Overview
Translation work means files leave your systems and live, briefly, in ours. We take that seriously. This page is the technical complement to our privacy policy and DPA — what we actually do at the bytes-and-buildings level to keep your content safe.
If something here is missing or you need it under NDA (pen-test reports, SOC 2 attestation letter, network diagrams), email legal@rush-studio.com.
Infrastructure & hosting
Rush Studio is hosted exclusively on Amazon Web Services (AWS). Production runs in Frankfurt (eu-central-1) with replication and warm standby in Dublin (eu-west-1). We do not operate production infrastructure in the United States.
The application sits on container workloads behind a VPC with private subnets for all stateful services. Public ingress is restricted to our edge (Cloudflare) and AWS ALB, both with WAF rules and rate-limiting.
AWS is contractually a sub-processor and is certified under SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, and the EU-US Data Privacy Framework. See the full sub-processor list.
Encryption
In transit. Every connection to Rush Studio — web, API, integrations, internal service-to-service — is TLS 1.3 with modern ciphers. TLS 1.0 / 1.1 are disabled at the edge. HSTS is preloaded with max-age=63072000; includeSubDomains; preload.
At rest. Every byte we persist is encrypted with AES-256-GCM via AWS KMS. That includes the application database, S3 object storage, search indices, backups, log archives, and translation-memory exports. Each tenant's content is logically separated and keyed against a per-environment customer master key.
Key management. Master keys live in AWS KMS with automatic annual rotation. Application-level secrets (API tokens, OAuth client secrets, integration credentials) are stored in AWS Secrets Manager, rotated quarterly, and never written to logs or version control.
Passwords. Never stored. We hash with bcrypt at cost factor 12; the hash is what's compared, the plaintext is discarded the moment authentication finishes.
Authentication & 2FA
We require multi-factor authentication. Every account. No exceptions for free, paid, or trial users. The first time you sign in, you'll be walked through enrolling a second factor before you can access any workspace.
Passkeys
RecommendedWebAuthn-backed passkeys sync across devices via iCloud Keychain, Google Password Manager, or 1Password. Phishing-resistant by design.
Hardware keys
FIDO2YubiKey, Titan, or any FIDO2 / U2F-compatible authenticator. Required on Scale-plan admin accounts.
Authenticator apps
TOTP30-second TOTP codes via 1Password, Authy, Google Authenticator, or any RFC 6238 client.
SMS
Fallback onlyAvailable as a backup method. We don't recommend it as a primary — SMS is vulnerable to SIM-swap attacks.
Recovery. When you enroll a 2FA method, we issue ten one-time recovery codes. Store them somewhere safe — they're the only way back into the account if you lose your authenticator. Used codes are invalidated immediately; the pool can be regenerated at any time, which invalidates the previous batch.
Single sign-on. On the Scale plan, SAML 2.0 and OIDC SSO are available against any identity provider (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud, Auth0). SCIM 2.0 user provisioning and de-provisioning are included.
Session policy. Sessions expire after 30 days of inactivity (configurable down to 8 hours on Scale). Admins can force a sign-out across all devices at any time.
Access controls
In the product. Workspaces use role-based access control with five built-in roles (Owner, Admin, Manager, Linguist, Reviewer) and granular per-project overrides. Every action that touches customer content writes to an audit log, exportable in JSON.
Inside Rush Studio. Production access is limited to the on-call engineers who need it (currently six people). Access requires:
- An active SSO session with hardware-key MFA.
- A just-in-time approval from a second engineer for any database read.
- A justification recorded in our access-log channel, public to all employees.
We do not have a generic "admin account" that can read customer content. All production access is identifiable, time-bounded, and reviewed quarterly.
Vulnerability management
We follow a four-track program:
- Dependency scanning — Snyk and GitHub Dependabot run on every pull request and nightly across all repositories. Critical CVEs are patched within 24 hours.
- Static analysis — Semgrep rules tuned to our stack run in CI; high-severity findings block merge.
- Dynamic scanning — Authenticated DAST runs weekly against a staging mirror of production.
