DeepL Logo

DeepL completes SOC 2 Type II report, further enhancing security and confidentiality

What you need to know about SOC 2 Type 2 reports and DeepL:

  • A SOC 2 Type II report evaluates a company’s information systems regarding security, availability, confidentiality, processing integrity, and privacy
  • This report illustrates DeepL’s continued dedication to world-class data protection and security
  • DeepL’s full SOC 2 Type II report can be accessed via request here

Does your company have specific security requirements for all the tools and vendors it works with? If you answered yes, good—you should. From GDPR to ISO 27001, there are many important data security and privacy measures you need to take into consideration.

On that note, we have great news. DeepL now has another qualification to add to its growing list: the SOC 2 Type II report. This extensive auditing procedure provides the proof that security-conscious organizations need when choosing which tools and service providers to work with.

Want to learn more about what this is, why it’s important, and how you can access DeepL’s report? Read on.

What is a SOC 2 Type II report?

an illustration of the Soc 2 type 2 five trust service principles

The Service and Organization Controls (SOC) 2 Type II report was ​​developed by the American Institute of Certified Public Accountants (AICPA), based on the Trust Services Criteria (TSC), as a way to define proper customer data management. 

The purpose of the SOC 2 report is to evaluate information systems of a company or organization based on five “trust service principles”, which are:

  • Security: this is a critical principle for all companies or organizations that deal with sensitive or confidential information. For DeepL, this means that we put controls in place to protect against theft, unauthorized access, or destruction of our systems and data.
  • Availability: this principle is vital for companies that rely on their systems and data to conduct their day-to-day business operations. At DeepL, this means we use controls to maintain the consistent availability of all our systems and data. 
  • Processing integrity: critical for organizations that rely on accurate data to make business decisions, meeting this principle requires controls be put in place to ensure the accuracy and completeness of data processing.  
  • Confidentiality: this principle is necessary for organizations that handle sensitive data and information. At DeepL, it means we introduce controls to safeguard the confidentiality of our systems and data. For example, the SOC 2 Type II audit verified that we never store any DeepL Pro translation data—effectively maintaining the full confidentiality of users’ data.
  • Privacy: this principle is critical for organizations that collect, process, or store personal information, and refers to controls put in place to protect the privacy of personal data.

According to Maximilian Ehrlich, DeepL’s Information Security Officer, it’s important to note that “each SOC 2 Type II report is unique to the organization and, therefore, reflects its own designed controls in accordance with its business objectives, risks, and adherence to the trust service criteria.” 

As the SOC 2 Type II report provides critical information on how customer data is managed, it must be issued by an outside auditor. It’s the job of this auditor to assess how well the company or organization in question is complying with the five trust principles defined above.

How is a SOC 2 Type II report different from a Type I report?

If there’s a SOC 2 Type II report, there has to be a Type I, right? Indeed, there is—and there are some important distinctions between the two. 

The main difference between the Type I and the Type II report is that the Type I describes the existing controls of a company. On the other hand, the Type II requires that an independent auditor checks the described controls.  

According to Ehrlich, the Type II report proves that “the predefined policies and procedures have been successfully followed for a reporting period of 12 months", which is verified by a third party. Therefore, the Type II report serves as a much stronger testament to existing security controls than a Type I report. 

Why are SOC 2 Type II reports important?

While not every company requires their partners and service providers to have passed their SOC 2 Type II report, the most security-minded organizations do.

Successfully completing the SOC 2 Type II audit is a rigorous, extensive undertaking. Thus, having this report is a clear sign to all potential partners, suppliers, and clients that your company prioritizes data security and privacy—and you’ve put in the work to prove it. 

At DeepL, data security, privacy, and data protection are of the utmost importance—which is why we’re so pleased to share that DeepL has passed its independent SOC 2 Type II audit of its Pro service, conducted by a Certified Public Accountant (CPA).

Here, Ehrlich perfectly captures DeepL’s shared sentiment, stating: “We are proud to announce our SOC 2 Type II report as further evidence of DeepL’s commitment to security and validation of our security measures."

Want to read DeepL’s SOC 2 Type II report?

DeepL's SOC 2 type 2 (service organization controls) report cover

Of course, we’re happy to share DeepL’s audit verdict and the final report:

And if you’d like to learn more about how we protect customer data at DeepL, you can peruse our data security page or check out our data protection deep dive.