Security, privacy and data confidentiality are very important to us at ModelFront, as it is to you and to your clients.

Luckily, it's relatively simple. Our technology and operation is very similar to that of machine translation and the most trusted machine translation providers.

Your data is yours. Your data are protected - our servers use Transport Layer Security (TLS) to encrypt every request and response.

For any questions about security, please contact security@modelfront.com.

Private by default

Your data and evaluations are private by default.

Your data for your custom models are never used for any other models, nor any other purpose.

• The text in your API requests ("data in transit") is not permanently stored, it is only processed for handling the request ("no-trace").

• ModelFront quality prediction is fully automated and developed fully in-house.

• No third-party companies or humans have access to your requests, unless you explicitly request machine translation.

• If you request machine translation, then your request is forwarded to the requested third-party machine translation API, and is subject to those API terms.

• You should anonymize consumer user data as necessary to comply with local law.

GDPR

We adhere to the items in the EU's GDPR compliance checklist for US companies.

ModelFront does not gather any consumer user data. For training and evaluation, ModelFront hosts your text data for you specifically (delete upon request). For API requests, ModelFront processes but does not store data ("no trace").

Google Cloud & the General Data Protection Regulation (GDPR)

Delete by request

You can request that we permanently delete your custom models, training data, evaluations or account at any time.

Non-disclosure agreements

We are generally willing to opt in to a standard one-way non-disclosure agreement (NDA) or mutual non-disclosure agreement (MNDA) before you send us your data or discuss your business needs with us.

Our infrastructure

The ModelFront team uses Google Workspace to communicate and GitHub to develop and store ModelFront source code. GitHub is owned by Microsoft.

The ModelFront system is deployed on the Google Cloud Platform, including Google Cloud Storage, with all virtual machines running inside Kubernetes clusters of Docker containers behind Cloudflare.

For more information on the ModelFront technology stack, please contact us.

By default, ModelFront system machines and data are in Google's US datacenters. They can be located in other datacentres by client request.

To discuss  private cloud and on-premise deployment, please contact us.

Penetration and vulnerability testing

A third-party security service carries out penetration testing after major updates to:

• console.modelfront.com
• api.modelfront.com

A third-party security service is regularly scanning and providing reports and alerts for:

• console.modelfront.com
• api.modelfront.com

Audit reporting

Data sent to the ModelFront API and console is received and processed on the Google Cloud Platform.

Metadata created in the ModelFront console is received, processed and stored on the Google Cloud Platform.

Google provides annual audit reports for SOC 1, SOC 2 and SOC 3 compliance that cover all ModelFront infrastructure.

SOC 2 reports are confidential, but ModelFront has permission to share them with third-party auditors under NDA.

• Google Cloud audit reports

Payment processing

This section is only applicable to those customers using the default payment or invoicing options.

To process credit card payments and invoices, ModelFront uses the services of Stripe, Inc. Therefore ModelFront does not store credit card information. Stripe, Inc is subject to the EU-US and Swiss-US Privacy Shield Framework and fully PCI compliant.

“Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.”

Security at Stripe

To pay without a credit card or without Stripe, contact ModelFront to set up invoicing with Stripe or directly.

Our website

To improve user experience, we collect anonymized website user metrics like session time and browser type with third-party tools like Google Analytics. If you want to opt out, you can use one of the many browser add-ons, plugins or extensions built for that purpose.

Our company

As a US-based corporation registered in Delaware, ModelFront Inc. and its officers are subject to US law as well as the laws of other jurisdictions where it operates.

We do not outsource nor work with external consultants. All technical work is done fully in-house by the core ModelFront team.

For more questions about our company, please contact legal@modelfront.com.

Account security

ModelFront accounts require email verification to create. ModelFront account passwords can be reset via email. ModelFront accounts are automatically locked after too many failed attempts to sign in or other suspicious activity.

Raw training data text, API request text or payment card numbers cannot be accessed from an account.

Incident and vulnerability reporting policy

It is our policy to report security incidents, like data breaches, and potential security incidents to affected clients, shut off access as necessary while maintaining the operation of production systems, hold a retrospective and take corrective action to prevent future incidents.

We also warn clients of potential risks when possible. The most common risk is clients' terminated employees continuing to access their ModelFront accounts.

Transparency report

As of March 2023, ModelFront has not received any requests to provide, remove or modify data from the US government or any other.

Note that in the event of a request, ModelFront may be under government order not to disclose the existence of such a request.

In that event, this transparency report will no longer be available or no longer explicitly state that ModelFront has not received any such requests.

Updates

We continually update our approach to security, privacy and data confidentiality as we grow and as technology, laws and concerns change.

We last updated this security, privacy and data confidentiality policy in March 2023.

• April 2021: Added Incident reporting policy
• July 2022: Added GDPR
• July 2022: Removed MongoDB Atlas
• February 2023: Formatting and wording
• March 2023: Update Transparency report