Infrastructure Update: DeepL's Enhanced Cloud Platform

---

Overview

DeepL is enhancing its infrastructure by incorporating Amazon Web Services (AWS) into our data processing architecture. This hybrid model—combining our existing proprietary European data centers with AWS - enables us to scale reliably, accelerate feature development, and deliver enterprise-grade performance.

Effective Date: Beginning January 1, 2026, new contracts and renewals will reflect our updated infrastructure terms.

---

What Is Changing

With this infrastructure update, customer content data will be processed globally across AWS regions by default. Customers who require data processing within a specific region can purchase the Data Residency add-on (see below).

---

What Is NOT Changing

Commitment	Status
Security Standards	Same encryption protocols and security measures
Privacy Protections	No changes to how we handle and protect your data
Service Delivery	No disruption to your DeepL services
Compliance	Maintaining all current regulatory and compliance standards (including C5 and ISO 27001)

No action is required from you. The transition happens seamlessly behind the scenes with zero downtime or service interruption.

---

Why We Made This Decision

DeepL's rapid growth requires infrastructure that can scale with our expanding global customer base. Partnering with AWS enables us to:

• Scale Reliably - AWS serves millions of enterprise customers worldwide with proven uptime SLAs and operational excellence
• Accelerate Innovation - Cloud-native capabilities allow us to develop and release new features faster
• Enhance Performance - Distributed infrastructure delivers improved latency and responsiveness
• Maintain Security - AWS provides enterprise-grade security certifications and compliance frameworks that complement our existing protections

---

Hybrid Infrastructure Model

DeepL is moving from proprietary data centers only to a hybrid model combining our proprietary infrastructure with the AWS Cloud Platform.

Proprietary Data Centers (Iceland/Sweden): Continue to be used for research, model training, and servicing free-tier users.

AWS Cloud Platform: Handles data processing and storage for business and enterprise customers.

---

How Customer Data Is Managed

Data Categories

Customer Content Data

• Tier 1 — Transient Data: Content submitted to DeepL for processing (e.g., text input for translation). This data is processed instantly and never stored long-term.
• Tier 2 — Stored Data: Content stored with DeepL until the customer actively deletes it (e.g., glossaries, style guides, DeepL Agent service history).

Metadata (Global)
Non-content metadata such as account details and billing information is managed centrally and stored globally.

Default: Global Processing

By default, customer content data may be processed and stored across any of our AWS regions (currently EU, US, and JP). This enables optimal performance and reliability.

---

Data Residency Option

For customers with specific geographic data control requirements, DeepL offers a contractual Data Residency add-on. This option provides:

• Geographic Control - Assurance that your customer content data is stored, processed, and managed exclusively within your selected region
• Compliance Support - Documentation to support your internal governance and legal compliance requirements
• Regional Performance - Optimized processing within your specified region

Available Regions

• EU (European Union)
• US (United States)
• JP (Japan)

Additional regions may be added in the future.

Availability & Pricing

• Data Residency is available to sales-assisted customers only and cannot be purchased via the DeepL website
• Available for most yearly subscription plans
• Only one region per organization can be selected
• If your account includes multiple subscriptions, Data Residency must be purchased for all subscriptions in scope

Note: Operational components such as logging and monitoring may operate outside your selected primary region but do not contain customer content data.

---

GDPR Compliance & Legal Framework

DeepL remains fully GDPR compliant. Our relationship with AWS is governed by a data processing agreement that ensures adherence to GDPR requirements, including the mandatory terms between Controllers and Processors under Article 28 of the GDPR.

For any instances where data is processed outside the European Economic Area (EEA), we have implemented Standard Contractual Clauses (SCCs). These SCCs provide the necessary appropriate safeguards to ensure that data transferred to third countries receives a level of protection essentially equivalent to that within the EU.

---

AWS Security Standards

By incorporating AWS, DeepL benefits from additional security certifications and compliance frameworks, including:

• ISO 27001, 27017, 27018
• SOC 1, SOC 2, SOC 3
• GDPR compliance
• C5 (Cloud Computing Compliance Criteria Catalogue)

Customer data processed and stored in AWS data centers is encrypted. Additionally, we implement supplemental technical measures such as client-side encryption with keys managed outside of AWS's infrastructure, ensuring data protection across multiple security boundaries.

---

Frequently Asked Questions

Will there be any downtime or service interruption?
No. The infrastructure enhancement happens entirely behind the scenes. You will not experience any downtime or disruption to your DeepL services.

Where will my data be processed?
By default, customer content data is processed globally across our AWS regions (EU, US, JP). Non-content metadata is stored centrally. Customers requiring processing within a specific region can purchase the Data Residency add-on.

Do I need to take any action?
No action is required on your part. Your DeepL service continues to work as before. If you require data processing within a specific region, please contact your account representative to discuss the Data Residency option.

Are there any changes to security or privacy?
No. DeepL maintains the same encryption standards, privacy protections, and security measures. The AWS integration enhances our capabilities while preserving all existing security commitments.

When does this take effect?
The updated infrastructure terms are reflected in new contracts and renewals beginning January 1, 2026. Existing customers will be notified in accordance with their contract terms.

