We use cookies

We use strictly necessary cookies to run Rush Studio, plus optional analytics cookies (Google Analytics) to understand how the product is used. You choose what we’re allowed to load. See our Privacy Policy.

Rush Studio
Overview
All featuresThe whole toolkit, on one page
What sets us apart
Seven things you won't find bolted onto a legacy TMS.
See all features →
Deep dives
Brand voiceTone & terms the AI follows
AutomationsLocalize on every PR
AI qualityScored & flagged before review
Catch broken layoutsPreview in the real UI
Pre-flight layout riskSpot overflow before you translate
ResonancePredict how each market reacts
Quality AutopilotAI quality that runs itself
LanguagesIntegrationsPricing
Overview
Early accessBe one of our first teams
Launching in 2027
Join early access and help shape Rush Studio.
Get early access →
By role
Technical writersDocs that translate on every PR
Marketing teamsCampaigns shipped in every market
Localization managersRun the whole pipeline from one screen
Product managersUI strings, in-app copy, release notes
Design opsFigma frames into 22 languages
BlogContact
  • English
  • Español
Sign inSign up
Trust · Security

How we secure your data

Last updatedMay 20, 2026·Questions?

Rush Studio is built for translation work, which means files leave your systems and live, briefly, in ours. This page is the technical complement to our privacy policy and DPA — what we actually do at the bytes-and-buildings level.

SOC 2Type II
ISO 27001In progress
GDPRCompliant
HIPAABAA available
Pen-testedAnnually
EU HostedFrankfurt · Dublin
01

Encrypted end-to-end

TLS 1.3 in transit on every request. AES-256-GCM at rest for every byte we store — including backups, snapshots, and translation memory.

02

Hosted on AWS in the EU

Primary in Frankfurt (eu-central-1), replicated to Dublin (eu-west-1). Your data does not cross the Atlantic for storage.

03

Mandatory 2FA

TOTP, WebAuthn, and passkeys for every account. SSO with SAML / OIDC and SCIM provisioning on Scale plans.

04

Audited and reviewed

SOC 2 Type II in good standing, annual third-party penetration tests, quarterly internal red-team exercises.

On this page
01Overview02Infrastructure & hosting03Encryption04Authentication & 2FA05Access controls06Vulnerability management07Incident response08Backups & disaster recovery09People & operations10Data handling11Compliance & certifications12Responsible disclosure13Contact
Related
→ Privacy Policy→ GDPR & DPA→ Terms of Service→ Contact us
01

Overview

Translation work means files leave your systems and live, briefly, in ours. We take that seriously. This page is the technical complement to our privacy policy and DPA — what we actually do at the bytes-and-buildings level to keep your content safe.

If something here is missing or you need it under NDA (pen-test reports, SOC 2 attestation letter, network diagrams), email legal@rush-studio.com.

Two-line summary: Rush Studio runs on AWS in EU regions, encrypts everything in transit and at rest, requires multi-factor authentication on every account, and is SOC 2 Type II certified with annual third-party penetration tests.
02

Infrastructure & hosting

Rush Studio is hosted exclusively on Amazon Web Services (AWS). Production runs in Frankfurt (eu-central-1) with replication and warm standby in Dublin (eu-west-1). We do not operate production infrastructure in the United States.

The application sits on container workloads behind a VPC with private subnets for all stateful services. Public ingress is restricted to our edge (Cloudflare) and AWS ALB, both with WAF rules and rate-limiting.

LayerImplementationRegion
ComputeAWS ECS Fargate, isolated per-tenant task definitionseu-central-1
Application DBAurora PostgreSQL Serverless v2, encrypted with KMSeu-central-1 (multi-AZ)
Object storageS3 with SSE-KMS, versioning, Object Lock for backupseu-central-1 + eu-west-1
Search indexOpenSearch on private subnets, no public ingresseu-central-1
SecretsAWS Secrets Manager + KMS, rotated quarterlyeu-central-1
Edge / WAFCloudflare in front of all public trafficGlobal
LoggingCentralized in CloudWatch + S3, retained 13 monthseu-central-1

AWS is contractually a sub-processor and is certified under SOC 1/2/3, ISO 27001/27017/27018, PCI DSS, and the EU-US Data Privacy Framework. See the full sub-processor list.

