DeepL’s C5 Type 2 attestation and our commitment to secure, compliant AI

Last month, DeepL launched DeepL AI Labs: a window into the innovative solutions that we’re developing as we leverage our AI platform for solving wider business challenges. As part of this, we introduced the world to DeepL Agent, the general-purpose AI agent that can take on any task you would normally use a computer for, in order to transform business workflows.
You probably saw our DeepL AI Labs announcement. You might have missed an announcement a few days before that was also crucial for the new era of agentic AI. It’s the recognition from Germany’s Federal Office for Information Security that DeepL is now C5 Type 2 attested. It’s important because it shows why organizations in even the most sensitive industries can trust DeepL to work with their systems and data, and deploy innovative solutions.
At the same time as pushing the boundaries of AI innovation in business, we’re equally committed to innovating on security and compliance. When new standards emerge, with new ideas on how to protect data, we embrace them. This enables us to help businesses of all types deploy AI with confidence.
What C5 Type 2 certifies
The C5 Type 2 attestation is designed to help Germany’s most highly regulated industries recognize cloud providers that they can trust. Earning it involves meeting 114 separate information security criteria, including several that aren’t found in other security requirements and certifications. Whereas other certifications focus on identifying whether organizations have the right policies, controls and security features in place, C5 Type 2 goes further. It audits the effectiveness of these measures over a minimum six-month period, providing a rigorous test of cloud providers’ data security approach.
The world has several different, overlapping data security and privacy standards. Although they share similar goals, they often approach analyzing security from different perspectives and require different commitments from organizations to achieve their standards. C5 Type 2, for example, recognizes new security technologies that weren’t required by previous certifications and which give customers in highly regulated industries even greater confidence.
Bring Your Own Key Encryption and other leading security features
These technologies include Bring Your Own Key Encryption, one of the most advanced security innovations around, which enables customers to generate their own, unique encryption keys when sending data to DeepL. This provides unprecedented levels of control and security over when and how data can be accessed. Our customers can permanently remove DeepL’s access to their data at any time, putting it completely out of reach. This is invaluable for highly regulated industries like healthcare and finance.
Other advanced data security technologies are covered by C5 Type 2 as well. Multi-Factor Authentication (MFA) requires anyone logging into their account to verify their identity in two different ways, such as through an authenticator app. Access Control features include controlling which employees can access an organization’s DeepL account from their mobile devices, and ensuring that any logged-in employees are directed to the organization’s secure DeepL account.
How evolving certifications give a 360-degree view of security
C5 Type 2 attestation is a requirement for organizations within Germany that operate in highly regulated industries. However, as a member of the global security and compliance community, I know that its impact stretches far beyond one country. Demonstrating that we meet the standards that countries set for their most sensitive industries sends a clear signal to other organizations too. Wherever they operate, they can have confidence working with DeepL.
Our C5 Type 2 attestation comes just a few months after we announced that DeepL now complies with the United States Health Insurance Portability and Accountability Act (HIPAA). Like C5 Type 2, HIPAA has its own distinct features. It’s a regulation that’s specific to healthcare, reflects the extremely sensitive nature of Protected Health Information (PHI), and includes a Privacy Rule that gives patients the right to access, amend and restrict any data related to them. Among other things, this puts an emphasis on detailed auditing, logging and data encryption processes. The measures that enable DeepL to comply with HIPAA are also relevant to C5 Type 2. Furthermore, they’re relevant to any business that needs technology to work with data in a way that’s transparent and auditable.
Committed to innovating on security
All of the new security certifications and accreditations that DeepL receives are in addition to the standards we hold, such as ISO 27001, SOC 2 Type 2 and GDPR, which provide broad frameworks to cover a range of different industries. All are important. Together they give a full picture of the different approaches we take to keeping our customers’ data secure, giving them full control over when and how it’s used, and ensuring that they have traceability and visibility when it comes to how our AI solutions work with that data.
One of the most important features of security standards and certifications is that they keep evolving. This enables them to align with the ways that data security needs to advance to take account of new threats and cover new kinds of technology. We embrace this as an opportunity to show that we can innovate on providing our customers with the safeguards that they need. In fact, we’re just as passionate about that as we are about developing exciting new solutions to work within those safeguards.