Lokalise security and compliance for enterprise teams
Lokalise holds SOC 2 Type II, ISO 27001, and ISO 27017 certifications and processes customer data on EU-based AWS infrastructure. Lokalise's security controls and practices are continuously validated through an annual SOC 2 Type II audit. Enterprise teams in healthcare, financial services, and regulated industries use Lokalise with SSO/SAML, role-based access control, and audit logs to meet internal security and procurement requirements.
Trusted by 1 million users across 3,000+ companies. From scale-ups to the Forbes Global 2000.
Lokalise holds the following certifications and compliance standards

SOC 2 Type II
Lokalise's security controls and practices are continuously validated through an annual SOC 2 Type II assessment. The SOC 2 Type II report confirms Lokalise's compliance with the AICPA Trust Services Criteria for security, availability, and confidentiality.

ISO 27001 and ISO 27017
Lokalise holds ISO/IEC 27001 certification for information security management and ISO/IEC 27017 certification for cloud service providers, both since November 2020. Lokalise maintains its certified status for ISO 27001 and ISO 27017.

HIPAA alignment
No cloud TMS can obtain formal HIPAA certification. Lokalise aligns its security and risk management program with HIPAA requirements through its SOC 2 Type II certification. Customers who qualify as a Covered Entity or Business Associate under HIPAA may use the platform.

GDPR
Lokalise has appointed a Data Protection Officer to monitor GDPR compliance. Customer data subject requests can be submitted to privacy@lokalise.com.

PCI DSS
Lokalise is not PCI DSS certified. Lokalise processes payments through Stripe, a PCI DSS-certified payment processor. Lokalise does not store credit card numbers or payment information in its systems.

