Security

WebTranslate's security architecture, operational controls, and the processes we maintain to protect your website, your data, and your visitors.

Effective: 1 March 2025
Last updated: 1 March 2026
Applies to: web.neurogenhq.com

01 Our Security Commitment

Security is fundamental to WebTranslate. When you route your website traffic through our Translation Delivery Network, you are trusting us with your website's content and your visitors' experience. We take that responsibility seriously.

This page describes the security controls, processes, and standards we maintain. For enterprise security assessments, security addenda, or penetration test results, contact security@neurogenhq.com.

02 Infrastructure Security

WebTranslate runs on enterprise-grade cloud infrastructure with the following controls in place:

  • Distributed architecture: our Translation Delivery Network (TDN) is distributed across multiple geographic regions and data centres, eliminating single points of failure.
  • Network isolation: all internal services are deployed in private virtual networks (VPCs) with strict ingress and egress controls. No internal services are directly internet-accessible.
  • DDoS protection: volumetric and application-layer DDoS mitigation is active at the network edge. We maintain excess capacity to absorb traffic spikes.
  • Redundancy: compute, storage, and networking layers are replicated across availability zones. Our architecture supports automatic failover within 60 seconds.
  • Infrastructure as code: all infrastructure is provisioned through code and version-controlled, ensuring auditability and consistency.

03 Encryption

Data is encrypted at every layer:

  • In transit: all communication between your website's origin server, our edge network, and your visitors is encrypted using TLS 1.2 or TLS 1.3. Older protocol versions (TLS 1.0, 1.1, SSLv3) are disabled.
  • At rest: all stored data — including account configuration, glossary terms, translation logs, and cached content — is encrypted at rest using AES-256.
  • Key management: encryption keys are managed through a dedicated key management service (KMS). Keys are rotated periodically and access is strictly controlled.
  • Certificate management: TLS certificates are automatically provisioned and renewed. We support your own custom certificates for enterprise deployments.

04 Access Controls

Access to WebTranslate systems follows least-privilege principles:

  • Multi-factor authentication (MFA) is required for all employee access to production systems and administrative tools.
  • Role-based access control (RBAC) ensures employees have access only to the systems and data required for their role.
  • Production access is restricted to a small number of named engineers, granted on a need-to-access basis with manager approval.
  • All administrative actions on production systems are logged in an immutable audit trail.
  • Access rights are reviewed quarterly and revoked immediately upon employee offboarding.
  • Third-party vendor access to production systems is prohibited. Vendors work in isolated staging environments.

05 Application Security

Security is embedded throughout our software development lifecycle:

  • Secure development practices: our engineering team follows OWASP guidelines. Code changes undergo peer review before merging.
  • Dependency management: third-party dependencies are monitored for known vulnerabilities using automated scanning tools. Critical patches are applied within 48 hours of disclosure.
  • Static analysis: all code is scanned for security issues as part of the CI/CD pipeline. Builds fail on high-severity findings.
  • Secrets management: no secrets, credentials, or keys are stored in source code. All secrets are managed through a secure vault service.
  • Input validation: all external inputs — including content received from your origin website — are sanitised before processing to prevent injection attacks.
  • Content Security Policy: our dashboard implements strict CSP, X-Frame-Options, HSTS, and other security headers.
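
The TLS and security-header commitments above are the kind of thing a customer can verify on their own domain once it is routed through the TDN. The following Python audit is an added illustration, not WebTranslate's or NeuroGen's code: it takes the negotiated protocol name and a response's headers and reports every deviation from the stated policy (TLS 1.2/1.3 only; HSTS present; a CSP whose script sources allow neither wildcards nor 'unsafe-inline'; framing restricted by X-Frame-Options or CSP frame-ancestors). The one-year HSTS minimum and both sample responses are assumptions constructed for the example.

```python
# Added example: audit a response against the policy stated on this page.
# Thresholds and sample responses are constructed assumptions, not the
# provider's own configuration.
from __future__ import annotations

# Protocol versions the policy allows; anything else is reported.
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}

# Assumed minimum HSTS lifetime: one year (the value preload lists require).
MIN_HSTS_MAX_AGE = 31536000


def tls_version_allowed(version: str) -> bool:
    """True when the negotiated protocol name is one the policy permits."""
    return version in ALLOWED_TLS


def _parse_hsts(value: str) -> tuple[int | None, bool]:
    """Return (max-age, includeSubDomains present) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def _csp_directive(csp: str, name: str) -> list[str] | None:
    """Return the lower-cased source list of one CSP directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return [p.lower() for p in parts[1:]]
    return None


def audit_response(tls_version: str, headers: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means the response complies."""
    findings: list[str] = []
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if not tls_version_allowed(tls_version):
        findings.append(f"TLS: {tls_version} negotiated; only TLS 1.2/1.3 are permitted")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age, include_sub = _parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS: max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if not include_sub:
            findings.append("HSTS: includeSubDomains not set")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src when it is not set explicitly.
        script_src = _csp_directive(csp, "script-src")
        if script_src is None:
            script_src = _csp_directive(csp, "default-src")
        if script_src is None:
            findings.append("CSP: neither script-src nor default-src is set")
        elif "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP: script sources allow 'unsafe-inline' or a wildcard")

    xfo = h.get("x-frame-options", "").upper()
    frame_ancestors = _csp_directive(csp or "", "frame-ancestors")
    if xfo not in ("DENY", "SAMEORIGIN") and frame_ancestors is None:
        findings.append("Framing: neither X-Frame-Options nor frame-ancestors restricts embedding")

    return findings


# Constructed sample responses (not captured from any real host).
COMPLIANT = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for label, version, hdrs in (("compliant", "TLSv1.3", COMPLIANT), ("weak", "TLSv1.0", WEAK)):
        print(label, audit_response(version, hdrs) or ["OK"])
```

Feed it the protocol name and headers from a real fetch of your own site (for example `ssl.SSLSocket.version()` and the response headers from `http.client`) to turn the policy statements into a repeatable check; the sample `WEAK` response produces five findings, the `COMPLIANT` one none.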

06 Network and Perimeter Security

Our network perimeter is protected by multiple layers:

  • Web Application Firewall (WAF): all traffic entering our edge network passes through a WAF with rules to block common web attacks (SQL injection, XSS, path traversal, etc.).
  • Rate limiting: aggressive rate limiting is enforced at the edge to protect against brute-force and enumeration attacks.
  • IP allowlisting: administrative interfaces are accessible only from approved IP ranges.
  • Network segmentation: databases, translation engines, and external-facing services are in separate network segments with explicit firewall rules between them.
  • Intrusion detection: network and host-based intrusion detection systems (IDS) monitor for anomalous activity and alert our security team in real time.

07 Incident Response

We maintain a documented incident response plan with defined severity levels, escalation paths, and response time targets.

  • P0 (Critical — data breach or service unavailability): immediate response, all-hands. Customer notification within 2 hours.
  • P1 (High — degraded service or suspected compromise): response within 1 hour. Customer notification within 4 hours.
  • P2 (Medium — non-critical vulnerability): response within 4 hours. Remediation within 7 days.
  • P3 (Low — informational): addressed in regular security sprint cycles.

For security incidents involving personal data, we notify affected customers within 48 hours in accordance with our GDPR obligations, providing details of the nature of the breach and the steps taken.

Our incident response team conducts a post-incident review for all P0 and P1 incidents, with a written report available to affected enterprise customers.

08 Employee Security

Our people practices reinforce our technical controls:

  • Background checks are conducted for all employees and contractors with access to production systems, in accordance with applicable law.
  • Security awareness training is mandatory for all employees at onboarding and annually thereafter.
  • Employees sign confidentiality agreements covering customer data and trade secrets.
  • Endpoint security: all company devices are enrolled in mobile device management (MDM), have full-disk encryption enabled, and run approved security software.
  • Clean desk and clear screen policies are enforced in our offices.

09 Compliance and Audits

WebTranslate's security programme is aligned with internationally recognised standards. Our current compliance posture:

  • We conduct annual penetration tests by independent third-party security firms. Summary results are available to enterprise customers under NDA.
  • Internal security audits are conducted quarterly.
  • Our infrastructure providers maintain ISO 27001, SOC 2 Type II, and other relevant certifications. Certificates are available upon request.
  • We are working towards formal ISO 27001 certification for NeuroGen's own operations.

Enterprise customers with specific compliance requirements (PCI-DSS, HIPAA, SOC 2 pass-through, etc.) should contact their account manager to discuss available documentation and custom security controls.

10 Third-party and Supply Chain Security

We manage supply chain security through:

  • Vendor assessment: all new vendors with access to customer data are assessed against our security requirements before onboarding.
  • Contractual obligations: vendors are bound by data processing agreements and security addenda requiring equivalent security controls.
  • Periodic review: vendor security posture is reviewed annually or when they disclose significant changes to their infrastructure.
  • Dependency auditing: open-source dependencies are reviewed for licence and security issues.

11 Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities in WebTranslate. If you have discovered a potential security issue, please report it to us so we can address it before it is exploited.

How to report:

  • Email: security@neurogenhq.com
  • Subject line: Vulnerability Disclosure — WebTranslate
  • Please include a description of the vulnerability, steps to reproduce, and potential impact.
  • Please do not publicly disclose the issue until we have had reasonable time to investigate and remediate (typically 90 days).

We commit to:

  • Acknowledging receipt within 2 business days.
  • Providing a status update within 10 business days.
  • Notifying you when the issue is resolved.
  • Not taking legal action against researchers who responsibly disclose in good faith.

We do not currently offer a paid bug bounty programme, but we recognise significant findings publicly (with researcher consent) and may provide other recognition.

12 Contact

For security enquiries, incident reports, or enterprise security assessments:

  • Security issues: security@neurogenhq.com
  • Enterprise security assessments and documentation: your account manager or legal@neurogenhq.com
  • Response time: security reports are triaged within 24 hours