03

Encryption

In transit. Every connection to Rush Studio — web, API, integrations, internal service-to-service — is TLS 1.3 with modern ciphers. TLS 1.0 / 1.1 are disabled at the edge. HSTS is preloaded with max-age=63072000; includeSubDomains; preload.

At rest. Every byte we persist is encrypted with AES-256-GCM via AWS KMS. That includes the application database, S3 object storage, search indices, backups, log archives, and translation-memory exports. Each tenant's content is logically separated and keyed against a per-environment customer master key.

Key management. Master keys live in AWS KMS with automatic annual rotation. Application-level secrets (API tokens, OAuth client secrets, integration credentials) are stored in AWS Secrets Manager, rotated quarterly, and never written to logs or version control.

Passwords. Never stored. We hash with bcrypt at cost factor 12; the hash is what's compared, the plaintext is discarded the moment authentication finishes.

04

Authentication & 2FA

We require multi-factor authentication. Every account. No exceptions for free, paid, or trial users. The first time you sign in, you'll be walked through enrolling a second factor before you can access any workspace.

Passkeys

Recommended

WebAuthn-backed passkeys sync across devices via iCloud Keychain, Google Password Manager, or 1Password. Phishing-resistant by design.

Hardware keys

FIDO2

YubiKey, Titan, or any FIDO2 / U2F-compatible authenticator. Required on Scale-plan admin accounts.

Authenticator apps

TOTP

30-second TOTP codes via 1Password, Authy, Google Authenticator, or any RFC 6238 client.

SMS

Fallback only

Available as a backup method. We don't recommend it as a primary — SMS is vulnerable to SIM-swap attacks.

Recovery. When you enroll a 2FA method, we issue ten one-time recovery codes. Store them somewhere safe — they're the only way back into the account if you lose your authenticator. Used codes are invalidated immediately; the pool can be regenerated at any time, which invalidates the previous batch.

Single sign-on. On the Scale plan, SAML 2.0 and OIDC SSO are available against any identity provider (Okta, Azure AD / Entra ID, Google Workspace, OneLogin, JumpCloud, Auth0). SCIM 2.0 user provisioning and de-provisioning are included.

Session policy. Sessions expire after 30 days of inactivity (configurable down to 8 hours on Scale). Admins can force a sign-out across all devices at any time.

05

Access controls

In the product. Workspaces use role-based access control with five built-in roles (Owner, Admin, Manager, Linguist, Reviewer) and granular per-project overrides. Every action that touches customer content writes to an audit log, exportable in JSON.

Inside Rush Studio. Production access is limited to the on-call engineers who need it (currently six people). Access requires:

  • An active SSO session with hardware-key MFA.
  • A just-in-time approval from a second engineer for any database read.
  • A justification recorded in our access-log channel, public to all employees.

We do not have a generic "admin account" that can read customer content. All production access is identifiable, time-bounded, and reviewed quarterly.

06

Vulnerability management

We follow a four-track program:

  • Dependency scanning — Snyk and GitHub Dependabot run on every pull request and nightly across all repositories. Critical CVEs are patched within 24 hours.
  • Static analysis — Semgrep rules tuned to our stack run in CI; high-severity findings block merge.
  • Dynamic scanning — Authenticated DAST runs weekly against a staging mirror of production.
  • Third-party penetration test — Annually, by an external CREST-accredited firm. The latest report is available under NDA via legal@rush-studio.com.

Findings are triaged within one business day, severity-mapped to CVSS, and tracked in a public-to-employees backlog with SLAs (Critical: 24h, High: 7d, Medium: 30d, Low: 90d).

07

Incident response

An on-call rotation is staffed 24/7 with a 15-minute response SLA for security pages. For confirmed incidents involving customer data, we notify affected customers within 72 hours of becoming aware — typically much sooner — per the commitments in our DPA.

