Lokalise’s industry-leading security

We set the standard for translation and localization data security, no matter the size of your business. Here you can find details of our policies and protocols.

Compliance and certifications

  • iso_27001
    ISO 27001 and ISO 27017

    ISO/IEC 27001 is an international standard for information security management systems. We have been certified according to this standard, and its specially created extension for cloud service providers, ISO/IEC 27017, since November 2020. This assures that our security practices, data safeguards, and risk management processes meet the highest standards and comply with industry best practices.

  • icon_certificate
    SOC 2 Type 2

    Lokalise, Inc. is SOC 2 Type 2 certified. This SOC 2 Type 2 compliance demonstrates that our security policies, measures, and procedures rigorously protect the consumer data managed by the Lokalise translation management platform/system.

  • icon_gpr
    GDPR compliance

    We know the role we have in protecting our customers’ privacy and personal data. That’s why we’ve appointed a Data Protection Officer to monitor our own compliance. Our DPO is available to our customers to discuss data privacy issues at

  • PCI_DSS_logo
    Lokalise and PCI DSS

    We use a PCI DSS-certified third-party payment processor, Stripe, to process payments made to Lokalise securely. We do not retain any personally identifiable information or any financial information such as credit card numbers in our services. All such information is provided directly to a third-party processor engaged by Lokalise. In the meantime, we do a yearly internal compliance assessment against PCI DSS requirements to make sure that we meet those as much as they relate to us.

  • HIPAA_logo
    Lokalise and HIPAA

    There is no HIPAA certification for cloud service providers such as Lokalise. To meet HIPAA requirements, we align our HIPAA risk management program with SOC2 Type 2 certification. Any customer that qualifies as a “Covered Entity” or “Business Associate” under HIPAA may use our platform without signing a Business Associate Addendum. We do not knowingly process, store, or transmit any protected health information (PHI) of our customers and users. If you would like to process, store, or transmit any PHI through our platform, you should contact us at

  • Lokalise_Pricing_Sound_business_ethics

    Sound business ethics

  • Lokalise_Pricing_Uptime

    Uptime 99.5% or higher

  • Lokalise_Pricing_monitored

    Monitored 24/7/365

Our policies

Human resources security

Lokalise has sound business ethics, which we maintain by hiring and retaining high-quality personnel. All employees know their responsibilities and roles in connection with information security and undergo regular security awareness training. That way, we minimize the risk of human error such as theft, fraud, and misuse of information assets.

Access control

Lokalise uses a role-based security architecture and requires users of the system to be identified and authenticated prior to the use of any system resources. For enhanced security, we support enabling 2-factor authentication for every user and also support login with social accounts like Google, GitHub, and Microsoft. Customers also can use SAML to authenticate users from their enterprise directory. Your employees can access the company services through the Internet using the SSL functionality of their web-browser. The employees must supply a valid Google account to gain access to customer cloud resources.


We use encryption technologies to protect customer data both at rest and in transit.

Information security management

Our Information Security Policy is based on the guidelines of ISO/IEC 27001. It outlines Lokalise's approach to the protection of our systems and data. Each policy, standard, and guideline has an Owner to ensure information security at Lokalise. Owners are responsible for managing the risks outlined in the Policy Objective. We carry out regular internal and external audits to examine our compliance with general requirements of ISO 27001, SOC2, HIPAA, and PCI DSS.

Physical and environmental security

Access to our offices is restricted and enforced by security personnel services. When confidential information is physically stored on our premises, access is only available to authorized personnel.

Operational security

  • Servers

    We use and AWS Cloud European data centers to host our services. AWS is certified according to multiple security standards and Hetzner adheres to and is regularly audited for the ISO/IEC 27001 certification.

  • System monitoring and alerting

    The Lokalise system is monitored 24/7/365 by different monitoring tools. Our historical uptime is 99.9% or higher. Critical alerts are immediately sent to the DevOps team and escalated to operations management and the incident response procedure. Want to see for yourself? Check our past month’s statistics here

  • Backups

    We do full daily automated and encrypted backups of our databases. Customer data is backed up and monitored by operations personnel for completion and exceptions.

  • Change management

    We follow industry best practices and modern DevOps techniques to maintain the Lokalise application. The change management process is documented and regularly audited for non-conformities. Upon significant changes, customers are informed in a timely manner in advance via email. We have several stages of code review and quality assurance before changes are implemented in production.

  • Data

    Production customer data is encrypted in transit and at rest. We use up-to-date SSL/TLS versions to secure the data. At-rest data is encrypted using AES algorithms. Production data is anonymized before use in development or test environments.

Governance, Risks and Compliance

We design our processes and procedures to meet the business objectives of our services. Those objectives are based on the service commitments that we make to user entities, the laws and regulations that govern the provision of the services, and the financial, operational, and compliance requirements that we have established. Security commitments to user entities are documented and communicated in service-level agreements (SLAs) and the general Terms of Service available at, as well as in the description of the service offering provided online. Security principles within the fundamental designs under GDPR are designed to permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role. Security commitments to user entities are documented and communicated in Service Level Agreements (SLAs) and the general Terms of Service available at /terms, as well as in the description of the service offering provided online. Security principles within the fundamental designs under GDPR that are designed to permit system users to access the information they need based on their role in the system while restricting them from accessing information not needed for their role.

What happens in case of incidents

We continuously monitor our system and infrastructure for security incidents. Incident response policies and procedures are in place and regularly reviewed to guide our team in reporting and responding properly to information system incidents.

Business continuity management

Redundancy is built into the Lokalise application in multiple layers of the system to help ensure that there is no single point of failure. In the event of a component failure, it will recover automatically without, or with very minimal, interruption. Penetration testing is conducted to measure the security posture of our system at least annually. Penetration testing is conducted to measure the security posture of a target system or environment. Every nine months, we perform a simulation to test the Lokalise disaster recovery plan.

System development and maintenance

Our software development process includes extensive code reviews during the code development phase and before code is pushed to production. We also perform regular audits and checks against known security flaws, including the OWASP Top Ten.

Supplier relations

We have designed and implemented controls to monitor our vendors. In addition, we perform due diligence on any vendor before signing the agreement. We review and make sure that our vendors meet the same or higher standards regarding security, availability, and confidentiality as we do for our customers.

Do you have a security concern you'd like to discuss with us or do you want to report a vulnerability in Lokalise’s services? Please do so by visiting Lokalise’s Responsible Vulnerability Disclosure Program at: or contact us at .

Localization made easy. Why wait?

Try for free or let us show you how it works.