Revised: May 24, 2018
This policy applies to all employees, contractors, consultants, and other workers within the Lokalise organization.
All our servers (virtual machines and physical servers) are hosted in the cloud, with administrative access limited to authorized personnel only. We encourage administrative tasks to be performed using in-house or third-party automation software to safeguard user data, and to revert to direct server access only when absolutely necessary. We have also implemented a set of security policies that are specific to the software and services running on our VMs; these are reviewed regularly by our engineering and development teams.
Communication among our servers is always encrypted using SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private. Traffic served from our web apps to our users is always delivered via HTTPS. File and database backups are encrypted using AES (Advanced Encryption Standard), chosen for its speed and reliability in encryption and decryption, its short key and algorithm setup time, and its resistance to various attacks in both hardware- and software-centric systems. Test systems use anonymized data, and for the security of our users, proper provisions have been implemented to prevent the reversal of the anonymization.
Our files and virtual machines are hosted with the largest managed cloud provider, Hetzner.de, trusted globally for a network designed and built for reliability. Hetzner adheres to, and is regularly audited against, the DIN ISO/IEC 27001 certification standard.
We also distribute static content via Amazon S3. Amazon AWS complies with PCI DSS Level 1, SOC 1, SOC 2, SOC 3, ISO 9000, FIPS 140-2, CJIS, CSA, FERPA, HIPAA and ISO 27001.
Certain aspects of our infrastructure require remote access in a very restricted way. For these components, authentication and access are coordinated through a Virtual Private Network that has been deployed specifically for this purpose. Traffic that flows through our VPN is always encrypted.
Email communication with Lokalise is handled by ‘Google Apps for Work’, which has a SOC 3 Seal of Assurance and is ISO 27001 certified.
Our development process includes extensive code reviews during the development phase and before code is pushed to production. This is part of our effort to instill a proactive mindset with regard to security-related issues. We also perform regular audits and checks against known security flaws, including the OWASP Top Ten.
With the goal of minimizing system downtime, we apply operating system and key software patches on a regular basis. Whenever downtime is expected, we notify our users well ahead of time. Critical system patches are applied immediately.
We have deployed a 24×7 monitoring system and provide a status page at status.lokalise.co where our users can verify the availability of our service.
Whether you have a security concern that you would like to discuss with us, or want to report a vulnerability in any Lokalise service, please contact us at firstname.lastname@example.org. Make sure you provide as much context and information as you can so that our team can understand the nature and severity of the problem and take the appropriate actions. We take all communications seriously, practicing responsible full disclosure and providing proper attribution of findings.
Users log into the Lokalise system either by using their social login from another platform (GitHub, Microsoft or Google+) or through a unique username and password that they choose. All user passwords are encrypted, and we do not store any passwords in cleartext within Lokalise.
We do not store any credit card information. All our credit card processing is handled by Stripe, which is listed in Visa’s registry of service providers as a PCI Level 1 service provider.
Access to our offices is restricted and enforced by security personnel. When sensitive data is physically stored on our premises, access is available only to authorized personnel (enforced via appropriate means), with the presence of at least two persons required on site. Our organizational security practices grant access to places and data on a need-to-know basis for all types of information.
Lokalise welcomes your comments regarding this Security policy. Should you have any questions concerning it, please contact us by email at email@example.com.
Our postal address is:
Suite 400, Wilmington,
Delaware DE 199808,