Security

Your data stays yours

We built Langbly with a simple principle: translation content should be translated and forgotten. Here is exactly how we handle your data.

We never train on your data

Your translation content is never used to train, fine-tune, or improve any model. Not now, not in the future. This is a permanent commitment, not a policy we might revise later.

When you send text to our API, it gets translated and the content is discarded from memory. We do not store, log, cache, or retain translation content in any form. The only data we keep is your account information (email, name) and aggregated usage counts for billing.

No training on your data

We never use your translation content to train or improve models. Your text is translated and immediately discarded. No exceptions.

Zero content retention

Translation content exists only in memory during request processing. Nothing is written to disk, logged, or stored in any database.

TLS 1.3 everywhere

All API traffic is encrypted with TLS 1.3. Unencrypted connections are rejected at the edge. Your data is encrypted the entire way.

EU data residency

Our dedicated EU endpoint (eu.langbly.com) processes everything in Finland. Data never leaves the European Union.

Isolated infrastructure

Each API endpoint runs in its own isolated environment. No shared resources between customers. Databases are not publicly accessible.

Encrypted at rest

Account data and usage metrics are encrypted at rest using AES-256 via managed encryption. Encryption keys are rotated automatically.

Authentication and Access

Every API request requires an API key, sent via the X-API-Key header or as a query parameter. Keys are verified on each request through a dedicated key management service with built-in rate limiting. You can create multiple API keys per account and revoke them independently.

Production infrastructure follows the principle of least privilege. Only the operator has access to deployment systems. There are no shared credentials, and access is authenticated and logged.

Data Flow

Here is what happens when you make a translation request:

  1. Your request arrives over TLS 1.3 at our API endpoint.
  2. The API key is verified. If invalid, the request is rejected immediately.
  3. Usage is checked against your plan limits.
  4. The text is sent to the translation engine for processing.
  5. The translated text is returned to you in the response.
  6. The request content is discarded from memory. Nothing is persisted.

We log metadata (timestamp, language pair, character count, response time) for billing and monitoring. We do not log the actual text content of requests or responses.

GDPR Compliance

Langbly processes personal data in accordance with the General Data Protection Regulation (GDPR).

  • Legal basis: Contractual necessity (Article 6(1)(b)). We process data because you asked us to translate it.
  • Data minimization: We collect only what we need for billing and service delivery. Translation content is not retained.
  • Purpose limitation: Data is used exclusively for providing translation services and billing.
  • Storage limitation: Account data is kept for the duration of the account. Translation content retention is zero.
  • Your rights: You can request access, correction, deletion, or export of your personal data at any time by emailing us.

A formal Data Processing Agreement (DPA) is available for all customers.

View our Data Processing Agreement

Incident Response

If a security incident occurs:

  • Automated monitoring detects anomalies within minutes.
  • Affected customers are notified within 72 hours, as required by GDPR.
  • A post-incident report is made available with root cause analysis and remediation steps.

Because we do not store translation content, the blast radius of any potential breach is limited to account metadata. There is no corpus of customer translations that could be exposed.

Infrastructure Certifications

CSA STAR Level One - Self-Assessment

Langbly is listed on the CSA STAR Registry with a completed CAIQ v4.1 self-assessment covering all 283 cloud security controls.

Our infrastructure providers maintain rigorous third-party certifications. The physical servers, networks, and managed services that power Langbly are independently audited to the highest standards.

  • ISO 27001: All core infrastructure providers are certified under ISO/IEC 27001 for information security management.
  • SOC 2 Type II: Our hosting, database, and payment providers maintain SOC 2 Type II compliance, with annual third-party audits of security controls.
  • GDPR: All providers processing EU data are GDPR-compliant, with appropriate data processing agreements and, where needed, EU Standard Contractual Clauses.

For a full list of sub-processors and their locations, see our Data Processing Agreement.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. We take every report seriously and will respond within 48 hours.

security@langbly.com