This security statement applies to the products, services and applications offered by Memsource. The protection and reliability of customer data is our utmost priority. Our security program is based on the principles of high resilience, transparency and third-party evaluation in accordance with globally recognized security standards. We believe that the Memsource architecture, based on a public cloud service with a multi-tenant model and logical access controls, provides the best value and protection for our customers' confidential data, such as translations and translation memory files.
Memsource has been certified for ISO 27001, confirming that the information security management system (ISMS) we have introduced conforms to the ISO standard. The ISO certificate was renewed for the years 2020-2023.
We use Amazon Web Services (AWS) as our cloud provider. AWS is compliant with a wide range of security standards, including SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017 and ISO 27018.
We use a third-party payment provider that is PCI DSS compliant and uses additional security mechanisms such as MasterCard SecureCode, Verified by VISA and SafeKey.
Memsource services undergo third-party penetration tests each year. The tests are conducted in accordance with the OWASP ASVS standard.
We operate a third-party hosted vulnerability disclosure program allowing independent researchers to responsibly disclose any vulnerabilities they may find in our applications and services.
We use a third-party service for monthly automated vulnerability scans.
Our information security management system is subject to annual internal audits and third-party audits verifying our compliance with the ISO 27001 standard.
Data that you upload to Memsource is private. It is accessible only to you and to the users in your organization whom you create and grant access to the data. The privacy of your data is guaranteed by technical means as well as by the Memsource Terms of Service.
Memsource's handling of customer data complies with regulations such as GDPR and CCPA. Memsource processes customer data only with explicit customer consent for data processing. We will not use your content for any purpose other than to keep you informed, to provide you with Memsource services, and to enhance our services and product offerings. Consent is collected for the following three purposes:
Communication: transactional and marketing communication from Memsource, from which users can unsubscribe.
Service delivery: providing customers with the Memsource services they have subscribed to, such as uploading a file for translation or exporting a TMX file.
Machine learning: this consent relates to the use of data for machine learning in Memsource, explained in more detail below.
Memsource uses data for training the artificial intelligence (AI) algorithms to provide better service to our customers. Use of data by the AI team is guided by the following principles:
Full GDPR compliance
All aspects of Memsource machine learning, from training data handling to implementation, are fully GDPR and CCPA compliant. Memsource treats all training data as potentially including personal data. Therefore, any training data is discarded within 90 days, in line with GDPR guidelines.
Internal use only
Memsource provides AI-powered features to Memsource customers and does not sell them to third-parties.
No training data reconstruction
We use aggregate data to train machine learning models that do not output text. Their output is metadata such as an MTQE score (50%, 75%, 100%). Because these models never emit text, they cannot reproduce customer content, which greatly reduces the risk of data leakage through the models and prevents reconstruction of the training data from their output.
No mingling of customer data for features that output text
For any AI feature that outputs text (machine translation, translation hints, autocomplete, etc.), Memsource does not mingle customer data: models are trained per customer, only from that customer's own data, optionally complemented with publicly available data.
The data in your Memsource account is protected. Only users to whom you have granted appropriate user rights have access to your content. Instead of emailing data, users access it after authenticating in Memsource (see Access Control), and all user actions are logged.
All stored data is encrypted at rest using Linux LUKS (aes-xts-plain64, with sha256 as the key hash) or AWS-managed encryption (AES-256).
The Memsource service is hosted on the Amazon Web Services (AWS) platform. The physical servers are located in AWS data centers. User content is also present in backups, which are stored in AWS S3.
We maintain separate and distinct development, QA, pre-production and production environments.
To access the Memsource production environment, authorized and trained members of the Memsource Engineering team connect over VPN and authenticate using unique strong passwords and 2FA.
Memsource uses a formalized IT change management process designed to ensure that changes are authorized and operate as intended.
The change management system in Memsource follows these principles:
All software development follows the best practices documented in Memsource policies and documentation of particular components.
All changes are documented and approved by the relevant team lead.
All changes are tested in the QA and pre-production environments prior to deployment to the production environment. Changes are approved only if they fulfill predetermined criteria. The development and QA environments use testing data and do not include real customer data.
All changes which affect the applied security measures or the risk profile of the Memsource service are assessed from a security standpoint.
For major changes, penetration tests and/or vulnerability tests are performed.
Access management in Memsource is guided by the following principles:
Principle of Least Privilege
Access privileges for any user should be limited to resources absolutely essential for completion of assigned duties or functions, and nothing more.
Principle of Segregation of Duties
Whenever practical, no single person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.
Whenever possible, user accounts are personalized, i.e. tied to the identity of one specific user.
Wherever possible, user accounts use a single authentication provider (such as Google ID) and single credentials. Multi-factor authentication is enabled when supported by the authentication provider.
The user is responsible for the protection of the authentication means (username, password, means of multi-factor authentication) and all actions performed under their account. The administrator of the IT system / application is responsible for the use and protection of technical accounts.
Our audit logs meet the requirements of NIST SP 800-53 AU-3 (Content of Audit Records). We store logs of system and application events as well as of any user activity within a Memsource account. Log management is centralized in a third-party service.
Audit logs are available to Memsource engineers and can be provided to customers upon request.
Login history (including IP address, country and user agent identification) is available to each user and accessible via the UI.
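As an added illustration of what the AU-3 requirement means in practice (this is example code, not Memsource's logging code or log schema), the following Python validator checks JSON-lines audit records for the six content elements AU-3 asks for: event type, time, location, source, outcome and subject identity. The JSON key names and the sample log lines are this example's own constructed assumptions.

```python
import json
from datetime import datetime

# NIST SP 800-53 AU-3 (Content of Audit Records) requires each record to say
# what happened, when, where, from which source, with what outcome, and who
# or what was involved. The key names are this example's assumed mapping of
# those elements onto JSON fields, not a Memsource schema.
AU3_FIELDS = {
    "event_type": "what type of event occurred",
    "timestamp": "when the event occurred (ISO 8601)",
    "location": "where the event occurred (host or service)",
    "source": "source of the event (client IP or originating component)",
    "outcome": "outcome of the event (success/failure)",
    "subject": "identity of the user or process involved",
}


def missing_au3_fields(record: dict) -> list:
    """Return the AU-3 elements that one audit record fails to carry."""
    missing = [field for field in AU3_FIELDS if not record.get(field)]
    # A timestamp that cannot be parsed does not actually tell you *when*.
    if "timestamp" not in missing:
        try:
            datetime.fromisoformat(str(record["timestamp"]).replace("Z", "+00:00"))
        except ValueError:
            missing.append("timestamp")
    return missing


def audit_log_lines(lines) -> tuple:
    """Check a JSON-lines audit log.

    Returns (number_of_compliant_records, {line_number: [problems]}).
    """
    problems = {}
    compliant = 0
    for line_no, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            problems[line_no] = ["unparseable record"]
            continue
        missing = missing_au3_fields(record)
        if missing:
            problems[line_no] = missing
        else:
            compliant += 1
    return compliant, problems


# Constructed sample log lines (not real Memsource logs). Line 1 is complete;
# line 2 omits outcome and subject; line 3 has an unparseable timestamp;
# line 4 is not JSON at all.
SAMPLE_LOG = [
    '{"event_type": "user.login", "timestamp": "2024-05-02T10:15:00+00:00", '
    '"location": "app-web-1", "source": "203.0.113.7", "outcome": "success", '
    '"subject": "alice@example.com"}',
    '{"event_type": "project.export", "timestamp": "2024-05-02T10:16:30+00:00", '
    '"location": "app-web-2", "source": "203.0.113.7"}',
    '{"event_type": "user.login", "timestamp": "yesterday", "location": "app-web-1", '
    '"source": "198.51.100.9", "outcome": "failure", "subject": "bob@example.com"}',
    'user.login failed for bob from 198.51.100.9',
]

if __name__ == "__main__":
    ok, issues = audit_log_lines(SAMPLE_LOG)
    print(f"{ok} compliant record(s)")
    for line_no, missing in sorted(issues.items()):
        print(f"line {line_no}: missing {', '.join(missing)}")
```

Run against a real export, the same function tells you which records could not answer "who did what, when, from where, and did it succeed", which is the question an incident responder actually asks of an audit trail.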
All communication is encrypted in Memsource by default. This includes communication between Memsource servers and the user's web browser as well as the Memsource Editor for Desktop and the Memsource Mobile application.
The connection to Memsource is encrypted using current security standards and best practices. The connection uses TLS 1.2. The identity of the Memsource server is verified through a certificate issued by a trusted certification authority.
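From the client side, the two properties claimed above (TLS 1.2 minimum and a CA-validated certificate for the expected host name) are things a practitioner can enforce and check. The Python example below is added here and is not Memsource code: it builds a hardened client context, audits any context for settings that would permit a downgrade or an unauthenticated peer, and connects to a host you supply to report what was actually negotiated. Host and port are parameters; no Memsource endpoint is assumed.

```python
import socket
import ssl


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and requires a
    certificate that chains to a trusted CA and matches the server name."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store unless cafile given
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Report settings that would let a client accept a downgraded or
    unauthenticated connection. An empty list means the context is sound."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The kind of context written to 'make the certificate error go away'.
    Shown only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, any issuer
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # allows protocol downgrade
    except ValueError:
        pass  # this OpenSSL build cannot enable TLS 1.0 at all, which is fine
    return ctx


def negotiated_tls(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> dict:
    """Connect with the hardened context and report the negotiated protocol,
    cipher and certificate issuer. Needs network access; raises ssl.SSLError
    if the server's certificate does not validate for `host`."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(pair[0] for pair in cert["issuer"]),
            }


if __name__ == "__main__":
    import sys
    print("hardened context findings:", audit_client_context(hardened_client_context()))
    print("weak context findings:", audit_client_context(weak_client_context()))
    if len(sys.argv) > 1:
        print(negotiated_tls(sys.argv[1]))
```

The audit function is the part worth reusing: run it over every SSLContext your integration code creates, because a single `verify_mode = CERT_NONE` anywhere in a client silently undoes the server-side guarantees this section describes.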
Redundant architecture ensures high service uptime. All data is kept in several redundant database instances. All data is backed up through near-real-time incremental backups as well as daily full backups to highly durable storage hosted in AWS S3. Backups are encrypted using Linux LUKS (aes-xts-plain64, with sha256 as the key hash) or AWS-managed encryption (AES-256).
We apply disaster recovery and incident response policies that ensure timely and effective reactions to incidents. Thanks to the redundant architecture and rapid incident response, we have maintained 99.99% availability over the long term. Thanks to a robust backup system, we are able to guarantee swift recovery and minimal data loss. The performance of our disaster recovery is measured by the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO).
RTO is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. Memsource guarantees an 8 hour RTO for all components of its service.
RPO is the maximum acceptable amount of data loss measured in time. It is the age of the files or data in backup storage required to resume normal operations if a computer system or network failure occurs. RPO covers incidents that require complete recovery of all database instances. In case only one database instance is affected by the incident, the production environment seamlessly switches to another instance. Memsource guarantees a 4 hour RPO even in case of a catastrophic failure.
Although most of Memsource's assets are cloud-based, company policy also ensures the protection of the physical premises and of the information assets stored there.
Our premises are protected by a security service that is present 24/7. The entrance to the building is monitored by CCTV cameras. The security service controls all access points to the building, including emergency doors.
In general, Memsource premises are only accessible to Memsource employees and long-term contractors. These persons are holders of tokens granting access to the general office area, excluding restricted areas.
Visitors are registered at the reception desk that operates 24/7. Based on their registration, they are only given access to the lift area. To access Memsource premises, they must be accompanied at all times by a Memsource employee. All Memsource employees are responsible for keeping their visitors accompanied at all times during their visit and not granting them any unnecessary access to any information assets belonging to Memsource.
Hard copies of classified information may be stored only in locked closets located in the Memsource office. Access to those documents is granted only to employees who require it for the performance of their duties.
Classified IT assets are stored in the server room. Access to the server room is only granted following confirmation by a designated Memsource employee. Memsource’s information assets are stored separately from the equipment of other tenants in locked racks.
Users are obliged to act in line with legislation, rules and procedures described in this and related policy documents. They are responsible for the security of assets entrusted to them by Memsource. Any misconduct or violation of the aforementioned obligations may lead to disciplinary measures according to applicable labor legislation.
A centrally managed and automatically updated anti-malware solution is installed on all computers. All devices have full disk encryption enabled and are protected by a strong password and/or biometrics. Memsource users have to follow these policies even when using their own devices. A clean desk policy provides rules for securing devices when unattended and for storing internal and classified information only in the designated protected areas.
Users have to create unique, complex and not guessable passwords for all work-related accounts. Remote access to the internal Memsource network is only possible through company managed VPN.
All prospective Memsource employees and contractors are subject to background checks in line with privacy legislation. Security awareness training is part of our on-boarding process and is repeated annually. All employees and contractors have a signed NDA as part of their contract.
Contact Memsource Support if you have any additional questions about security.