{"id":28330,"date":"2022-09-21T12:02:15","date_gmt":"2022-09-21T12:02:15","guid":{"rendered":"https:\/\/phrase.com\/?page_id=28330"},"modified":"2024-11-11T15:00:28","modified_gmt":"2024-11-11T14:00:28","slug":"security","status":"publish","type":"page","link":"https:\/\/phrase.com\/security\/","title":{"rendered":"Security"},"content":{"rendered":"\n<div id=\"acf\/text-block_81ee22e0681f38ce612b8ca4ff7dec27\" class=\"pxblock pxblock--text alignfull spacing--default bg--white\">\n\n\t\n\t<div class=\"container\">\n\t\t<div class=\"wysiwyg animate-in block-center\">\n\t\t\t<p class=\"subhead\" style=\"text-align: center;\">Phrase<\/p>\n<div class=\"hero--header\">\n<h1 class=\"secondary \" style=\"text-align: center;\">Security<\/h1>\n<\/div>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n\n\n\n<div id=\"acf\/text-block_d11699f298c44b304d8d6b28c3730edd\" class=\"pxblock pxblock--text alignfull spacing--default bg--white\">\n\n\t\n\t<div class=\"container\">\n\t\t<div class=\"wysiwyg animate-in block-center\">\n\t\t\t<h2>Phrase Security Statement<\/h2>\n<h3><span style=\"font-weight: 400;\">Introduction<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">This security statement applies to the products, services and applications offered by Phrase. The protection and reliability of customer data is our utmost priority. Our security program is based on the principles of high resilience, transparency and third-party evaluation against globally recognized security standards. We believe that the Phrase architecture, a public cloud service with a multi-tenant model and logical access controls, provides the best value and protection for the confidential data of our customers, such as translations and translation memory files.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Certifications<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Phrase a.s. (formerly Memsource a.s.) 
has been<\/span> <a href=\"https:\/\/phrase.com\/wp-content\/uploads\/2024\/11\/2024-AS-ISO-27001-Certificate-1.pdf\"><span style=\"font-weight: 400;\">certified for ISO 27001<\/span><\/a><span style=\"font-weight: 400;\">, which confirms that the information security management system (ISMS) we have introduced conforms to the ISO standard. The ISO certificate was renewed for years 2020-2023.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We use Amazon Web Services (AWS) as our cloud provider. AWS <\/span><a href=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-overview\/security-and-compliance.html\"><span style=\"font-weight: 400;\">is compliant<\/span><\/a><span style=\"font-weight: 400;\"> with a wide range of security standards, including SOC 1\/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017 and ISO 27018.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We use a third-party payment provider that is PCI DSS compliant and supports additional cardholder authentication mechanisms (3-D Secure) such as MasterCard SecureCode, Verified by VISA and American Express SafeKey.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Audits and Vulnerability Detection<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Phrase services undergo third-party penetration tests each year. 
The tests are conducted in accordance with the OWASP ASVS standard.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We operate a third-party hosted vulnerability disclosure program allowing independent researchers to responsibly disclose any vulnerabilities they may find in our applications and services.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We use a third-party service for monthly automated vulnerability scans.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our information security management system is subject to annual internal audits and third-party audits verifying our compliance with the ISO 27001 standard.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Data Control<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The data in your Phrase account is protected. Only users to whom you have granted the appropriate user rights have access to your content. Instead of emailing data, users access data after authenticating in Phrase (see <\/span><a href=\"https:\/\/help.memsource.com\/hc\/en-us\/articles\/115003830391-Security-Statement#UUID-4242d1d1-a65d-4dfc-115e-c90c9fd95a81_UUID-d3ef6b14-ad62-db0d-bcf2-b4cc3d7ad768\"><span style=\"font-weight: 400;\">Access Control<\/span><\/a><span style=\"font-weight: 400;\">), and all user actions are logged.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All stored data is encrypted at rest using Linux LUKS (aes-xts-plain64:sha256) or AWS encryption (AES256).<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Data Centers and Locations<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">The Phrase service is hosted on the Amazon Web Services (AWS) platform. The physical servers are located in AWS data centers. 
User content is also present in backups, which are stored in AWS S3.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Production Environment<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">We maintain separate and distinct development, QA, pre-production and production environments.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To access the Phrase production environment, authorized and trained members of the Phrase Engineering team connect through a VPN and authenticate using unique strong passwords and 2FA.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Change Management<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Phrase uses a formalized IT change management process designed to ensure that changes are authorized and operate as intended.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The change management process in Phrase follows these principles:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">All software development follows the best practices documented in Phrase policies and in the documentation of the particular components.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">All changes are documented and approved by the relevant team lead.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">All changes are tested in the QA and pre-production environments prior to deployment to the production environment. Changes are approved only if they fulfill predetermined criteria. 
The development and QA environments use test data and do not include real customer data.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">All changes which affect the applied security measures or the risk profile of the Phrase service are assessed by Phrase\u2019s information security team.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In case of a major change, penetration tests and\/or vulnerability tests are performed.<\/span><\/li>\n<\/ul>\n<h3><span style=\"font-weight: 400;\">Access Control<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Access management in Phrase is guided by the following principles:<\/span><\/p>\n<p><strong>Principle of Least Privilege<\/strong><\/p>\n<p>Access privileges for any user should be limited to the resources strictly necessary for the completion of their assigned duties or functions, and nothing more.<\/p>\n<p><strong>Principle of Segregation of Duties<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Whenever practical, no single person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.<\/span><\/p>\n<p><strong>Personalized profiles<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Whenever possible, user profiles are personalized, i.e. tied to the identity of one specific user.<\/span><\/p>\n<p><strong>Single identity<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">Wherever possible, user profiles use a single authentication provider (such as Google ID) and a single set of credentials. 
