Information security policy

Valid from September 29, 2025

Tolgee helps developers and product teams streamline localisation. We believe security doesn’t have to feel cold and distant – it can be approachable and even a little fun. Our mascot is a little mouse who loves to organise translations and protect its cheese! In the same way, we scurry around to keep your data safe.


Tolgee is ISO 27001 certified, and we invest heavily in people, processes and technology to safeguard the content our customers entrust to us. Below you’ll find a friendly overview of how we look after your data. And if you’d like to read more about our journey to ISO 27001, check out our blog post "We're Now ISO 27001 Certified. Our Lessons Learned" for a more personal story.

A Tolgee mascot, a little mouse, protects a cheese

What data Tolgee collects

We only collect the data we truly need to make Tolgee run smoothly and to support you when you need help. If you host Tolgee yourself, you stay in full control — we don’t see your projects, users or logs.

What data Tolgee Cloud collects

When you use our Cloud version, we process a small amount of data to keep things running:

  • Account data – your name, email, username and avatar to create and manage your account. Passwords are always stored as secure hashes. Two-factor authentication is optional but encouraged.

  • Billing data – company name, address and tax/VAT ID. Payment cards are handled safely by our payment partner; we never see or store full card numbers.

  • Project content & metadata – your translations, project names, screenshots and other localisation content.

  • Usage & device data – IP address, browser or device info and minimal logs to keep the platform reliable. We also use PostHog (EU) for anonymised product analytics and Sentry (EU) for error reporting.

  • Support communication – any messages or attachments you send to our support team. We keep them only until your issue is resolved.

What data Self-Hosted Tolgee collects

When you run Tolgee on your own, we can’t access your projects, accounts or logs.

  • License usage data – for licensed self-hosted instances, we receive key count, seat count and string count to validate the license.

  • Anonymous telemetry – optional stats (like number of projects, users or translations) that help us improve Tolgee. You can turn this off anytime in your settings.

That’s it — no other data leaves your server.

A data collection illustration

How we use and process your data


We use your data to deliver localization services, improve Tolgee, meet legal obligations and communicate with you. We never sell your data or share it with third parties for advertising. When we need to use sub‑processors, we only engage vendors that meet stringent security requirements and sign Data Processing Agreements. Tolgee’s privacy policy lists broad categories of service providers, such as:


  • Hosting and storage providers – We host the Tolgee SaaS on Microsoft Azure and Amazon Web Services (AWS) infrastructure. Azure provides our core compute and databases, while AWS is used for object storage and sending transactional emails. Both providers hold ISO 27001 and SOC 2 certifications, encrypt data at rest and in transit, and operate data centres in the EU and US. Self‑hosted customers store data on their own infrastructure.

  • Payment processors – to handle billing and subscriptions. Payment data is encrypted and processed according to PCI DSS standards. Tolgee uses Stripe, which stores and protects payment information.

  • Analytics and monitoring – We use privacy‑respecting tools to understand platform performance. PostHog records anonymised behaviour within the website (data is stored in the EU), and Sentry logs application errors (only the email, username and error description are sent, and data is stored in the EU). We also use privacy‑focused analytics solutions such as Plausible, which hashes visitor information.

  • Email and communication tools – We send transactional emails (e.g., password resets, project notifications) using Amazon SES and our own mail server. On a self-hosted instance, you configure your own SMTP server. We keep records of communications as required for compliance and support.

  • Machine translation providers – For optional machine‑translation features, we integrate ChatGPT, AWS Translate, Google Translate and DeepL. Each provider receives only the text you choose to translate, and all requests are encrypted in transit. You can disable (opt‑out of) any translation provider in your project settings at any time. These services may operate in the EU or the US, but they are only used when translation is requested.

  • Self‑hosted telemetry – self‑hosted instances can optionally send anonymous usage statistics (numbers of projects, languages, translations and users) to help us improve the software. This telemetry is minimal and can be disabled (opt‑out) at any time.

A data protection illustration

How we protect your data


We treat your data like a mouse guards its cheese: always alert and never letting danger sneak in. Here’s how we keep it safe.

Encryption in transit and at rest

Tolgee encrypts all network traffic using HTTPS/TLS. Sensitive connections (e.g., machine‑translation API calls, OAuth tokens) also require certificate validation.


