Unpacking Security Gaps in the Language Industry Supply Chain with Crowdin

Representing the language technology platform (LTP) Crowdin, Jourik Ciesielski, CTO at Elan Languages, gave a presentation at SlatorCon Remote December 2025 on the importance of security, confidentiality, and data protection in language technology and in the translation supply chain.

Ciesielski told the audience, “I want to tell a little story here, and I’m going to start off quite positively. […] Many companies are doing many great things when it comes to security. […] You might have one or more ISO certifications, like the ISO 27001 […], you might have all kinds of measures in place to be compliant with GDPR or similar legislation, […] or you might have a private company network VPN […] or use two-factor authentication. […] All of that is really good. […] But it basically confirms that security is top of mind in everything that we do.”

With that in mind, Ciesielski asked the audience to think about how the language industry handles and processes content. “[A company] might purchase a language technology platform like Crowdin, for example, and push all of their data into the system. [But after that,] a multi-language vendor […] might [subcontract to] a single language vendor, […] and then that vendor might hire a freelance linguist to do the actual translation.”

“With every extra step in the supply chain, with every extra actor in the supply chain, the risk of vulnerability increases. And freelance linguists, without realizing it, actually carry a massive, massive responsibility,” he added.

Extremely High Risk

“Freelancers might, for example, share their laptop with their children who play Minecraft on the same laptop and install all kinds of plugins. […] Freelancers might […] connect to public WiFi networks, or fall for phishing attacks, and so on. The risk is extremely high.”

Ciesielski highlighted that “the key message is that if you buy translation, you’re indirectly granting access and edit permissions to people you don’t know, to your very sensitive information, people who don’t have a clue about your security policies. And now I’m going to ask a very rhetorical question: How big is this risk? It’s huge.”

“The risk of doing nothing is too high to be acceptable. Therefore, we have to enforce security in our processes, but also in all of the technologies that we use. And if you are in language services, you know that we use many, many different tools and many different technologies.” — Jourik Ciesielski, CTO, Elan Languages

Ciesielski went on to tell the SlatorCon audience what he sees as the solution to this problem, referencing the security measures and features available in Crowdin. “The one thing that all of our security measures have in common is that they are based on a zero-trust policy. What does that mean? It means that we do not rely on promises. It means that we do not rely on agreements. We only exclusively rely on technical controls to enforce security.”

Technical Controls

“Zero trust. No promises, no agreements, only technical controls,” he stated, adding that a tool like Crowdin enforces Security Assertion Markup Language (SAML) single sign-on for managers, verifies new devices via email, and enforces two-factor authentication via an authenticator application.

“But even that is not entirely waterproof,” he added, explaining that LTP tools like Crowdin can go one step further by automatically deactivating inactive user accounts, setting a maximum lifetime for API tokens, and configuring idle session timeouts. He noted that biometric two-factor authentication is also planned for the future.
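The three account-hygiene controls named above (deactivating inactive accounts, capping API token lifetime, timing out idle sessions) are easy to describe and easy to get subtly wrong. The following is an added example, not Crowdin's code and not taken from the talk: a small offline policy evaluator over constructed account, token and session records. The thresholds (90 days, 30 days, 15 minutes), the record layout and the sample data are all assumptions. It shows two details the paragraph does not spell out: an invited account that was never used must be measured from its creation date rather than treated as "never idle", and deactivating an account must also revoke its tokens and kill its open sessions, otherwise the control is only cosmetic.

```python
"""Offline model of three zero-trust hygiene controls: inactive-account
deactivation, maximum API token lifetime, and idle session timeout.
Added illustration; not Crowdin's implementation. Thresholds and records are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds are assumed for illustration; the talk names the controls, not the values.
INACTIVE_ACCOUNT_DAYS = 90
MAX_TOKEN_LIFETIME_DAYS = 30
IDLE_SESSION_MINUTES = 15


@dataclass
class Account:
    email: str
    created_at: datetime
    last_login: Optional[datetime]  # None means the invitation was never used
    active: bool = True


@dataclass
class ApiToken:
    token_id: str
    owner: str
    issued_at: datetime


@dataclass
class Session:
    session_id: str
    owner: str
    last_seen: datetime


def stale_accounts(accounts, now):
    """Active accounts with no login within INACTIVE_ACCOUNT_DAYS.
    An account that never logged in is measured from its creation date,
    so an unused vendor invitation cannot stay open indefinitely."""
    cutoff = now - timedelta(days=INACTIVE_ACCOUNT_DAYS)
    return sorted(a.email for a in accounts
                  if a.active and (a.last_login or a.created_at) < cutoff)


def expired_tokens(tokens, now, blocked_owners=frozenset()):
    """Tokens older than MAX_TOKEN_LIFETIME_DAYS, plus every token of a
    deactivated owner regardless of age (deactivation must cut API access too)."""
    cutoff = now - timedelta(days=MAX_TOKEN_LIFETIME_DAYS)
    return sorted(t.token_id for t in tokens
                  if t.issued_at < cutoff or t.owner in blocked_owners)


def idle_sessions(sessions, now, blocked_owners=frozenset()):
    """Sessions idle longer than IDLE_SESSION_MINUTES, plus every live session
    of a deactivated owner, so an open browser tab does not outlive the account."""
    cutoff = now - timedelta(minutes=IDLE_SESSION_MINUTES)
    return sorted(s.session_id for s in sessions
                  if s.last_seen < cutoff or s.owner in blocked_owners)


def apply_policy(accounts, tokens, sessions, now):
    """Evaluate all three controls in dependency order: accounts first,
    because that result feeds token revocation and session termination."""
    deactivate = stale_accounts(accounts, now)
    blocked = frozenset(deactivate)
    return {
        "deactivate_accounts": deactivate,
        "revoke_tokens": expired_tokens(tokens, now, blocked),
        "terminate_sessions": idle_sessions(sessions, now, blocked),
    }


# Constructed sample data with a fixed clock so the run is deterministic.
NOW = datetime(2025, 12, 15, 12, 0, tzinfo=timezone.utc)


def _ts(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


SAMPLE_ACCOUNTS = [
    Account("alice@example.com", _ts(2024, 1, 1), _ts(2025, 12, 10)),
    Account("bob.freelance@example.com", _ts(2025, 3, 1), _ts(2025, 6, 1)),  # last login months ago
    Account("carol@example.com", _ts(2025, 8, 1), None),                    # invitation never used
    Account("dave@example.com", _ts(2025, 11, 1), None),                    # recent invitation, still in window
    Account("erin@example.com", _ts(2023, 1, 1), _ts(2023, 2, 1), active=False),  # already off, ignored
]
SAMPLE_TOKENS = [
    ApiToken("tok-a1", "alice@example.com", _ts(2025, 12, 1)),
    ApiToken("tok-a2", "alice@example.com", _ts(2025, 10, 1)),            # 75 days old
    ApiToken("tok-b1", "bob.freelance@example.com", _ts(2025, 12, 14)),  # fresh, but owner is stale
]
SAMPLE_SESSIONS = [
    Session("sess-1", "alice@example.com", NOW - timedelta(minutes=5)),
    Session("sess-2", "alice@example.com", NOW - timedelta(minutes=40)),
    Session("sess-3", "carol@example.com", NOW - timedelta(minutes=1)),  # live tab, stale owner
]

if __name__ == "__main__":
    for action, targets in apply_policy(SAMPLE_ACCOUNTS, SAMPLE_TOKENS, SAMPLE_SESSIONS, NOW).items():
        print(f"{action}: {targets}")
```

Run stand-alone, the script flags Bob and Carol for deactivation, revokes Alice's 75-day-old token and Bob's fresh one, and terminates Alice's idle session together with Carol's still-active one. Whatever platform you use, the check worth doing is the cross-coupling in the last two cases: confirm that deactivating an account in the LTP really does invalidate its API tokens and sessions rather than only blocking the login form.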

“The risk [of not implementing these features] is simply too high to be acceptable,” Ciesielski concluded, reminding the SlatorCon audience to reconsider the security risk of their existing supply chain.