- Third-party penetration test — Annually, by an external CREST-accredited firm. The latest report is available under NDA via legal@rush-studio.com.
Findings are triaged within one business day, severity-mapped to CVSS, and tracked in a public-to-employees backlog with SLAs (Critical: 24h, High: 7d, Medium: 30d, Low: 90d).
Incident response
An on-call rotation is staffed 24/7 with a 15-minute response SLA for security pages. For confirmed incidents involving customer data, we notify affected customers within 72 hours of becoming aware — typically much sooner — per the commitments in our DPA.
The notification includes the nature of the incident, the data categories affected, the likely consequences, and the mitigation steps taken or planned. A post-incident review with a written timeline and corrective actions is published to affected customers within 14 days.
Live operational events — degradations, outages, suspected incidents — are posted in real time at status.rush.studio.
Backups & disaster recovery
Backups. The application database is continuously backed up to S3 via point-in-time recovery, retained for 30 days. Object storage uses versioning plus weekly snapshots retained for 90 days. All backups are encrypted with separate KMS keys and stored cross-region.
Targets. RPO (recovery point objective): 5 minutes. RTO (recovery time objective): 4 hours. We test against these quarterly with full restore drills into an isolated environment.
Disaster recovery drill cadence. Quarterly. The last drill (Q1 2026) restored the full production database into a clean account in 1h 47m, well inside RTO.
People & operations
Every employee:
- Passes a background check before start date (jurisdiction permitting).
- Signs a confidentiality agreement covering customer data on day one.
- Completes mandatory security training on hire and annually thereafter.
- Uses a company-managed laptop with full-disk encryption, MDM, and an EDR agent (CrowdStrike).
- Has access reviewed quarterly. Access is revoked within one hour of termination.
Data handling
Data minimization. We collect only what's needed to deliver the service — see the privacy policy for the breakdown.
AI translation routing. When a segment is sent to an AI sub-processor, we transmit only the segment text plus any configured glossary terms. Account metadata, filenames, and project context never leave our infrastructure. All AI sub-processors contractually agree not to train on your data and to delete content after the translation is returned.
Tenant isolation. Customer data is logically separated by tenant ID enforced at every layer (database, search, object storage). Bulk export, deletion, and audit log access all operate within the tenant boundary.
Deletion. When you delete a project or close your account, content is purged from primary storage within 24 hours and from all backups within 30 days. We send written confirmation when the deletion completes.
Compliance & certifications
Current and in-progress:
- SOC 2 Type II — in good standing, audited annually by a Big Four firm. Report available under NDA.
- ISO 27001 — certification in progress; expected Q3 2026.
- GDPR & UK GDPR — full compliance; see GDPR & DPA page.
- CCPA / CPRA — covered under the same data-subject rights flow as GDPR.
- HIPAA — a Business Associate Agreement (BAA) is available for healthcare customers on the Scale plan. Email legal@rush-studio.com.
- PCI DSS — we never see card numbers; payments are tokenized through Stripe. PCI is out of scope by design.
For procurement teams running a vendor security assessment: we maintain prefilled responses for SIG Lite, CAIQ v4, and the EU Cloud CoC. Request the latest copy.
Responsible disclosure
We don't run a public bug bounty (yet), but we welcome reports from security researchers and reward meaningful findings.
Send reports to: legal@rush-studio.com, optionally PGP-encrypted to 0x4F7C 2A8B 3D1E 9F00.
Our promise. If you report in good faith and don't try to access other customers' data, exfiltrate data, run DoS attacks, or use social engineering: we will not pursue legal action, we will acknowledge within one business day, and we will keep you updated until the issue is closed. Confirmed novel findings receive a reward of $250–$10,000 depending on severity and impact.
Contact
Security issues: legal@rush-studio.com — monitored 24/7, target ack within 4 business hours, max one business day.
Privacy / DPO: Pedro Almeida, privacy@rush-studio.com.
Procurement & vendor assessments: legal@rush-studio.com.
Postal: Rush Studio Ltd., 12 Hatton Garden, London EC1N 8AT, United Kingdom.
If anything here is unclear, tell us — we'll rewrite it in the next revision.
