// Trust & Security Report

    Wordfast, LLC logo

    Wordfast, LLC

    Wordfast translation memory (TM) software family: Wordfast Classic (MS Word-based desktop plugin), Wordfast Pro (standalone multi-platform desktop tool), Wordfast Anywhere (free browser-based cloud TM tool), and Wordfast Server (server-based TM for agencies/enterprises)

    Certifications held

    0

    Maturity

    Startup

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence of a SOC 2 report or attestation. The candidate subdomains trust.wordfast.com, security.wordfast.com, and compliance.wordfast.com all resolve to the generic marketing homepage rather than a distinct trust/security page, and neither the privacy policy nor the 2011 'Wordfast Strengthens Policies Regarding Security and Privacy' notice references SOC 2.

    source: wordfast.com
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification anywhere on wordfast.com or wordfast.net; not mentioned in the privacy policy, security notice, or product pages.

    source: wordfast.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or Business Associate Agreement (BAA) availability. The company offers customer NDAs on request but does not reference HIPAA, PHI, or BAAs anywhere on its public site.

    source: wordfast.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS. Purchases are handled by license/store checkout; no PCI attestation is published. Not treated as a materially relevant cert for this product category beyond standard payment processing.

    source: wordfast.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on wordfast.com or wordfast.net.

    source: wordfast.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence found. Wordfast's machine-translation features are third-party MT engine integrations (e.g. connecting to external MT providers within Wordfast Pro); no AI governance certification is published.

    source: wordfast.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on wordfast.com.

    source: wordfast.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; Wordfast does not market to US federal government buyers on its public site.

    source: wordfast.com
    EU-US Privacy Shield (legacy claim, superseded)
    NOT CONFIRMED

    Privacy policy states: 'Wordfast is Privacy Shield certified and a regular user of EU Model Clauses. Both programs to transfer personal data from Europe to the U.S. will remain valid and available under the GDPR.' The EU-US Privacy Shield framework was invalidated by the CJEU's Schrems II ruling in July 2020 and replaced by the EU-US Data Privacy Framework (DPF) in 2023; no current Wordfast listing was found via search on the official DPF program. Treat this as a stale/outdated legal claim, not a currently valid certification.

    source: wordfast.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Privacy policy states personal data is stored 'in Wordfast's data centers in the United States and/or Europe' for account/service data; Wordfast Anywhere content lives on Wordfast's hosted servers, while Classic, Pro, and Server products do not send translation memory content off the customer's own computer or self-hosted server.

    No public statement on whether translation content uploaded to Wordfast Anywhere or processed via Wordfast Pro's machine-translation connectors is used to train Wordfast's own models. Wordfast Pro's MT features route text to third-party MT engines the customer configures (data handling then governed by that third party's policy); Wordfast Classic, Pro, and Server keep translation memories on the customer's own machine or self-hosted server and are not transmitted to Wordfast. Only Wordfast Anywhere is hosted by Wordfast, and its privacy policy does not address AI/ML training use of stored content. Absent explicit confirmation, this must be graded null/unknown rather than assumed either way.

    // Security controls

    Encryption in transit

    'To increase the security of data transmitted between the customer's browser and Wordfast's server, Wordfast has established an encrypted link by activating SSL (Secure Sockets Layer) on its server.' This statement is from a 2011 company notice; no more recent, dated confirmation of current TLS practices was found on the vendor's site.

    wordfast.com

    Confidentiality / NDA availability

    'Upon request, Wordfast will sign Non-Disclosure Agreements with any customer who wishes to have a written contract regarding the confidentiality of their data.'

    wordfast.com

    Account isolation (Wordfast Anywhere)

    Each Wordfast Anywhere user gets a private, password-protected workspace on the centralized server, described as never shared with third parties. This is sourced from the community wiki (wordfast.net), a Wordfast-operated but less formal channel than the main privacy policy, so treat as directional rather than an authoritative security control statement.

    wordfast.net

    Encryption at rest / infra hardening

    No public evidence found. No statement on data-at-rest encryption, key management, network segmentation, or vulnerability management program.

    wordfast.com

    Bug bounty / independent audits

    No public bug-bounty program or independent penetration-test/audit disclosure found.

    wordfast.com

    // Products & data scope

    Wordfast ClassicDesktop TM plugin (MS Word)

    data: Translation memories and glossaries reside on the customer's own computer; not transmitted to or stored by Wordfast.

    Lowest data-exposure product in the family; effectively no vendor-side data handling to assess.

    Wordfast ProDesktop TM tool (multi-platform)

    data: Runs locally; translation content stays on the customer's machine unless the customer configures a connection to a remote TM/glossary server or a third-party machine-translation engine.

    MT connectors route content to whichever third-party MT provider the customer configures; that provider's data policy then applies, not Wordfast's.

    Wordfast AnywhereFree browser-based cloud TM tool

    data: The only product where translation content and account data are hosted on Wordfast's own servers (US and/or EU data centers per the privacy policy).

    Free tier tool; the privacy policy's GDPR/data-storage language applies most directly here. No dedicated enterprise security documentation found for this product.

    Wordfast ServerServer-based TM for LSPs/enterprises

    data: Deployed on the customer's or agency's own infrastructure (quote-based licensing); not a Wordfast-hosted service.

    Self-hosted, so most infrastructure security controls are the customer's own responsibility rather than Wordfast's.

    // What to watch

    • No dedicated trust/security/compliance page exists: trust.wordfast.com, security.wordfast.com, and compliance.wordfast.com all resolve to the generic marketing homepage rather than distinct content, and no SOC 2, ISO 27001, or HIPAA material was found anywhere on wordfast.com or wordfast.net.
    • Stale/outdated legal claim: the current privacy policy still asserts Wordfast is 'Privacy Shield certified,' but the EU-US Privacy Shield framework was invalidated by the CJEU in 2020 and replaced by the EU-US Data Privacy Framework in 2023. This looks like unmaintained legal copy rather than an active certification and should not be surfaced as a current cert.
    • Multi-product data exposure varies sharply within the same vendor: Classic/Pro/Server keep customer content off Wordfast's infrastructure entirely, while Wordfast Anywhere (the free product) is the only one actually hosted by Wordfast. A single vendor-level security rating would be misleading; list per-product data scope.
    • No public Data Processing Agreement (DPA); GDPR data-subject requests are handled via an email address (privacyrequests@wordfast.com) rather than a self-serve DPA or trust portal.
    • No public statement on whether Wordfast Anywhere content or MT connector traffic is used to train any Wordfast-operated model; graded as unknown (null), not assumed absent.

    // At a glance

    Pricing model

    Perpetual/subscription licenses for Classic and Pro; quote-based licensing for Server; Wordfast Anywhere is free

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Wordfast, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    wordfast.com

    > Browse all vendor trust reports