// Trust & Security Report

    Weglot SAS logo

    Weglot SAS

    No-code website translation and multilingual SEO platform (JavaScript widget/proxy), with a self-serve tier and a separate Weglot for Enterprise tier; also offers a developer API

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    We are pleased to announce that Weglot has successfully completed another System and Organization Controls (SOC) 2 Type II audit. This milestone, achieved in partnership with MJD Advisors, reflects our commitment to maintaining the highest standards of security, availability, and confidentiality. Our SOC 2 report is now available in the Weglot Trust Center.

    Verify on trust.weglot.com
    SOC 2 Type I
    HELD

    In 2022, Weglot has been certified as SOC 2 Type 2. [This] verifies that all the policies and processes listed in SOC 2 Type 1 are in continuous use.

    Verify on support.weglot.com
    GDPR (compliance posture, not a certification)
    HELD

    Yes, Weglot is GDPR-compliant. Weglot is committed to protecting the privacy and personal data of its users and complies with the GDPR. Weglot's servers are located in the European Union, within data centers that are compliant with EU data protection regulations.

    Verify on support.weglot.com
    > Show 6 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence of an ISO 27001 certificate on any Weglot-owned domain. Weglot's own security page (weglot.com/security) and Trust Center (trust.weglot.com) list only SOC 2 Type II and GDPR under Compliance; ISO 27001 is not mentioned. A third-party aggregator (Nudge Security) lists ISO 27001 among Weglot's 'compliance' badges, but this appears to be an unverified/auto-generated inference, not a vendor claim, and is not corroborated by any weglot.com or trust.weglot.com page.

    source: trust.weglot.com
    HIPAA
    NOT CONFIRMED

    No mention of HIPAA on weglot.com/security, support.weglot.com, or the Trust Center. Data collected per the Trust Center explicitly lists 'Personal health information' as a category tracked for disclosure purposes, but this does not equate to a HIPAA compliance program, and no BAA or HIPAA safeguards are documented anywhere on the vendor's own domain. The same third-party aggregator (Nudge Security) claims HIPAA compliance without vendor-domain support; treated as unverified.

    source: trust.weglot.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS on any Weglot domain. Payment/billing is handled through third-party processors; Weglot itself does not present a PCI DSS attestation.

    source: weglot.com
    CSA STAR
    NOT CONFIRMED

    Trust Center lists a completed '2025 Weglot CAIQv4.0.3' questionnaire (a CSA Consensus Assessments Initiative Questionnaire) under Resources, but this is a self-assessment questionnaire, not a CSA STAR Level 1/2 registry listing or certification. No CSA STAR badge or registry entry found.

    source: trust.weglot.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on any Weglot domain.

    source: trust.weglot.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization. Weglot is a French SMB SaaS vendor with no indication of pursuing US federal authorization.

    source: trust.weglot.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    EU by default. Privacy Policy: 'Your data is hosted by a secure professional service provider on servers located in the European Union.' Trust Center subprocessors: Amazon Web Services (Infrastructure Hosting, EU or US), Cloudflare (Global), Datadog (Logging & Monitoring, US), DeepL (Machine translations, EU).

    Contradiction/nuance found across vendor-owned sources. (1) Terms Article 4.8.2 states Weglot's AI sub-processors 'do not use Client data to train their AI models' -- this is a commitment about third-party AI sub-processors (e.g. the machine-translation engine DeepL, per the Trust Center subprocessor list), not a blanket statement about Weglot itself. (2) Terms Article 13 separately grants Weglot 'a right to use translations data at no cost during the whole period of protection, in order to improve the quality of the Service,' applying to 'all translations files hosted on Weglot servers or one of its providers.' (3) The Privacy Policy says Weglot uses 'data related to the use of our translation services to evolve these products and services,' explicitly including 'content provided by our customers to be translated,' with no opt-out mechanism documented. (4) The marketing homepage advertises a per-customer 'Custom Translation Model... built around your brand... it learns your tone, terminology, and voice' -- consistent with a per-customer fine-tuned model rather than cross-customer pooling, but this is not confirmed or denied in the legal text. Net: sub-processor AI models reportedly do not train on client data, but Weglot itself retains a broad service-improvement license over translation content with no clear opt-out, so a definitive true/false on 'trains on customer data' cannot be responsibly assigned.

