Security whitepaper
This document provides a comprehensive overview of how Langbly protects customer data. It covers infrastructure, encryption, authentication, data flow, access controls, incident response, and GDPR compliance.
For a shorter summary, see Security and data handling.
Architecture Overview
Every translation request flows through a simple, stateless path:
- Client request arrives over TLS 1.3 at the API endpoint
- Authentication — the API key is verified against the key management service
- Rate limiting — request volume is checked against plan limits
- Translation — text is sent to the translation engine
- Response — translated text is returned to the client
- Discard — request and response content is dropped from memory
There is no queue, no background processing, and no content storage. Each request is independent and fully processed before the response is sent.
Endpoints
| Endpoint | Region | Use case |
|---|---|---|
| api.langbly.com | Netherlands (europe-west4) | Global access, lowest latency |
| eu.langbly.com | Finland (europe-north1) | Strict EU data residency |
Both endpoints use the same codebase, authentication, and billing. The only difference is where translation processing happens.
Encryption
In transit
All API traffic uses TLS 1.3. Connections using older TLS versions or plaintext HTTP are rejected at the edge. There is no option to downgrade or bypass encryption.
API keys are transmitted in the X-API-Key header (recommended) or as a query parameter. Header-based transmission is preferred because query parameters may appear in server logs and browser history.
At rest
Account data (email, name, billing information) and usage metrics are encrypted at rest using AES-256. Encryption is handled by the cloud provider's managed encryption service with automatic key rotation.
Translation content is not encrypted at rest because it is never stored. There is nothing to encrypt.
Authentication
API keys
Every API request requires a valid API key. Keys are verified on each request through a dedicated key management service that handles:
- Key validation and lookup
- Per-key rate limiting
- Usage tracking per key
Customers can create multiple API keys per account and revoke them independently. Key revocation takes effect immediately.
Dashboard access
The Langbly dashboard uses email/password authentication with secure session management. Sessions expire after a period of inactivity.
Data Handling
Zero content retention
This is the most important security property of the Langbly API: translation content is never stored.
- Request bodies (source text) exist in memory only during processing
- Response bodies (translated text) exist in memory only until sent to the client
- No translation content is written to disk, databases, or log files
- No translation content is cached (Redis stores only usage counters, not text)
What we do store
| Data type | Purpose | Retention |
|---|---|---|
| Account info (email, name) | User management | Duration of account |
| Billing data | Invoicing via payment provider | As required by law |
| API keys (hashed) | Authentication | Until revoked |
| Usage counters | Billing, rate limiting | Duration of account |
| Request metadata | Monitoring, debugging | 30 days |
Request metadata includes timestamp, language pair, character count, and response time. It does not include the actual text content.
What we never store
- Source text submitted for translation
- Translated output text
- File contents (if applicable)
- Any derived data from translation content
No-Training Policy
Langbly does not use customer data to train, fine-tune, or improve any models. This is a permanent, unconditional policy.
Your translation content is processed and discarded. It is not aggregated, analyzed, or used for any purpose beyond fulfilling your specific API request.
Network Security
Infrastructure isolation
Each API endpoint runs in its own isolated compute environment. Key properties:
- No shared compute resources between customers
- Databases are not accessible from the public internet
- Internal services communicate over private networking
- Egress is restricted to required external services only
DDoS protection
API endpoints sit behind a global CDN and DDoS mitigation layer that filters volumetric and application-layer attacks before they reach the origin servers.
Rate limiting
Rate limits are enforced per API key through the key management service. Limits vary by plan tier and are designed to prevent abuse without impacting legitimate usage.
Access Controls
Principle of least privilege
Production infrastructure access follows strict least-privilege principles:
- Only the operator has direct access to production systems
- No shared credentials or service accounts for human access
- All infrastructure changes are deployed through version-controlled pipelines
- Administrative access is authenticated and logged
Dependency management
Dependencies are managed through lockfiles and updated regularly. Security advisories for dependencies are monitored and patched promptly.
