Security & privacy
Built for the work that has stakes.
Legal filings, medical records, asylum support packets, leadership videos, voice clones — the documents that matter most are also the ones that demand the most. Here is exactly how we handle them.
Privacy without theatre.
These are deliberate architectural choices, not marketing checkboxes. They shape every line of the platform and we will not undo them.
- 01
Encrypted in transit and at rest
TLS 1.3 for every byte that crosses the network. AES-256 for every byte we store. Keys are managed by the platform and rotated on a published schedule.
- 02
Never used for training
Your source text, video footage, voice references, glossaries and translated output are never used as training data. Never sent to third-party AI providers. Never become someone else's data point.
- 03
Configurable retention
Retention defaults to 30 days and can be set anywhere from 7 days to 1 year. Immediate deletion on completion is available on every plan: source and output are purged the moment you download the result.
- 04
GDPR end-to-end
Full GDPR compliance with Article 28 DPAs available on Business and enterprise plans. EU data residency option for regulated workloads. SCCs in place where applicable.
- 05
Documented sub-processors
A short, audited list of sub-processors handles infrastructure, payments and transactional email. The full list — including jurisdictions and data categories — is provided under DPA.
- 06
Role-based access control
Organisation accounts with owner / editor / commenter / viewer roles. SSO via SAML and provisioning via SCIM on enterprise plans. Per-API-key spend caps and per-key audit trails.
How the platform defends itself.
- Authentication
Email + password, with passwords stored only as hashes and never in plaintext. Passkey (FIDO2 / WebAuthn) support via Touch ID, Face ID, Windows Hello and hardware keys. SSO via SAML on enterprise plans.
- API authorisation
Bearer-key authentication, per-key monthly spend caps, per-key audit trail, instant revocation. Rotate keys without affecting the rest of your integration.
- Webhook signing
Every webhook delivery is signed with HMAC-SHA-256 over the raw request body using your webhook secret. Verify it against the bytes exactly as received, using a constant-time comparison. Replay protection comes from a timestamp header: reject any delivery whose timestamp is more than 5 minutes old.
- Database isolation
Per-tenant row-level scoping enforced at the data layer. Application code never queries jobs without an authenticated user identity. Penetration tested annually.
- Backups
Encrypted database snapshots. Point-in-time recovery within retention. Restoration drills run on a published schedule. Customer-controlled data deletions propagate to backups within 30 days.
- Incident response
24-hour acknowledgement for any security report. PGP-encrypted disclosure channel. Status page at status.traxlate.com with subscribe-by-email and webhook for incident notifications.
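The webhook verification described under "Webhook signing", as an added example rather than Traxlate's own SDK. The header names, the "timestamp.body" layout of the signed input and the hex encoding are assumptions made for illustration; the platform's webhook documentation is authoritative. One point the example makes explicit: the 5-minute freshness check only defeats replay if the timestamp is itself covered by the signature, otherwise a captured body can be re-sent with a fresh timestamp.

```python
"""Verifying a signed webhook delivery: HMAC-SHA-256 plus a freshness window.

Added example, not Traxlate's SDK. Header names, the "timestamp.body" layout
of the signed input and the hex digest encoding are assumptions for illustration.
"""
import hashlib
import hmac
import json
import time

SIGNATURE_HEADER = "x-traxlate-signature"  # assumed header name
TIMESTAMP_HEADER = "x-traxlate-timestamp"  # assumed header name
MAX_AGE_SECONDS = 300                      # "reject events older than 5 minutes"


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: MAC the timestamp and the raw body together.

    Binding the timestamp into the signed input is what makes the freshness
    check a real replay defence: a captured body re-sent with a fresh
    timestamp no longer verifies.
    """
    signed_input = str(timestamp).encode() + b"." + body
    return hmac.new(secret, signed_input, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Receiver side: True only if the delivery is both fresh and authentic.

    `body` must be the raw bytes exactly as received. Re-serialising parsed
    JSON changes whitespace and key order and breaks the MAC.
    """
    now = int(time.time()) if now is None else now
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ts_raw = lowered.get(TIMESTAMP_HEADER)
    presented = lowered.get(SIGNATURE_HEADER)
    if ts_raw is None or presented is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    # Freshness window: reject stale deliveries, and ones dated in the future
    if abs(now - ts) > MAX_AGE_SECONDS:
        return False
    expected = sign(secret, ts, body)
    # Constant-time comparison: a plain == leaks the digest through timing
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Exercise the happy path and the failure modes on a constructed delivery."""
    secret = b"whsec_constructed_example"  # constructed, not a real secret
    body = json.dumps({"event": "job.completed", "job_id": "job_123"}).encode()  # constructed payload
    sent_at = 1_700_000_000
    headers = {
        "Content-Type": "application/json",
        "X-Traxlate-Timestamp": str(sent_at),
        "X-Traxlate-Signature": sign(secret, sent_at, body),
    }
    tampered_body = body.replace(b"job_123", b"job_999")
    # Attacker replays the captured delivery ten minutes later with a fresh timestamp
    replayed = {**headers, "X-Traxlate-Timestamp": str(sent_at + 600)}
    return {
        "valid": verify(secret, headers, body, now=sent_at + 10),
        "tampered_body": verify(secret, headers, tampered_body, now=sent_at + 10),
        "stale": verify(secret, headers, body, now=sent_at + MAX_AGE_SECONDS + 1),
        "replayed_with_fresh_timestamp": verify(secret, replayed, body, now=sent_at + 610),
        "wrong_secret": verify(b"whsec_other", headers, body, now=sent_at + 10),
        "missing_signature": verify(secret, {"X-Traxlate-Timestamp": str(sent_at)}, body, now=sent_at),
    }


if __name__ == "__main__":
    print(demo())
```

In a real handler, read the body with the framework's raw-bytes accessor before any JSON parsing, and keep the secret out of the codebase (environment variable or secrets manager), rotating it through the same per-key revocation path as API keys.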
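The "Database isolation" point above says tenant scoping is enforced at the data layer rather than left to each endpoint. Below is an added example of that pattern, not Traxlate's code; the `jobs` table, its columns and the `JobStore` API are assumptions for illustration, and sqlite3 is used so it runs offline. It shows the unscoped "id only" query that produces an IDOR next to a store that cannot run a jobs query without an identity and its organisation filter.

```python
"""Per-tenant row-level scoping enforced in the data layer.

Added example, not Traxlate's code. Table/column names and the JobStore API
are assumptions for illustration; sqlite3 keeps it self-contained.
"""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """The authenticated caller. Every data access must carry one."""
    user_id: str
    org_id: str


class JobStore:
    """Data layer that never runs a jobs query without a tenant scope.

    The bug this prevents: an endpoint takes a job id from the URL and
    queries `WHERE id = ?` alone, so any authenticated user can read another
    organisation's job (an IDOR). Here the store adds the org filter itself,
    so application code cannot forget it.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS jobs ("
            "id TEXT PRIMARY KEY, org_id TEXT NOT NULL, status TEXT NOT NULL)"
        )

    @staticmethod
    def _require(identity: Optional[Identity]) -> Identity:
        if identity is None:
            raise PermissionError("jobs are never queried without an authenticated identity")
        return identity

    def create(self, identity: Identity, job_id: str, status: str = "queued") -> None:
        identity = self._require(identity)
        self.conn.execute(
            "INSERT INTO jobs (id, org_id, status) VALUES (?, ?, ?)",
            (job_id, identity.org_id, status),
        )

    def get(self, identity: Identity, job_id: str) -> Optional[dict]:
        identity = self._require(identity)
        row = self.conn.execute(
            "SELECT id, org_id, status FROM jobs WHERE id = ? AND org_id = ?",
            (job_id, identity.org_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "org_id": row[1], "status": row[2]}

    def delete(self, identity: Identity, job_id: str) -> bool:
        """True only if a row belonging to the caller's org was removed."""
        identity = self._require(identity)
        cur = self.conn.execute(
            "DELETE FROM jobs WHERE id = ? AND org_id = ?", (job_id, identity.org_id)
        )
        return cur.rowcount == 1


def unscoped_get(conn: sqlite3.Connection, job_id: str) -> Optional[dict]:
    """The vulnerable 'before': id alone, no tenant filter, no caller. Contrast only."""
    row = conn.execute("SELECT id, org_id FROM jobs WHERE id = ?", (job_id,)).fetchone()
    return None if row is None else {"id": row[0], "org_id": row[1]}


def demo() -> dict:
    """Constructed scenario: Alice (org_a) owns a job; Mallory (org_b) probes it."""
    conn = sqlite3.connect(":memory:")
    store = JobStore(conn)
    alice = Identity("u_alice", "org_a")
    mallory = Identity("u_mallory", "org_b")
    store.create(alice, "job_1")
    try:
        store.get(None, "job_1")
        anonymous_rejected = False
    except PermissionError:
        anonymous_rejected = True
    return {
        "owner_can_read": store.get(alice, "job_1") is not None,
        "other_tenant_blocked": store.get(mallory, "job_1") is None,
        "other_tenant_cannot_delete": store.delete(mallory, "job_1") is False,
        "still_present_after_foreign_delete": store.get(alice, "job_1") is not None,
        "anonymous_rejected": anonymous_rejected,
        "unscoped_query_ignores_tenant": unscoped_get(conn, "job_1") is not None,
        "owner_can_delete": store.delete(alice, "job_1") is True,
    }


if __name__ == "__main__":
    print(demo())
```

Returning `None` for a foreign tenant's job (rather than a distinct "exists but forbidden" error) also avoids confirming job ids across organisations.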
Documents your legal team can sign.
Redlineable MSA, DPA, security supplement, sub-processor list and BAA available on request for Business plan and enterprise customers. We answer most legal-review questions within five business days.
Security, answered.
Real questions from buyers, real answers. If something isn't covered here, the full FAQ lives at /faq and you can always open a ticket.
Is my data used to train AI models?
No. Your source text, video footage, voice references and translated output are never used as training data and are never sent to third-party AI providers for processing.
Where is data processed?
Primary processing happens in EU data centres. EU data residency is available on enterprise plans for workloads that require it. We never route customer data through US-based AI vendors that retain or train on input.
Can I get a Data Processing Agreement?
Yes, for Business plan and enterprise customers. Contact sales@traxlate.com. The DPA covers Article 28 obligations, sub-processor disclosure, SCCs for international transfers, and breach notification timelines.
What about HIPAA?
We offer HIPAA Business Associate Agreements (BAAs) on enterprise plans for customers handling protected health information. Contact sales for the BAA template and current PHI-handling restrictions.
What certifications do you hold?
GDPR compliance is end-to-end across the platform (regulatory compliance rather than a certification). A SOC 2 Type II audit is in progress and ISO 27001 is on the roadmap. Specific certifications and attestation letters are provided under NDA; contact sales.
How do I report a vulnerability?
Email security@traxlate.com with the details. PGP key available on request. We acknowledge every report within 24 hours and run a responsible disclosure programme: no legal action against good-faith research within the policy bounds.
What happens when I delete a job?
Deletion propagates to primary storage immediately. Encrypted backups containing the job age out within 30 days. Caches purge on the standard rotation. After 30 days, the data is unrecoverable from any system we operate.
Are my voice clones private?
Yes. Cloned voices stay private to your account, never shared, never used to train anything, never licensed out. You can delete the clone any time and we discard the underlying reference.
What about CLOUD Act exposure?
Primary processing happens in EU data centres. Note that CLOUD Act reach follows a provider's corporate ties to the US rather than the physical location of its servers, so the question to ask of any processing chain is who the sub-processors are. Specific guarantees, the sub-processor list and architecture documentation are provided under DPA for regulated industries that need to document their data processing chain.
Have a procurement checklist?
Send it. We answer most questionnaires inside five business days. DPA template, sub-processor list and certification status available under NDA.