AICPA SOC

Certification

Lokalise Inc. is SOC 2 Type 2 certified. The SOC 2 Type 2 compliance demonstrates that Lokalise’s security policies, measures, and procedures rigorously protect the consumer data managed by the Lokalise Translation Management Platform/System.

Privacy Shield Framework

Data Privacy Practices

Lokalise Inc. complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the processing and transfer of personal data.

Data privacy

GDPR compliance

We know our part to play in protecting our customers’ privacy and personal data. Lokalise has appointed a Data Protection Officer (DPO) to monitor our own compliance. The DPO is available to our customers to discuss data privacy issues via privacy@lokalise.com

Monitored 24/7/365
Uptime 99.9% or higher
Sound business ethics

Information security management

Our information security policy defines the Lokalise approach to how systems and data are protected. To keep our policy, standards, and guidelines secure, each policy has an Owner who's responsible for managing the risk outlined in the Policy Objective. All policies are reviewed at least once a year to make sure they stay relevant and manage risk appropriately.

Human resources security

Lokalise has sound business ethics, which are maintained by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security. That way, we minimize the risk of human error such as theft, fraud, and misuse of information assets.

Access control

Lokalise uses role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. All resources are managed in the asset inventory system and each asset is assigned an owner. Owners are responsible for approving access to the resource and for performing periodic reviews of access by role.

Customer employees access the company services over the Internet using the SSL functionality of their web browser. These customer employees must supply a valid Google account to gain access to customer cloud resources.

On an annual basis, access rules for each role are reviewed by a security working group. In evaluating role access, group members consider job descriptions, duties requiring segregation, and risks associated with access. Completed rules are reviewed and approved by the CISO.

Cryptography controls

Lokalise uses encryption technologies to protect customer data both at rest and in transit and establishes operational requirements that support the achievement of security commitments, relevant laws and regulations, and other system requirements. Such requirements are communicated in Lokalise’s system policies and procedures, system design documentation, and contracts with customers.

Physical and environmental security

Access to our offices is restricted and enforced by security personnel services. When confidential information is physically stored on our premises, access is only available to authorized personnel.

Encryption

We use encryption technologies to protect customer data both at rest and in transit.

Operational security

Servers

Our files and virtual machines are hosted with Hetzner.de, a large managed cloud provider trusted globally for its reliable network. Hetzner adheres to, and is regularly audited against, the DIN ISO/IEC 27001 certification standard. We also distribute content via Amazon S3.

Change management

All servers are updated in the monthly service window. That way we ensure that production servers do NOT have critical or important updates outstanding for more than 30 days.

System monitoring and alerting

The Lokalise system is monitored 24/7/365 by different monitoring tools. Our uptime is 99.9% or higher. Critical alerts are immediately sent to the DevOps team and escalated to operations management and incident response procedure. Want to see for yourself? Check our past month statistics here: https://status.lokalise.com

Backups

We do full daily automated and encrypted backups of our databases. Customer data is backed up and monitored by operations personnel for completion and exceptions.

Data

Production customer data is encrypted in transit. We do not store any credit card information. All our credit card processing is handled by Stripe, which is listed in Visa’s registry of service providers as a PCI Level 1 service provider.

System development and maintenance

Our software development process includes extensive code reviews during the code development phase and before code is pushed to production. We also perform regular audits and checks against known security flaws, including the OWASP Top Ten.

Supplier relations

Lokalise has designed and implemented controls to monitor our vendors. In addition, vendor agreements, including any security, availability, and confidentiality commitments, are reviewed by appropriate Lokalise management during the risk management process. Vendors are also required to sign the vendor agreements before any services are rendered.

Business continuity management

Redundancy is built into the system infrastructure to help ensure that there is no single point of failure – and this includes firewalls, routers, and servers. In the event that a primary system fails, the redundant hardware is configured to take its place.

Penetration testing is conducted to measure the security posture of a target system or environment. Every nine months, we perform a simulation to test the Lokalise disaster recovery plan.

Governance, Risks and Compliance

Lokalise designs its processes and procedures to meet its business objectives for its services. Those objectives are based on the service commitments that Lokalise makes to user entities, the laws and regulations that govern the provision of the services, and the financial, operational, and compliance requirements that Lokalise has established.

Security commitments to user entities are documented and communicated in Service Level Agreements (SLAs) and the general Terms of Service available at https://lokalise.com/terms, as well as in the description of the service offering provided online.

Security principles built into the fundamental design, in line with GDPR, permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.

Incidents

What happens in case of incidents?

Incident response policies and procedures are in place to guide our team in reporting and responding to information system incidents. Lokalise monitors the capacity utilization of virtual machines to ensure that service delivery matches service level agreements.

Do you have a security concern you'd like to discuss with us or any vulnerability regarding Lokalise services you'd like to report? Don't hesitate to contact us at hello@lokalise.com