Incident Response
Detection
Automated monitoring checks both API endpoints every minute. Health checks verify:
- API endpoint availability
- Database connectivity
- Cache availability
- Translation engine responsiveness
- Response time percentiles
Alerts fire within 5 minutes of detecting an issue.
Response process
| Phase | Target | Action |
|---|---|---|
| Detection | < 5 minutes | Automated monitoring detects the issue |
| Triage | < 15 minutes | Determine severity and impact |
| Initial response | < 30 minutes | Begin investigation, update status page |
| Resolution | < 4 hours | Restore service to normal operation |
| Post-mortem | < 5 business days | Root cause analysis shared with affected customers |
Data breach notification
If a data breach occurs, affected customers are notified within 72 hours as required by GDPR Article 33.
Because Langbly does not store translation content, the potential scope of any breach is limited to account metadata (email, name, billing data) and API keys. There is no corpus of customer translations that could be exposed.
EU Data Residency
Customers requiring strict EU data residency can use the dedicated endpoint at eu.langbly.com. On this endpoint:
- The API server runs in Finland (europe-north1)
- Translation processing uses EU-based infrastructure exclusively
- The database is in the EU
- No data leaves the European Union at any point during processing
For full details, see EU Data Residency.
GDPR Compliance Mapping
The following maps Langbly's practices to specific GDPR articles:
Article 5 — Principles
| Principle | How Langbly complies |
|---|---|
| Lawfulness, fairness, transparency | Processing based on contractual necessity. Privacy policy and DPA publicly available. |
| Purpose limitation | Data processed exclusively for providing translation services and billing. |
| Data minimization | Only account data and usage metrics stored. Translation content not retained. |
| Accuracy | Customers control their account data and can update it at any time. |
| Storage limitation | Translation content retention is zero. Account data kept for duration of account. |
| Integrity and confidentiality | TLS 1.3, AES-256 at rest, isolated infrastructure, access controls. |
Article 6 — Lawfulness of Processing
Langbly processes personal data on the basis of contractual necessity (Article 6(1)(b)). The customer submits data for translation, and Langbly processes it to fulfill that request.
Article 25 — Data Protection by Design and by Default
Zero content retention is a design decision, not a policy bolt-on. The architecture physically cannot retain translation content because there is no storage mechanism for it. This is data protection by design.
Article 28 — Processor Obligations
Langbly acts as a data processor on behalf of the customer (data controller). A Data Processing Agreement (DPA) is available at langbly.com/dpa.
Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud hosting provider | API hosting and infrastructure | Netherlands / Finland |
| Stripe | Payment processing | United States (with EU SCCs) |
Article 32 — Security of Processing
See the Encryption, Network Security, and Access Controls sections above. Measures include:
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- Isolated compute environments
- Least-privilege access controls
- Automated monitoring and alerting
Article 33 — Breach Notification
Langbly notifies the relevant supervisory authority within 72 hours of becoming aware of a breach. Affected customers are notified without undue delay.
Articles 15-22 — Data Subject Rights
Customers can exercise the following rights by contacting hello@langbly.com:
- Right of access (Art. 15): Request a copy of stored personal data
- Right to rectification (Art. 16): Correct inaccurate account data
- Right to erasure (Art. 17): Request deletion of account and all associated data
- Right to restriction (Art. 18): Restrict processing of personal data
- Right to data portability (Art. 20): Receive account data in a structured format
- Right to object (Art. 21): Object to processing of personal data
Translation content cannot be subject to these requests because it is not stored.
Audits
Langbly makes available to customers all information necessary to demonstrate compliance with GDPR Article 28. Customers may conduct audits of Langbly's data processing practices, subject to reasonable advance notice (30 days) and scheduling during business hours.
Contact
For security questions, vulnerability reports, or compliance inquiries:
- Security issues: security@langbly.com
- General inquiries: hello@langbly.com
- DPA requests: langbly.com/dpa