Information security and GDPR

The EU General Data Protection Regulation (GDPR) is a regulation designed to harmonize data processing and privacy across the EU. Transfluent respects your privacy and right to your data. Confidentiality is one of the cornerstones of our business and, therefore, we are on good terms with GDPR. Our NDA and Terms of Service exceed the minimum requirements of the GDPR. You can rest assured that your data belongs to you and we are committed to keeping it confidential.

Transfer, storage and processing of data between the EU and the United States
In order to comply with the GDPR, data processing and storage must take place inside the EU or countries that ensure an adequate level of data protection and privacy. Companies in the US that enforce the EU-US Privacy Shield are considered to be GDPR compliant.

All data is transferred securely between our EU and US data centers. The data centers we employ are operated by industry-leading service providers that comply with various standards and the industry’s best practices for secure cloud computing. Our EU data centers are located in Ireland and the Netherlands. Our US data center is operated by Amazon Web Services (hereinafter “AWS”). AWS is Privacy Shield compliant. For data redundancy and failover purposes, all data is replicated between the EU and US data centers.

Ownership of data
Your data belongs to you. We are committed to exporting your data to you or deleting your data upon request. However, please be aware that a complete deletion of data may not always be possible, for example due to mandatory legislation regarding financial transactions. To request an export of your data or the complete deletion of your data, please contact our customer support. Data deletion requests must be authorized by the account owner. The data is exported into a sanitized JSON-formatted encrypted ZIP file. Upon data deletion, a similar export file is provided before the data is deleted, if requested. As proof of deletion, the customer will receive a time-coded log of the itemized actions for each data entity and a list of the data that is still stored (for example, due to mandatory legislation).

Data deletion requests are processed within 2 weeks. Transfluent will erase the information and provide the proof of deletion within 6 weeks after user has sent the notice. In case of any open disputes or unresolved cases (including, but not limited to, ongoing translation projects, unpaid account balance and legal actions) between the customer company and Transfluent, Transfluent reserves the right to delay the deletion or refuse to delete the information.

Data encryption
All confidential data is encrypted at rest, and all transfers take place over a secure connection.

Information security and risk mitigation
The risks applicable to Transfluent’s operations are constantly evaluated, and security policies and processes are accordingly revised. We ensure that our vendors follow the best security practices and procedures and train and instruct our employees to do the same.

Transfluent has active and passive intrusion detection systems in place in its production and development environments. Furthermore, there is no access from the development environments to the production environment and any production data used in the development environments is sanitized to contain a minimal amount of confidential information.

Transfluent has in place extensive logging of all actions that automatically excludes sensitive information, such as passwords. The logging system operates independently and cannot be altered in case of a system intrusion. Unexpected events and suspicious activity are automatically reported to system administrators for review. The logs are regularly audited for finding anomalies that are not automatically detected.

There are system-wide security rules in place. For example, failed logins that exceed a certain threshold automatically lock the account in question in order to prevent brute-forcing access.

Transfluent encourages independent security researchers to participate in Transfluent’s HackerOne program in order to find vulnerabilities and report them responsibly. In case of security breaches, system outages or information disclosure, Transfluent is committed to notify the authorities and disclose the incident publicly, as appropriate.

Availability and data persistence
All information is duplicated across multiple data centers, backed up or both duplicated and backed up. The stored backups are encrypted, validated frequently and erased securely after expiration. The expiration periods range from hours to several years, with the latter period applied, for example, to financial transaction data for which there is a mandatory legal retention requirement.

Transfluent acknowledges that our service might be business critical to you. Consequently, we constantly work toward keeping the service always available. However, achieving 100% availability is a tremendous task and requires constant evaluation and improvement. Should any downtime or a service interruption occur, we will review the circumstances closely and plan carefully how to avoid such incidents in the future.

Transfluent has a developer mailing list (developer-notifications@transfluent.com) for notifications about service interruptions, planned maintenance periods or any upcoming changes to the API or our services. To join the mailing list, please contact our developer support.

Automatically collected information
The following information is automatically collected for every request submitted to Transfluent’s platform infrastructure and logging system.

Data entity Purpose of collection
IP address (& proxies [if applicable])
  • Account security tracking, e.g. password resets, failed logins
  • Abuse identification and prevention, e.g. denial of service attempts
  • Providing technical support and resolving issues, e.g. in case of failed customer requests
  • Detecting the user’s country, e.g. in order to provide service prices in the correct currency
User language&locale Used in order to automatically serve the most suitable content, e.g. for displaying a page in the user’s native language
Browser (User-Agent header)
  • Serving the most suitable content for the requesting device, e.g. mobile content
  • Providing technical support and resolving issues, e.g. problems with a customer request relating to a specific browser
  • Aggregated into anonymous statistical data for steering development and testing in order to support the most used browsers
User session
XFRS token
Session metadata
  • Providing the logged-in functionality and the service itself
  • Providing technical support and resolving issues, e.g. problems with a customer request relating to a specific user
  • Maintaining the security of the account with the XFRS token
  • Adapting the service to the user’s needs based on session metadata, e.g. by displaying appropriate settings and options in the translation widget
Requested resource, relevant headers and request payload (if applicable)
  • Performing the requested action, e.g. account creation
  • The request payload is usually discarded after the request is processed, but in case of an error or certain circumstances (e.g. security exception), the system will attempt to sanitize the request payload of any sensitive information and log it for manual review; this is carried out in order to keep the service secure and to provide support with issues, e.g. translation requests
Referrer header (if applicable)
Entry URI (if applicable)
  • Tracking marketing performance, e.g. the performance of a campaign landing page
  • Analyzing the origin of traffic based on the referrer header

In addition, Transfluent uses the following services that automatically collect anonymized information on requests sent to our web services: Google Analytics, Google AdWords, Google+ login, Hubspot, Pingdom, AdRoll, Facebook login, Facebook comments, and Facebook platform library (for like & share actions). Some of this information is used for targeted advertising, but the targeted entity remains anonymous. To prevent targeted advertising, please change your browser settings to reject third-party cookies. If requested by the user, some of these services, such as Google+ login and Facebook login, process your personal data according to their terms of service and cookie policies in order to provide the third-party authentication service. Read more about our cookie policy.

GDPR compliance
The current status of Transfluent’s GDPR compliance is described below.

Compliance topic Current status
Translation projects
+ metadata
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements
  • Verified compliance
Company accounts
+ metadata
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements
  • Verified compliance
User accounts
+ metadata
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements
  • Verified compliance
Miscellaneous, such as:
– HTTP requests
– non-specific metadata
– logging
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements
  • Verified compliance
Communication
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements
  • Verified compliance
Marketing
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements

The processes are being modified for compliance with the GDPR by May

Analytics and tracking
  • Analyzed associated data and permission to process
  • Acknowledged user data ownership requirements

The processes are being modified for compliance with the GDPR by May