Multi-factor authentication is enabled whenever the authentication provider supports it.<\/span><\/p>\n<p><strong>User responsibility<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">The user is responsible for the protection of their authentication means (username, password, multi-factor authentication factors) and for all actions performed under their profile. The administrator of the IT system \/ application is responsible for the use and protection of technical (non-personal) profiles.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Event Logging<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">We store logs of system and application events and of all user activity within each Phrase account. Log management is centralized in a third-party service.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Audit logs relating to a customer\u2019s use of the platform are available to Phrase engineers and can be provided to the customer upon request.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Login history (including IP address, country and user agent) is available to each user and accessible via the UI.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Encrypted Communication<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">All communication is encrypted by default. This includes communication between Phrase servers and the user\u2019s web browser, the Phrase CAT desktop editor and the mobile application.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Phrase uses industry-standard encryption for data in transit: connections are encrypted with TLS 1.2. The identity of the Phrase endpoint is verified by a certificate issued by a trusted certificate authority.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Redundancy and Backups<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Redundant architecture provides for high service uptime. All data is kept in several redundant database instances. 
All data is backed up through near real-time incremental backups as well as daily full backups to highly durable storage hosted in AWS S3. Backups are encrypted using Linux LUKS (aes-xts-plain64:sha256) or AWS encryption (AES256).<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Disaster Recovery and Incident Response<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">We apply disaster recovery and incident response policies that facilitate timely and effective reactions to incidents. This helps us in our efforts to maintain high<\/span> <a href=\"https:\/\/status.phrase.com\/\"><span style=\"font-weight: 400;\">service availability<\/span><\/a><span style=\"font-weight: 400;\"> and to promptly recover from disaster events with minimal data loss. The performance of our disaster recovery is measured by Recovery Time Objective (RTO) and Recovery Point Objective (RPO).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">RTO is the targeted duration of time within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. In tests, Phrase has achieved an 8-hour RTO for all components of its service.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">RPO is the maximum acceptable amount of data loss measured in time: the maximum age of the files or data in backup storage that would be needed to resume normal operations if a computer system or network failure occurs. RPO covers incidents that require complete recovery of all database instances. If only one database instance is affected by an incident, the production environment fails over seamlessly to another instance. 
Phrase achieves a 4-hour RPO even in case of a catastrophic failure.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Physical Security<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Although most of Phrase\u2019s assets are cloud-based, company policy ensures the protection of the physical premises as well as the information assets stored there.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Our premises are protected by a security service that is present 24\/7. The entrance to the building is monitored by CCTV cameras. The security service controls all access points to the building, including emergency doors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In general, Phrase premises are only accessible to Phrase employees and long-term contractors. These persons hold tokens granting access to the general office area, excluding restricted areas.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Visitors are registered at the reception desk, which operates 24\/7. Based on their registration, they are only given access to the lift area. To access Phrase premises, they must be accompanied at all times by a Phrase employee. All Phrase employees are responsible for keeping their visitors accompanied at all times during their visit and for not granting them any unnecessary access to any information assets belonging to Phrase.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hard copies of classified information may be stored only in locked closets located in the Phrase office. Access to those documents is granted only to employees who require it for the performance of their duties.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Classified IT assets are stored in the server room. Access to the server room is only granted following confirmation by a designated Phrase employee. 
Phrase\u2019s information assets are stored separately from the equipment of other tenants, in locked racks.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Employee Policies<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Phrase personnel are obliged to act in line with legislation and with the rules and procedures described in this and related policy documents. They are responsible for the security of the assets entrusted to them by Phrase. Any misconduct or violation of the aforementioned obligations may lead to disciplinary measures according to applicable labor legislation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A centrally managed and automatically updated anti-malware solution is installed on all computers. All devices have full disk encryption enabled and are protected by a strong password and\/or biometrics. Phrase users have to follow these policies even when using their own devices. A clean desk policy provides rules for securing devices when they are unattended and for storing internal and classified information only in the designated protected areas.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Users have to create unique, complex and not easily guessable passwords for all work-related accounts. Remote access to the internal Phrase network is only possible through the company-managed VPN.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All prospective Phrase employees and contractors are subject to background checks in line with privacy legislation. Security awareness training is part of our onboarding process and is repeated annually. 
All employees and contractors are subject to confidentiality undertakings as part of their contractual arrangements.<\/span><\/p>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n\n\n\n<div id=\"acf\/text-block_e3e42ae74e2c9951bdfde894683da791\" class=\"pxblock pxblock--text alignfull spacing--default bg--white\">\n\n\t\n\t<div class=\"container\">\n\t\t<div class=\"wysiwyg animate-in block-center\">\n\t\t\t<h2>Bug-Bounty Program<\/h2>\n<p data-pm-slice=\"1 1 []\">Have you found a security vulnerability in our product? You can submit it in our bug-bounty program and get a reward. Our bug-bounty is managed by <a href=\"http:\/\/intigriti.com\">Intigriti<\/a> and you have to be a verified researcher to participate. Please send us an email with the description of the vulnerability you found and your Intigriti username to <a class=\"ProsemirrorEditor-link\" href=\"mailto:security@phrase.com\">security@phrase.com<\/a> and we will make sure you are invited.<\/p>\n\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":4,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"_stopmodifiedupdate":false,"_modified_date":"","_searchwp_excluded":"","footnotes":""},"class_list":["post-28330","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/pages\/28330"}],"collection":[{"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/comments?post=28330"}],"version-history":[{"count":102,"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/pages\/28330\/revisions"}],"predecessor-version":[{"id":94588,"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/pages\/28330\/
revisions\/94588"}],"wp:attachment":[{"href":"https:\/\/phrase.com\/wp-json\/wp\/v2\/media?parent=28330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}