Security at Crowdin

Organizational Security

Crowdin Information Security Policy requirements apply to the entire Crowdin organization and are mandatory for all employees and those involved in these business processes. ISMS is built on three pillars: people, processes, and technology, with an extensive implementation of a Zero Trust Architecture (ZTA). Zero Trust Architecture operates on the principle of "never trust, always verify", meaning that access to resources is never implicitly trusted based on the location of the user or the device. Instead, strict identity verification and continuous authentication are required for every access attempt, regardless of whether it originates from inside or outside the network perimeter. A Chief Information Security Officer (CISO) is responsible for ensuring the proper protection of information assets and technologies.

Security Training and Awareness

At Crowdin, we have All employees complete ongoing security and awareness training throughout the year. Each new team member completes basic security training within the first month of hire. We conduct regular access audits, password updates and operate on the principle of the least privilege. Role-specific security training is also required.

Hardware Security

All employee devices have encrypted hard drives. Only the appointed system administrator conducts hardware and software installation, configuration, or alteration. Delivery, removal of equipment to/from the data center facility is authorized, logged, and monitored. User-specific access credentials (e.g., user ID/password pair, etc.) are required to access workstation equipment, services, and applications.

• BYOD (Bring Your Own Device) is limited. Sensitive data is processed only on company-managed devices.
• Сompany-managed devices are equipped with MDM, binary authorization and monitoring systems, antivirus software, and controlled software updates.
• Mandatory Hardware Keys - Access to company data is controlled by mandatory hardware-based 2FA keys.
• Context-Aware Access - Access to corporate data is only allowed from company-managed devices.
• Location-based access restrictions are enforced.
• Binary Authorization and Monitoring - Only allowlisted binary files can be executed on employee devices.

Physical Security

Crowdin's office is monitored and protected by an alarm system and equipped with fire alarm systems. Closed-circuit (CCTV) cameras are installed across the office and capture entrances, exits, and other designated areas. Crowdin employees do not have physical access to any of our production facilities, as our whole infrastructure is in the cloud. Secure areas are protected with entry controls, so only authorized personnel is allowed access.

Network Security

Our internal network is restricted, segmented, password-protected, and all network security-related events are logged.

Software Security

Crowdin employs a team of 24/7/365 server specialists to keep our software and its dependencies up to date, removing potential security vulnerabilities. We use monitoring solutions to prevent and eliminate site attacks.

• Software Allowlisting - Only approved software and browser plugins are allowed on company devices.
• OAuth App Control - OAuth apps with access to corporate data are continuously controlled and monitored.
• Cloud services access is through SAML with context-aware access.

Incident Response

Crowdin implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Employee Vetting

Crowdin performs background checks on all new employees, contractors, or other individuals who have access to systems or the network or physical data center facilities in accordance with local laws.

Third-Party & Supplier Security

Crowdin maintains vendor risk management practices to ensure third parties are scrutinized and maintain expected levels of security controls. View our List of Sub-processors.

Secure, reliable infrastructure

Crowdin uses Amazon Web Services (AWS) data centers for our computing infrastructure, with geographical restrictions in place to ensure data processing is limited to specific countries to enhance security. AWS has ISO 27001 certification and has completed multiple SSAE 16 audits. For more information on AWS security measures, visit AWS Cloud Security page.

In addition to the benefits provided by AWS, our application has additional built-in security features:

• Двухфактарная праверка сапраўднасці
• Single Sign-On via SAML 2.0
• REST API Authentication - API token with granular permission control
• Role-based permissions
• Backups and versioning
• Crowdin enforces a password complexity standard
• Device Verification feature provides an additional layer of security, protecting accounts in case a password is compromised

PCI Obligations

When you sign up for a paid Crowdin account, we do not store any of your billing information on our servers. All payments made to Crowdin are processed through our partner, FastSpring, which complies with the PCI Security Standard. For more information, please visit FastSpring's Risk Management + Compliance page.

Uptime

Check our past month stats at https://status.crowdin.com/. You can request an SLA agreement as a separate service, for this contact us at onboarding@crowdin.com

Access to Data

Access to customer data is limited to authorized employees who require it for their job. An example of this is our Support team. The support team representatives may only have access to the files or settings needed to solve issues submitted by customers.

Business Continuity & Disaster Recovery

We have developed, regularly test and update both a Disaster Recovery Plan and a Business Continuity Plan.

Penetration Testing

Crowdin performs annual penetration testing conducted by an independent, third-party security audit company. No customer data is exposed to the company during testing. A summary of the penetration test results is available to enterprise customers upon request.

Bug Bounty Program

Crowdin uses HackerOne to host its Bug Bounty Program, which officially launched on July 17th, 2024. The program follows HackerOne's Standard Program guidelines to ensure a structured and effective vulnerability management process. Currently, the program is private, inviting a select group of security researchers to participate.

If you have any questions about security at Crowdin or would like to submit a vulnerability report, please contact us at support@crowdin.com.

We will work with you to assess the issue and fully address any concerns. Emails about security issues are treated with the highest priority. Safety and security of our service are our top priorities.