Enterprise access controls
Lokalise supports the access control requirements of enterprise security teams.
Single sign-on (SSO) and SAML 2.0
Lokalise supports SAML-based single sign-on for enterprise teams. SSO configuration allows identity providers to manage user authentication centrally, so access to Lokalise is governed by the enterprise's existing IdP. Supported identity providers include Google, Microsoft Azure AD, Okta, OneLogin, Keycloak, PingFederate, and PingIdentity (all via SAML). SSO/SAML is available on the Enterprise plan.
Role-based access control (RBAC)
Lokalise uses a role-based security architecture. User roles and permissions are configured at the team and project level, so each user accesses only the content and functions they are permitted to see.
Two-factor authentication (2FA)
Users can activate two-factor authentication on individual accounts. Password policies and secure password enforcement are configurable by administrators.
Application audit logs
Lokalise maintains a detailed application audit log of all activities performed in the system. Logs are available through the application interface and exportable to CSV. Audit log data is retained for 12 months.
API access controls
API access requires token authentication and uses the same RBAC model as the web interface. Tokens are scoped to permissions and can be revoked at any time.
Data hosting and sovereignty
Lokalise processes and stores customer data on Amazon Web Services infrastructure in EU regions. AWS data centres used by Lokalise hold ISO 27001 certification. Lokalise does not process or store customer data in non-EU regions.
On-premises and private cloud deployments are not supported. Lokalise uses sub-processors that may access customer data, and AI translation features are processed by third-party AI service providers.
Physical Security
Lokalise uses ISO 27001 certified data center facilities and relies on the data center providers for physical access control.
Entry points
Lokalise is a web-based translation and localization platform that adapts mobile apps, websites, games, and other digital content for international markets and multiple languages. Lokalise was designed as an alternative to outdated and expensive tools, with a clear focus on content automation and integrations, so that teams no longer have to manage unmanageable numbers of emails, spreadsheets, and unanswered questions.
- Lokalise Cloud App (app.lokalise.com) is the main UI entry point for our customers. It connects to the backend, which is hosted in the AWS cluster and configured with multi-zone high availability (HA).
- Lokalise API (api.lokalise.com) is the entry point for external API calls. It is hosted in the AWS cloud and runs in an HA configuration.
- Lokalise Worker Server processes the internal task queue and executes the cron jobs. It is hosted in the AWS cloud (HA to be implemented).
Lokalise uses a role-based security architecture and requires users of the system to be identified and authenticated before they can use any system resources.
Different user roles and access rights are documented here: Teams and Roles.
Lokalise provides multiple ways of user authentication:
- Local user accounts: Users can sign up with a valid email address and set their password. Optionally, users can activate two-factor authentication. Administrators can also set password policies and enforce secure password settings: Secure password configuration
- Existing accounts: Users can also use their existing GitHub, Google, and Microsoft accounts to sign in to the system with the single sign-on functionality.
- Single sign-on: It is also possible to use SAML for enterprise single sign-on.
More information on how to manage teams, users, and roles can be found using our documentation: Manage teams, users, and groups.
Secure payments
Lokalise does not store, process, or transmit credit card numbers or payment information within its platform. All payment processing is handled by Stripe, a PCI DSS-certified processor. Lokalise conducts an annual internal compliance assessment against PCI DSS requirements applicable to its role as a merchant.
We use a PCI DSS-certified third-party payment processor, Stripe, to process payments made to Lokalise securely. We do not retain any personally identifiable information or any financial information such as credit card numbers in our services. All such information is provided directly to a third-party processor engaged by Lokalise. In addition, we perform a yearly internal compliance assessment against the PCI DSS requirements that apply to us as a merchant.
Corporate Security
Security team
Lokalise has an internal Security team that covers all aspects related to IT Security. The Security team works closely together with the Legal department on compliance and data protection matters.
Security Policies
Our security operations are aligned with ISO 27001 principles and recommended processes. We have several processes in place and an extensive set of cybersecurity-related policies that help us monitor security risks: technical ones such as log management, access management, and vulnerability scanning, as well as continuous user education and assessment. All procedures are documented and in good standing, as attested by our SOC 2 Type II certification.
Systems hardening
We use CIS guidelines for server/device and service hardening.
Malware protection
Employee equipment is protected by an enterprise-grade antivirus solution.
Performance and monitoring
We have several internal solutions in place for monitoring our systems, application availability, and other critical parameters. We also operate a solution for managing and monitoring the performance of our application.
In addition, we have implemented a central log management tool and are increasing our visibility by ensuring that all critical logs are forwarded to it.
Vulnerability management
There is an ongoing vulnerability and patch management process in place. Server operating systems are regularly patched and updated and we have multiple internal processes in place that help identify any potential vulnerabilities.
Internal risk management
Lokalise has implemented risk management as an ongoing process in its key business processes so it organically aligns with day-to-day operations. This approach is intended to align the entity’s strategy more closely with its key stakeholders, assist the organizational units with managing uncertainty more effectively, minimize threats to the business, and maximize its opportunities in the rapidly changing market environment.
Lokalise identifies the underlying sources of risk, measures the impact on organizations, establishes acceptable risk tolerance levels, and implements appropriate measures to monitor and manage the risks.
Third party risk management
To support the delivery of our services, Lokalise, Inc. may engage and use data processors with access to certain Customer Data. This sub-processors page provides important information about the identity, location, and role of each Sub-processor.
We evaluate every third party with which we enter into a business relationship. The evaluation covers points such as ownership, country of residence, security attestations, data protection measures, and previous incidents.
Incident response
Lokalise has an established Incident Response policy.
If we identify that customer data was affected as the result of an incident, we will inform the affected customers within 48 hours. The information provided is determined on a case-by-case basis.
All incidents can be reported to support at hello@lokalise.com or using the in-application chat functionality.
Human resources security
Lokalise has sound business ethics, which we maintain by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security and undergo regular security awareness training. In that way, we minimize the risks of human error, theft, fraud, and misuse of information assets.
Bug bounty
We are continuously running a private bug bounty program with YesWeHack.
Responsible disclosure
Lokalise has implemented a vulnerability disclosure policy and discovered vulnerabilities can be reported following our policy guidelines.
Frequently asked questions
What security certifications does Lokalise hold?
Lokalise holds ISO/IEC 27001 and ISO/IEC 27017 certifications and is SOC 2 Type II compliant. Lokalise complies with GDPR and has appointed a Data Protection Officer. Lokalise aligns its security and risk management program with HIPAA requirements through its SOC 2 Type II certification.
Where is Lokalise customer data hosted?
Lokalise processes and stores customer data on Amazon Web Services infrastructure in EU regions. AWS data centres used by Lokalise hold ISO 27001 certification. Customer data is not stored outside EU regions.
Does Lokalise support single sign-on and SAML?
Yes. Lokalise supports SAML 2.0-based single sign-on for enterprise teams. SSO is configurable with the enterprise's existing identity provider, allowing centralized authentication management. Role-based access control and two-factor authentication are also available.
Can Lokalise be used in healthcare or regulated industries?
Lokalise is used by enterprise teams in healthcare, financial services, and pharmaceuticals. Its SOC 2 Type II compliance, ISO 27001 certification, RBAC, and audit logs meet the vendor security requirements of regulated-industry procurement teams. No cloud TMS can obtain formal HIPAA certification. Lokalise aligns its program with HIPAA requirements through SOC 2 Type II.
How does Lokalise manage access to customer data internally?
Lokalise limits internal access to customer data to authorised support and DevOps personnel only, for support and troubleshooting purposes. Upon contract termination, all customer data is automatically deleted from Lokalise systems, except where retention is required by law.
What is Lokalise's audit log retention policy?
Lokalise maintains a detailed application audit log of all system activities. Logs are exportable via the application interface. Audit log data is retained for 12 months. For deleted projects or teams, audit data is removed after 30 days.
Does Lokalise have a vulnerability disclosure or bug bounty program?
Yes. Lokalise runs a private bug bounty program through YesWeHack. Security vulnerabilities can be reported through Lokalise's vulnerability disclosure policy.
Do you have a security concern you'd like to discuss with us, or do you want to report a vulnerability in Lokalise’s services? Please don't hesitate to contact us at hello@lokalise.com.
©2017-2026
All Rights Reserved.