Tolgee’s SaaS uses AES‑256 encryption for databases, file storage and backups, and we manage keys using industry‑standard key‑management systems. Self‑hosted operators should configure a reverse proxy (e.g., Nginx, Caddy) with TLS certificates to protect API endpoints and should enable encryption at rest (e.g., encrypted volumes). Environment variables allow you to specify a unique secret for JWT tokens and other sensitive keys; never reuse defaults, and never commit these values to source control.

Authentication, access control & identity management

  • Single Sign‑On & SAML – Tolgee supports OAuth 2.0 for single sign‑on.

  • Multi‑Factor Authentication (MFA) – MFA reduces the risk of account takeover. Tolgee provides optional TOTP‑based 2FA and recommends enabling it for all accounts.

  • Role‑Based Access Control (RBAC) – Tolgee implements fine‑grained project and organization‑level permissions. Only users with appropriate roles may manage translations, projects or billing.

  • Least privilege & internal controls – Employee access is restricted to what is necessary for their role. We log administrative actions and review permissions regularly.

Data deletion

  • When you delete a project or account, data is permanently removed from production systems within 7 days and from backups within Y days.

Secure development & vulnerability management

Our engineering mice follow strict rules to make sure no unwanted guests sneak into our code.

  • Secure coding & peer review – All code changes undergo peer review and automated security checks before deployment.

  • Dependency scanning & patch management – We use Snyk to scan dependencies for vulnerabilities and promptly apply security patches.

  • Penetration testing – We use automated tools for penetration testing and partner with penetration testers who test the Tolgee platform.

Network & infrastructure security

We build strong walls around our mouse hole. No cat can walk in uninvited!

  • Isolated environments – Tolgee’s production instance is separated from development and staging.

  • Backups & disaster recovery – Tolgee continuously backs up data in geographically diverse locations. We retain backups for at least 7 days; data can be restored quickly after a disaster.

Monitoring, logging & incident response

We keep our whiskers twitching and our ears perked for anything unusual. If something does happen, we pounce on it quickly.


We maintain extensive logging of system events, API calls and administrative actions. Logs are stored securely and monitored for anomalies.

Guidance for self‑hosted Tolgee


If you run Tolgee on your own, think of yourself as the mouse in charge of your own pantry.


Many enterprises run Tolgee on their own infrastructure. When self‑hosting, you are responsible for the security of the environment. We recommend:


  • Use HTTPS/TLS – front your Tolgee instance with a reverse proxy (e.g., Nginx, Caddy, Traefik) and obtain TLS certificates. Tools like Let’s Encrypt make this easy.

  • Set strong secrets – generate unique values for jwt-secret, encryption keys and any API credentials.

  • Limit network exposure – place your Tolgee instance behind a firewall or VPN. Only expose necessary ports to trusted networks. Use infrastructure‑level security groups to restrict access.

  • Enable backups – implement your own backup strategy (e.g., automated daily backups to encrypted storage). Document how to restore quickly.

  • Patch & update – keep the Tolgee server, database and dependencies up to date. Monitor security advisories and apply patches promptly.

A certification illustration

Compliance & certifications

  • ISO 27001 – Tolgee’s information security management system is certified to ISO 27001.

  • GDPR – Tolgee complies with the EU General Data Protection Regulation. We minimise personal data, honour user rights (access, rectification, deletion and data portability) and store data in EU data centres whenever feasible.

  • Vulnerability disclosure programme – We welcome security researchers. To report a vulnerability, please contact security@tolgee.io with details.

How you can help keep your account secure

Security is a shared responsibility. You can strengthen your Tolgee account by:


  1. Using a strong, unique password and storing it in a password manager.

  2. Enabling two‑factor authentication (2FA) for your account.

  3. Reviewing user roles and permissions in your projects regularly.

  4. Keeping your devices and browsers updated.

  5. Being cautious with third‑party integrations and verifying their trustworthiness.


In short, don’t leave your cheese unattended! Lock it away, check on it often, and only share with friends you trust.

Contact & additional resources

For security or privacy questions, contact security@tolgee.io. We aim to respond promptly. For more information, refer to:


  • Privacy Policy – details on data collection, usage and rights.

  • Data Processing Agreement – available on request for enterprise customers.

  • Responsible Disclosure Policy – guidelines for reporting vulnerabilities.

  • ISO 27001 Certification blog post – a personal story of our certification journey.


Your trust is paramount. By following these practices and continuously improving our security posture, we endeavour to protect your data and provide a localization platform you can depend on.