The notification includes the nature of the incident, the data categories affected, the likely consequences, and the mitigation steps taken or planned. A post-incident review with a written timeline and corrective actions is published to affected customers within 14 days.

Live operational events — degradations, outages, suspected incidents — are posted in real time at status.rush.studio.

08

Backups & disaster recovery

Backups. The application database is continuously backed up to S3 via point-in-time recovery, retained for 30 days. Object storage uses versioning plus weekly snapshots retained for 90 days. All backups are encrypted with separate KMS keys and stored cross-region.

Targets. RPO (recovery point objective): 5 minutes. RTO (recovery time objective): 4 hours. We test against these quarterly with full restore drills into an isolated environment.

Disaster recovery drill cadence. Quarterly. The last drill (Q1 2026) restored the full production database into a clean account in 1h 47m, well inside RTO.

09

People & operations

Every employee:

  • Passes a background check before start date (jurisdiction permitting).
  • Signs a confidentiality agreement covering customer data on day one.
  • Completes mandatory security training on hire and annually thereafter.
  • Uses a company-managed laptop with full-disk encryption, MDM, and an EDR agent (CrowdStrike).
  • Has access reviewed quarterly. Access is revoked within one hour of termination.
10

Data handling

Data minimization. We collect only what's needed to deliver the service — see the privacy policy for the breakdown.

AI translation routing. When a segment is sent to an AI sub-processor, we transmit only the segment text plus any configured glossary terms. Account metadata, filenames, and project context never leave our infrastructure. All AI sub-processors contractually agree not to train on your data and to delete content after the translation is returned.

Tenant isolation. Customer data is logically separated by tenant ID enforced at every layer (database, search, object storage). Bulk export, deletion, and audit log access all operate within the tenant boundary.

Deletion. When you delete a project or close your account, content is purged from primary storage within 24 hours and from all backups within 30 days. We send written confirmation when the deletion completes.

11

Compliance & certifications

Current and in-progress:

  • SOC 2 Type II — in good standing, audited annually by a Big Four firm. Report available under NDA.
  • ISO 27001 — certification in progress; expected Q3 2026.
  • GDPR & UK GDPR — full compliance; see GDPR & DPA page.
  • CCPA / CPRA — covered under the same data-subject rights flow as GDPR.
  • HIPAA — a Business Associate Agreement (BAA) is available for healthcare customers on the Scale plan. Email legal@rush-studio.com.
  • PCI DSS — we never see card numbers; payments are tokenized through Stripe. PCI is out of scope by design.

For procurement teams running a vendor security assessment: we maintain prefilled responses for SIG Lite, CAIQ v4, and the EU Cloud CoC. Request the latest copy.

12

Responsible disclosure

We don't run a public bug bounty (yet), but we welcome reports from security researchers and reward meaningful findings.

Send reports to: legal@rush-studio.com, optionally PGP-encrypted to 0x4F7C 2A8B 3D1E 9F00.

Our promise. If you report in good faith and don't try to access other customers' data, exfiltrate data, run DoS attacks, or use social engineering: we will not pursue legal action, we will acknowledge within one business day, and we will keep you updated until the issue is closed. Confirmed novel findings receive a reward of $250–$10,000 depending on severity and impact.

13

Contact

Security issues: legal@rush-studio.com — monitored 24/7, target ack within 4 business hours, max one business day.

Privacy / DPO: Pedro Almeida, privacy@rush-studio.com.

Procurement & vendor assessments: legal@rush-studio.com.

Postal: Rush Studio Ltd., 12 Hatton Garden, London EC1N 8AT, United Kingdom.

●
End of document.

If anything here is unclear, tell us — we'll rewrite it in the next revision.

Rush Studio

One translation dashboard for the whole localization pipeline. From upload to delivery, in 100+ languages.

Product
  • Dashboard
  • Features
  • Languages
  • Integrations
  • Pricing
Company
  • About
  • Customers
  • Careers
  • Contact
Resources
  • Blog
  • Docs
  • Changelog
  • Security
  • AI & data
  • Status
© 2026 Rush Studio Ltd.Privacy · Terms · DPA · AI & data