Security

Updated on: October 11, 2016

Notice

We want to keep Crowdin safe and secure for everyone. If you have discovered a security vulnerability, we would greatly appreciate your help in disclosing it to us responsibly.

Vulnerability Reporting Policy

Publicly disclosing a vulnerability can put the entire Crowdin community at risk. If you have discovered a possible vulnerability, please email us at support@crowdin.com. We will work with you to reproduce the issue, assess its scope and fully address any concerns. Emails about security problems are treated with the highest priority, because the safety and security of our service are our primary concern.

Infrastructure

Crowdin runs its computing infrastructure on Amazon Web Services (AWS). AWS holds ISO 27001 certification and has completed multiple SSAE 16 audits. For more detail on AWS security, see http://aws.amazon.com/security/.


Physical Security

  • The production environment is hosted in ISO 27001 and SSAE 16 certified secure data centers.
  • Data centers are equipped with digital recorders and CCTV systems and are staffed by security guards 24x7.
  • Crowdin employees do not have physical access to any of our production facilities, as our whole infrastructure is in the cloud.
  • Biometric scanning and a secret PIN code are required to enter the development area.
  • Security cameras monitor the entire development area.

System Security

  • Dedicated VPN services and firewalls block unauthorized system access.
  • Systems are installed on a hardened, patched OS.
  • An Intrusion Prevention System defends system services.

Operational Security

  • Internal processes in our data centers comply with the Multi-Tier Cloud Security Standard (MTCS SS 584) Level 3 (CSP) certification requirements.
  • Our software is regularly audited by security specialists.
  • System access is granted on request and tracked for auditing purposes.
  • Change-management procedures are fully documented.
  • Secure document-destruction policies apply to all sensitive information.

Software Security

Crowdin employs a team of server specialists, available 24/7/365, who keep our software and its dependencies up to date to remove potential security vulnerabilities. We use a wide range of intrusion prevention and monitoring solutions to prevent and stop attacks on the site. Code written by Crowdin developers follows OWASP best practices and recommendations.


Communications

All private data exchanged with Crowdin is transmitted over HTTPS (both the web interface and the command-line client) and authenticated with your Crowdin username and password. These login credentials cannot be used to obtain a shell or access the filesystem: all users are virtual (they have no user account on our machines) and are subject to access control.


File System and Backups

At the system layer, the servers are deployed with redundant network cards, redundant power supplies and redundant disk storage. The secure data centers have generator backup and UPS for power, and multiple entry points for key utilities and communication facilities. Regular backups are made and stored off-site in a different AWS data center.


Employee Access

No Crowdin employee accesses private projects unless required for support purposes, according to a role-based access model.

Support staff may sign in to your account to assist in resolving support inquiries. Support staff do not have direct access to customer data: when solving a support issue, they have access only to the files and settings needed for that issue.


Maintaining Security

We protect your login from brute-force attacks with rate limiting. Login information is always sent over TLS (HTTPS). Passwords are filtered out of all our logs and are stored in the database only as one-way hashes produced by a reliable password-hashing algorithm.
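The three controls named above (rate-limited login, password filtering in logs, and one-way password hashing) fit together in a single login path. The following is an added illustration written for this page, not Crowdin's code; the attempt limit, window length, scrypt parameters and the `password=` log format are assumptions chosen for the example.

```python
import hashlib
import hmac
import logging
import os
import re
import time

# Illustrative parameters (assumptions, not Crowdin's actual settings).
MAX_ATTEMPTS = 5            # failed logins tolerated per account per window
WINDOW_SECONDS = 300        # rate-limit window
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Anything that looks like "password=<value>" in a log line is scrubbed.
_PASSWORD_RE = re.compile(r"(password=)[^&\s]*", re.IGNORECASE)


def redact(message: str) -> str:
    """Replace password values in a log message with a placeholder."""
    return _PASSWORD_RE.sub(r"\1[FILTERED]", message)


class PasswordRedactingFilter(logging.Filter):
    """Logging filter: every record passing through is redacted before output."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def hash_password(password: str, salt: bytes = None) -> str:
    """Store 'salt_hex$digest_hex'. scrypt is a slow, memory-hard one-way KDF,
    so a leaked database does not yield plaintext passwords cheaply."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Hashed once so unknown usernames cost the same time as real ones.
_DUMMY_HASH = hash_password("not-a-real-password")


class LoginService:
    """In-memory user store with per-account rate limiting of failed logins."""

    def __init__(self, clock=time.monotonic):
        self._users = {}      # username -> stored hash
        self._failures = {}   # username -> timestamps of recent failures
        self._clock = clock   # injectable for deterministic testing
        self.log = logging.getLogger("login-example")
        self.log.addFilter(PasswordRedactingFilter())

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def _recent_failures(self, username: str) -> list:
        now = self._clock()
        recent = [t for t in self._failures.get(username, [])
                  if now - t < WINDOW_SECONDS]
        self._failures[username] = recent
        return recent

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'rate_limited'."""
        if len(self._recent_failures(username)) >= MAX_ATTEMPTS:
            self.log.warning("rate limited user=%s", username)
            return "rate_limited"
        stored = self._users.get(username)
        # Always run the KDF, even for unknown users, to keep timing uniform.
        matched = verify_password(password, stored or _DUMMY_HASH)
        if stored is None or not matched:
            self._failures.setdefault(username, []).append(self._clock())
            # The raw request parameters are logged here on purpose to show
            # that the filter scrubs the password before it reaches any handler.
            self.log.info("failed login user=%s password=%s", username, password)
            return "denied"
        self._failures.pop(username, None)
        return "ok"
```

Two details are easy to get wrong in practice: the rate-limit window is evaluated per account rather than per source IP, so a distributed attack still stalls after `MAX_ATTEMPTS` failures; and the KDF runs for unknown usernames too, so response time does not reveal which accounts exist.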

We have security staff who help identify and prevent new attack vectors. We test every new feature to rule out attacks such as XSS and SQL injection, protecting wikis and ensuring that Pages cannot access cookies.

We also run regular security tests and ongoing audits of Crowdin and its code. Security testing is part of Crowdin's code quality assurance.


Credit Card Safety

When you sign up for a Crowdin paid account, we do not store any of your billing information on our servers. It is handed off to PayPro Global, Crowdin's payment processing gateway. PayPro Global is compliant with the PCI Data Security Standard and is audited daily against its requirements.


Contact Us

If you have any questions, concerns or comments about Crowdin security, or would like to submit a vulnerability report, please contact us at support@crowdin.com.