Data Encryption
How Babelize encrypts your data in transit and at rest.
Babelize uses industry-standard encryption to protect your data throughout its lifecycle.
Encryption Overview
| Data State | Method | Standard |
|---|---|---|
| In Transit | TLS 1.3 | Industry best practice |
| At Rest | AES-256-GCM | FIPS 140-2 compliant |
| Backups | AES-256 | Same as primary storage |
Data in Transit
TLS Configuration
All connections use TLS 1.3 with:
- Perfect forward secrecy
- Strong cipher suites only
- HSTS enforced
- Certificate transparency
API Connections
https://api.babelize.app/v1/translate
- TLS 1.3 required
- TLS 1.2 supported for legacy clients
- No unencrypted (HTTP) access
Cipher Suites
Supported (in order of preference):
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
Data at Rest
Database Encryption
All database storage is encrypted:
- Algorithm: AES-256-GCM
- Key management: AWS KMS
- Automatic key rotation: Every 365 days
File Storage
Uploaded files and translation results:
- Server-side encryption (SSE-S3)
- Bucket-level encryption enforced
- No unencrypted objects allowed
Encrypted Fields
Sensitive data receives additional encryption:
| Field | Encryption |
|---|---|
| OAuth tokens | AES-256-GCM |
| Glossary content | AES-256-GCM |
| Translation results | AES-256-GCM |
Key Management
Key Hierarchy
AWS KMS Master Key
└── Data Encryption Keys (per resource type)
    └── Individual resource encryption
Key Rotation
| Key Type | Rotation Period |
|---|---|
| Master keys | Annual (automatic) |
| Data keys | On each write |
Access to Keys
- Keys never leave AWS KMS
- No Babelize employee can access raw keys
- All key usage is logged
Backup Encryption
Backup Process
- Data exported with encryption
- Transmitted over encrypted channel
- Stored in encrypted backup location
- Multiple geographic copies
Backup Security
- Same encryption as primary storage
- Separate access controls
- Regular restoration testing
Client-Side Encryption
Customers can additionally:
- Encrypt content before upload
- Decrypt results after download
- Manage their own keys
```javascript
// Example: Client-side encryption
// encrypt() and decrypt() stand for the customer's own routines; yourKey is
// held by the customer and is never sent to Babelize.
const encrypted = await encrypt(content, yourKey);
const result = await babelize.translate(encrypted);
const decrypted = await decrypt(result, yourKey);
```
Note: The translation service cannot operate on ciphertext, so content encrypted client-side cannot be processed server-side unless it is decrypted first.
Encryption Verification
Testing Encryption
Verify TLS connection:
```bash
# Check TLS version
curl -v https://api.babelize.app/v1/health 2>&1 | grep "SSL connection"
# Output: SSL connection using TLSv1.3
```
Certificate Information
View our certificate:
```bash
# </dev/null closes stdin so s_client exits after printing the handshake
openssl s_client -connect api.babelize.app:443 -servername api.babelize.app </dev/null
```
Compliance
Our encryption practices meet:
- NIST guidelines
- PCI DSS requirements
- GDPR security standards
- SOC 2 criteria
Limitations
What We Cannot Encrypt
- Content during active translation (in memory)
- Metadata required for indexing
- Aggregate usage statistics
Timing Considerations
Encryption adds minimal latency:
- Negligible for typical requests
- May be noticeable for very large files
Questions
For encryption-related questions:
- Technical: security@babelize.app
- Compliance: compliance@babelize.app