Security at Crowdin

Organizational Security

Crowdin Information Security Policy requirements apply to the entire Crowdin organization and are mandatory for all employees and those involved in these business processes. ISMS is built on three pillars: people, processes, and technology, with an extensive implementation of a Zero Trust Architecture (ZTA). Zero Trust Architecture operates on the principle of "never trust, always verify", meaning that access to resources is never implicitly trusted based on the location of the user or the device. Instead, strict identity verification and continuous authentication are required for every access attempt, regardless of whether it originates from inside or outside the network perimeter. A Chief Information Security Officer (CISO) is responsible for ensuring the proper protection of information assets and technologies.

Security Training and Awareness

At Crowdin, we have All employees complete ongoing security and awareness training throughout the year. Each new team member completes basic security training within the first month of hire. We conduct regular access audits, password updates and operate on the principle of the least privilege. Role-specific security training is also required.

Hardware Security

All employee devices have encrypted hard drives. Only the appointed system administrator conducts hardware and software installation, configuration, or alteration. Delivery, removal of equipment to/from the data center facility is authorized, logged, and monitored. User-specific access credentials (e.g., user ID/password pair, etc.) are required to access workstation equipment, services, and applications.

• BYOD (Bring Your Own Device) is limited. Sensitive data is processed only on company-managed devices.
• Сompany-managed devices are equipped with MDM, binary authorization and monitoring systems, antivirus software, and controlled software updates.
• Mandatory Hardware Keys - Access to company data is controlled by mandatory hardware-based 2FA keys.
• Context-Aware Access - Access to corporate data is only allowed from company-managed devices.
• Location-based access restrictions are enforced.
• Binary Authorization and Monitoring - Only allowlisted binary files can be executed on employee devices.

Physical Security

Crowdin’s office is monitored and protected by an alarm system and equipped with fire alarm systems. Closed-circuit (CCTV) cameras are installed across the office and capture entrances, exits, and other designated areas. Crowdin employees do not have physical access to any of our production facilities, as our whole infrastructure is in the cloud. Secure areas are protected with entry controls, so only authorized personnel is allowed access.

Network Security

Our internal network is restricted, segmented, password-protected, and all network security-related events are logged.

Software Security

Crowdin zaměstnává tým 24/7/365 serverových specialistů, aby udržoval náš software a jeho závislosti aktuální a odstraňoval potenciální zranitelnosti zabezpečení. K prevenci a eliminaci útoků na stránky používáme monitorovací řešení.

• Software Allowlisting - Only approved software and browser plugins are allowed on company devices.
• OAuth App Control - OAuth apps with access to corporate data are continuously controlled and monitored.
• Cloud services access is through SAML with context-aware access.

Incident Response

Crowdin implementuje protokol pro zpracování bezpečnostních událostí, který zahrnuje eskalační procedury, rychlé zmírnění a post mortem. Všichni zaměstnanci jsou informováni o našich zásadách.

Employee Vetting

Crowdin performs background checks on all new employees, contractors, or other individuals who have access to systems or the network or physical data center facilities in accordance with local laws.

Zabezpečení třetích stran a dodavatelů

Crowdin maintains vendor risk management practices to ensure third parties are scrutinized and maintain expected levels of security controls. View our List of Sub-processors.

Secure, reliable infrastructure

Crowdin uses Amazon Web Services (AWS) data centers for our computing infrastructure, with geographical restrictions in place to ensure data processing is limited to specific countries to enhance security. AWS has ISO 27001 certification and has completed multiple SSAE 16 audits. For more information on their security measures, visit AWS Cloud Security page. AWS Cloud Security page.

In addition to the benefits provided by AWS, our application has additional built-in security features:

• Dvoufázové ověření
• Single Sign-On via SAML 2.0
• REST API Authentication - API token with granular permission control
• Role-based permissions
• Backups and versioning
• Crowdin prosazuje standard složitosti hesla
• Device Verification feature provides an additional layer of security, protecting accounts in case a password is compromised

PCI Obligations

When you sign up for a paid Crowdin account, we do not store any of your billing information on our servers. All payments made to Crowdin go through our partner, FastSpring. They are compliant with PCI Security Standard. More details about their security setup can be found on Stripe's Risk Management + Compliance page.

Uptime

Check our past month stats at https://status.crowdin.com/. You can request an SLA agreement as a separate service, for this contact us at onboarding@crowdin.com

Přístup k datům

Přístup k údajům zákazníků je omezen na oprávněné zaměstnance, kteří je potřebují ke své práci. Příkladem toho je náš tým podpory. Zástupci týmu podpory mohou mít přístup pouze k souborům nebo nastavením potřebným k řešení problémů předložených zákazníky.

Kontinuita podnikání a obnova po havárii

We have developed, regularly test and update both a Disaster Recovery Plan and a Business Continuity Plan.

Penetration Testing

Crowdin performs annual penetration testing conducted by an independent, third-party security audit company. No customer data is exposed to the company during testing. A summary of the penetration test results is available to enterprise customers upon request.

If you have any questions about security at Crowdin or would like to submit a vulnerability report, please contact us at support@crowdin.com.

We will work with you to assess the issue and fully address any concerns. Emails about security issues are treated with the highest priority. Safety and security of our service are our top priorities.