    // Security controls

    Data Processing Agreement (DPA)

    Available; guaranteed for Enterprise package customers per support docs, and published as a standalone DPA document/PDF and Trust Center resource for other customers on request

    support.weglot.com

    Encryption / remote access

    Remote access encryption enforced; unique network system authentication enforced; network segmentation implemented (per Trust Center controls list)

    trust.weglot.com

    Penetration testing

    Performed; penetration test report published as a Trust Center resource

    trust.weglot.com

    Vulnerability / system monitoring

    Vulnerability and system monitoring procedures established; anti-malware technology utilized

    trust.weglot.com

    Incident response & continuity

    Incident response plan tested and documented; continuity and disaster recovery plans established

    trust.weglot.com

    Compliance monitoring platform

    Compliance monitoring outsourced to Vanta, with a self-service Trust Center for security questionnaires and document requests

    trust.weglot.com

    Cyber/liability insurance

    Certificate of Liability Insurance published as a Trust Center resource

    trust.weglot.com

    Data deletion

    Customer data deleted upon leaving; inactive projects (6+ months) permanently deleted per Privacy Policy retention schedule

    weglot.com

    // Products & data scope

    Weglot (self-serve / core widget)No-code website translation & multilingual SEO

    data: Reads and stores original + translated website content (text strings, URLs); collects user Name, Email, IP per Trust Center data-collected list

    Connects to 70+ platforms (WordPress, Shopify, Squarespace, custom sites) via JS snippet or reverse proxy. Free plan available; paid tiers by word count.

    Weglot for EnterpriseWebsite translation, enterprise tier

    data: Same content scope as core product, plus advanced security controls and custom integrations

    Marketed as adding 'advanced security, custom integrations, guaranteed uptime.' Support docs indicate a signed DPA is guaranteed at this tier; unclear whether lower/free tiers receive one automatically without request.

    Weglot Developers / APITranslation API

    data: Programmatic access to translation content, same subprocessor chain (AWS, Cloudflare, Datadog, DeepL)

    Used for custom/headless integrations; covered by the same Trust Center posture as the core product.

    // What to watch

    • THIRD-PARTY OVER-CLAIM RISK: A third-party aggregator (Nudge Security) lists Weglot as HIPAA, PCI, ISO 27001, FedRAMP, and CSA STAR compliant. None of these are supported by any statement on weglot.com, support.weglot.com, or trust.weglot.com, which name only SOC 2 Type II and GDPR under Compliance. Do not surface the aggregator's claims; they were excluded from this assessment as unverified.
    • AI TRAINING CONTRADICTION NOT FULLY RESOLVED: Terms Article 4.8.2 promises AI sub-processors do not train on client data, but Terms Article 13 separately grants Weglot a broad, royalty-free license to use translation data 'to improve the quality of the Service,' and the Privacy Policy confirms customer-provided content is used to 'evolve products and services' with no documented opt-out. These are two different claims (sub-processor models vs. Weglot's own use) that a buyer could easily conflate; flagging for advisor review before publishing an AI-training claim either way.
    • CAIQ QUESTIONNAIRE IS NOT CSA STAR: Trust Center lists a completed 2025 CAIQ v4.0.3 questionnaire. This is a self-assessment artifact, not a CSA STAR registry certification; do not list Weglot as 'CSA STAR' based on this alone.
    • DPA GUARANTEE MAY BE TIER-GATED: Support documentation ties a guaranteed signed DPA to the Enterprise package; it is not fully clear whether free/self-serve customers get an executed DPA automatically vs. on request.

    // At a glance

    Pricing model

    Freemium SaaS: free plan plus word-count-based paid tiers; custom-quoted Enterprise plan

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Weglot SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.weglot.com

    > Browse all vendor trust reports