Can I guarantee my data stays in a specific region?
Yes. Sales-assisted customers can purchase the Data Residency add-on to contractually guarantee that customer content data remains within their selected region (EU, US, or JP).

What happens to my data if I cancel my subscription?
Customer content is deleted in accordance with our standard data deletion policies, regardless of which AWS region your data is stored in. Please refer to our Help Center article "About the deletion of customer content" for details.

---

For additional questions, please contact your DeepL account representative.

DeepL Agent Achieves ISO 27001 Certification

---

We are pleased to announce that DeepL Agent has successfully achieved ISO 27001:2022 certification, reinforcing our unwavering commitment to information security and data protection.

About DeepL Agent

DeepL Agent is our advanced AI-powered assistant that helps users automate complex tasks through an intuitive chat-like web interface. Built on a secure cloud-based architecture hosted on AWS infrastructure within the EU, DeepL Agent offers a comprehensive set of capabilities:

• Web Browsing – Navigate websites, interact with web applications, and gather information autonomously
• Document Management – Create, edit, and process documents across multiple formats
• Data Processing – Execute code in a secure sandboxed environment for analysis and automation
• Task Planning – Break down complex requests into multi-step plans with parallel execution
• DeepL Translation – Seamlessly integrated access to DeepL's translation services
• Asynchronous Execution – Submit tasks and return later to review progress and results

All customer data remains within EU regions, and our strict no-LLM-training policy ensures your data is never used to train or update the underlying models.

What ISO 27001 Certification Means for Our Customers

ISO 27001 is the internationally recognized standard for information security management systems (ISMS). This certification demonstrates that DeepL Agent has been independently audited and meets rigorous requirements for:

• Risk Management – Systematic identification and mitigation of security risks
• Data Protection – Robust controls safeguarding customer data throughout its lifecycle
• Operational Security – Secure development, deployment, and operational practices
• Continuous Improvement – Ongoing monitoring, assessment, and enhancement of security measures

Our Commitment

DeepL Agent operates under the same comprehensive Information Security Management System (ISMS) that governs all DeepL services, ensuring consistent, enterprise-grade data protection. Key security measures include:

• Task isolation architecture preventing cross-contamination of data between users
• Ephemeral data processing with no retention for training purposes
• TLS 1.2/1.3 encryption for all data transmission
• Logical data separation between customers
• Multi-factor authentication and role-based access controls

This certification reflects the dedication of our security, engineering, and compliance teams who work tirelessly to uphold the highest standards of information security.

Verification

Customers and partners can request a copy of our ISO 27001 certificate through our Trust Center.

Drift Vulnerability Statement

We are aware of the recently disclosed Drift vulnerability. After careful review, we can confirm that DeepL is not affected by this issue, as we do not use Salesforce-Drift in our environment.

As an added precaution, we have also reviewed our Salesforce audit logs to ensure that there has been no suspicious or malicious activity in our instance.

We remain committed to the security and privacy of our users and will continue to monitor the situation.

We are proud to announce that DeepL has successfully achieved the C5 Type 2 attestation and renewed its SOC 2 Type 2 report. These achievements underscore our unwavering commitment to protecting customer data, maintaining transparency, and adhering to internationally recognized security and compliance standards.

About the C5 Type 2 Attestation

The C5 (Cloud Computing Compliance Criteria Catalog) attestation, issued by the German Federal Office for Information Security (BSI), is one of the most stringent standards for cloud security. The Type 2 attestation goes beyond a point-in-time evaluation, requiring a detailed review of our security measures over an extended period. This ensures that DeepL not only meets industry-leading security requirements but also consistently maintains them in practice.

Key areas covered by the C5 attestation include:

• Data Security: Robust measures to protect data against unauthorized access and breaches.
• Transparency: Clear documentation of data handling and operational processes.
• Compliance: Alignment with German and EU regulatory requirements, including GDPR.

About the SOC 2 Type 2 Report

The SOC 2 (Service Organization Control) framework is an internationally recognized standard for evaluating an organization’s controls related to security, availability, and confidentiality. The Type 2 report provides assurance that DeepL has implemented and maintained these controls effectively over time.

Key benefits of the SOC 2 Type 2 report include:

• Independent Validation: Confirmation from an external auditor that our systems and processes meet strict security and operational standards.
• Customer Confidence: Assurance that your data is handled securely and reliably.
• Ongoing Commitment: A demonstration of our continuous efforts to maintain and improve our security posture.

We are thrilled to announce that DeepL has achieved HIPAA compliance, marking another significant milestone in our commitment to safeguarding sensitive data and providing the highest standards of security and privacy for our users.
The Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for the protection of sensitive health information (PHI), and this compliance demonstrates that DeepL meets the rigorous requirements for handling and securing such data.

What Does This Mean for You?

• Enhanced Data Security: DeepL now adheres to HIPAA's stringent requirements for protecting sensitive health information, ensuring that all your data is handled with the utmost care.
• Trust and Reliability: Whether you're in healthcare, research, or any industry that requires HIPAA compliance, you can trust DeepL to provide secure and reliable translation services.
• Commitment to Privacy: This achievement reflects our ongoing dedication to protecting your data and maintaining transparency about our security practices.