Trust Center resource
trust.weglot.comVulnerability / system monitoring
Vulnerability and system monitoring procedures established; anti-malware technology utilized
trust.weglot.comIncident response & continuity
Incident response plan tested and documented; continuity and disaster recovery plans established
trust.weglot.comCompliance monitoring platform
Compliance monitoring outsourced to Vanta, with a self-service Trust Center for security questionnaires and document requests
trust.weglot.comCyber/liability insurance
Certificate of Liability Insurance published as a Trust Center resource
trust.weglot.comData deletion
Customer data deleted upon leaving; inactive projects (6+ months) permanently deleted per Privacy Policy retention schedule
weglot.com// Products & data scope
data: Reads and stores original + translated website content (text strings, URLs); collects user Name, Email, IP per Trust Center data-collected list
Connects to 70+ platforms (WordPress, Shopify, Squarespace, custom sites) via JS snippet or reverse proxy. Free plan available; paid tiers by word count.
data: Same content scope as core product, plus advanced security controls and custom integrations
Marketed as adding 'advanced security, custom integrations, guaranteed uptime.' Support docs indicate a signed DPA is guaranteed at this tier; unclear whether lower/free tiers receive one automatically without request.
data: Programmatic access to translation content, same subprocessor chain (AWS, Cloudflare, Datadog, DeepL)
Used for custom/headless integrations; covered by the same Trust Center posture as the core product.
// What to watch
- THIRD-PARTY OVER-CLAIM RISK: A third-party aggregator (Nudge Security) lists Weglot as HIPAA, PCI, ISO 27001, FedRAMP, and CSA STAR compliant. None of these are supported by any statement on weglot.com, support.weglot.com, or trust.weglot.com, which name only SOC 2 Type II and GDPR under Compliance. Do not surface the aggregator's claims; they were excluded from this assessment as unverified.
- AI TRAINING CONTRADICTION NOT FULLY RESOLVED: Terms Article 4.8.2 promises AI sub-processors do not train on client data, but Terms Article 13 separately grants Weglot a broad, royalty-free license to use translation data 'to improve the quality of the Service,' and the Privacy Policy confirms customer-provided content is used to 'evolve products and services' with no documented opt-out. These are two different claims (sub-processor models vs. Weglot's own use) that a buyer could easily conflate; flagging for advisor review before publishing an AI-training claim either way.
- CAIQ QUESTIONNAIRE IS NOT CSA STAR: Trust Center lists a completed 2025 CAIQ v4.0.3 questionnaire. This is a self-assessment artifact, not a CSA STAR registry certification; do not list Weglot as 'CSA STAR' based on this alone.
- DPA GUARANTEE MAY BE TIER-GATED: Support documentation ties a guaranteed signed DPA to the Enterprise package; it is not fully clear whether free/self-serve customers get an executed DPA automatically vs. on request.
// At a glance
Pricing model
Freemium SaaS: free plan plus word-count-based paid tiers; custom-quoted Enterprise plan
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Weglot SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.weglot.com