Last revised on October 11, 2016
We would like to keep Crowdin safe and secure for everyone. If you have discovered a security vulnerability, we would greatly appreciate your help in disclosing it to us in a responsible manner.
Publicly disclosing a vulnerability can put the entire Crowdin community at risk. If you have discovered a possible vulnerability, we would greatly appreciate you emailing us at email@example.com. We will work with you to detect and assess the sphere of the issue and fully address any concerns. Any emails about security problems are treated with the highest priority because safety and security of our service are our primary concern.
Crowdin uses advantages of Amazon Web Services (AWS) for our computing infrastructure. AWS has ISO 27001 certification and has completed multiple SSAE 16 audits. If you want to more detail on AWS security, please refer to http://aws.amazon.com/security/.
Crowdin employs a team of 24/7/365 server specialists to keep our software and its dependencies up to date removing potential security vulnerabilities. We use a wide range of intrusion prevention and monitoring solutions for preventing and eliminating attacks to the site. Crowdin code written by our developers based on OWASP best practices and recommendations.
All private data exchanged with Crowdin is always transmitted over HTTPS (web-interface and command line client) using Crowdin username and password. The login credentials can not be used to access a shell or the filesystem. All users are virtual (meaning they have no user account on our machines) and are access controlled.
At the system layer, the servers are deployed with redundant network cards, redundant power supplies, and redundant disk storage. Secure data centers have generator backup systems and UPS for power and various entry points for key utilities and communication facilities. Regular backups are made and stored off-site in different Amazon AWS datacenter.
No Crowdin employees ever access private projects unless required to for support purposes according to system role-based model. Crowdin employees do not have physical access to any our production facilities, as whole our infrastructure is in the cloud.
The support staff may sign in to your account in order to solve and assist in resolving support inquiries. The support staff does not have direct access to customers data. Solving a support issue, support team only have access to the files and settings needed.
We protect your login from brute force attacks with rate limiting. We always send login information over SSL. All passwords are filtered from all our logs and are one-way encrypted in the database using reliable encryption algorithms.
We have security staff to help identify and prevent new attack vectors. We always test new features to rule out potential attacks, such as XSS-, SQL-injections protecting wikis and ensuring that Pages cannot access cookies.
We also make regular security tests and ongoing audits of Crowdin and its code. Security testing is a part of Crowdin code quality assurance.
When you sign up for a Crowdin’s paid account, we do not store any of your billing information on our servers. It’s handed off to FastSpring, Crowdin payment processing gateways. They are compliant with PCI Security Standard and audited daily for required security.
If you have any questions, concerns or comments about Crowdin security or would like to submit vulnerability report please, contact us at firstname.lastname@example.org.