Security Policy

Revised: May 24 2018

This policy applies to all employees, contractors, consultants, and other workers within the Lokalise organization.

Hosted Services

Virtual Machines (VMs), Physical Servers and Cloud Files

All our servers (virtual machines and physical servers) are hosted on the cloud with administrative access limited to authorized personnel only. We encourage administrative tasks to be performed using in-house or third party automation software to safeguard user data, and revert to actual server access only when absolutely necessary. We’ve also implemented a set of security policies that is specific to the software and services running on VMs, and is reviewed regularly by our engineering and development teams.

Communication among our servers is always encrypted using SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private. Traffic served from our web apps to our users is always served via HTTPS. File and database backups are encrypted using AES (Advanced Encryption Standard), chosen for its speed and reliability in encryption and decryption, its short key and algorithm setup time, and its resistance to various attacks in both hardware- and software-centric systems. Test systems use anonymized data, and for the security of our users, proper provisions have been implemented to prevent the reversal of anonymized data.

Hosting

Our files and virtual machines are hosted with the largest managed cloud provider, Hetzner.de, trusted globally for a network designed and built for reliability. Hetzner adheres to, and is regularly audited against, the DIN ISO/IEC 27001 certification standard.

We also distribute static content via Amazon S3. Amazon AWS complies with PCI DSS Level 1, SOC 1, SOC 2, SOC 3, ISO 9000, FIPS 140-2, CJIS, CSA, FERPA, HIPAA and ISO 27001.

VPN

Certain aspects of our infrastructure require remote access in a very restricted way. For these components, authentication and access are coordinated through a Virtual Private Network that has been deployed specifically for this purpose. Traffic that flows through our VPN is always encrypted.

Email communication

Email communication with Lokalise is handled by ‘Google Apps for Work’, which has a SOC 3 Seal of Assurance and is ISO 27001 certified.

Operational Efforts

Code Development

Our development process includes extensive code reviews during the development phase and before code is pushed to production. This is part of our effort to instill a proactive mindset with regard to security-related issues. We also perform regular audits and checks against known security flaws, including the OWASP Top Ten.

Software Maintenance

With the goal of minimizing system downtime, we apply operating system and key software patches on a regular basis. Whenever downtime is expected, we notify our users well ahead of time. Critical system patches are applied immediately.

Incident Response

We have deployed a 24×7 monitoring system and provide a status page at status.lokalise.co for our users to verify the availability of our service.

Vulnerability Reporting

Whether you have a security concern that you would like to discuss with us, or want to report any vulnerability regarding Lokalise services, please contact us at hello@lokalise.co. Make sure you provide as much context and information as you can so our team can understand the nature and severity of the problem and take the appropriate actions. We take all communications seriously, practicing responsible full disclosure and providing proper attribution of findings.

User Privacy

User Login

Users log into the Lokalise system either by using their social login information from other platforms (GitHub, Microsoft or Google+) or through a unique username and password that they choose. All user passwords are encrypted, and we do not store any passwords in cleartext within Lokalise.

Credit card information

We do not store any credit card information. All our credit card processing is handled by Stripe, which is listed in Visa’s registry of service providers as a PCI Level 1 service provider.

Privacy

User privacy is a serious concern at Lokalise. We do not sell the personal information of our customers to third parties. Legally, we are bound to protect the privacy of our users by EU and international laws, and are subject to inspection by the appropriate Information and Data Protection authorities. We need some of your personal information so that we can interact with each other and enter into legal relationships. We may collect some additional information about you, but we will make it clear to you when it happens with appropriate notice. For more information, please refer to our Privacy Policy (https://lokalise.co/privacy).

Physical Security

Access to our offices is restricted and enforced by security personnel. When sensitive data is physically stored on our premises, access is available only to authorized personnel (enforced via the use of appropriate means), with the presence of at least two persons required on site. Our organizational security practices include access to places and data on a need-to-know basis for all types of information.

Contact Us

Lokalise welcomes your comments regarding this Security Policy. Should you have any questions concerning it, please contact us by email at privacy@lokalise.co.

Our postal address is:

Lokalise, Inc.,
Suite 400, Wilmington,
Delaware DE 199808,
USA.