Table of Contents
Translation management platforms sit at a critical junction in the software development lifecycle. They handle unreleased product copy, marketing campaigns, legal disclaimers, and internal communications — content that, if exposed prematurely, can damage brands, violate NDAs, and derail product launches. Yet security in the localization space has historically been an afterthought.
At Better i18n, we took a different approach. Security is not a bolt-on feature. It is baked into every layer of the platform, from how users authenticate to how translation strings are stored and transmitted. In this post, we break down the security architecture that protects your translation workflows.
Authentication: Four Methods, One Principle
The principle is simple: give teams the authentication method that fits their security posture, without compromising on protection.
Email & Password with Verification
The foundation. Every account created with email and password goes through mandatory email verification before access is granted. This eliminates ghost accounts and ensures every user in your organization is a verified human with a real inbox.
We enforce strong password requirements and hash all credentials using modern, salted hashing algorithms. Plaintext passwords never touch our database.
OAuth: Google & GitHub
For teams already invested in Google Workspace or GitHub Organizations, OAuth single sign-on removes password management from the equation entirely. Users authenticate through their existing identity provider, inheriting whatever MFA and session policies are already in place.
This is particularly valuable for development teams. Developers already live in GitHub — letting them authenticate with the same identity reduces friction and eliminates yet another set of credentials to manage.
Email One-Time Codes
OTP via email provides passwordless authentication for users who need access without the overhead of managing credentials. Each code is single-use and time-limited, making it ideal for external collaborators, freelance translators, or stakeholders who review translations occasionally.
No password means no password to phish, reuse, or brute-force.
WebAuthn Passkeys
Passkeys are the future of authentication, and Better i18n supports them today. Built on the WebAuthn standard, passkeys use public-key cryptography where the private key never leaves the user's device. There is no shared secret to intercept, no code to phish, and no password to steal.
For enterprise teams that mandate phishing-resistant authentication, passkeys provide the strongest guarantee available in modern web applications.
Organization & Team Management
Authentication gets users in the door. Authorization determines what they can do once inside.
Better i18n supports multiple organizations per account, each with its own isolated set of projects, members, and billing. This matters for agencies managing multiple clients, enterprises with distinct business units, and consultants working across organizations.
Role-Based Access Control
Three roles provide clear permission boundaries:
- Owner — Full control over the organization, including billing, member management, and destructive operations like organization deletion.
- Admin — Project and member management without access to billing or organization-level destructive actions.
- Member — Day-to-day translation work within assigned projects. No administrative access.
This is deliberately simple. Complex RBAC systems with dozens of granular permissions create confusion and misconfiguration. Three roles, clearly defined, reduce the surface area for permission-related security mistakes.
Member Invitations
New members join via email invitation with a dedicated acceptance page at /invite/{inviteId}. Invitations are scoped to a specific organization and expire after a set period. No open registration, no self-service join — every member is explicitly invited by someone with the authority to do so.
API Key Security: Defense in Depth
CI/CD pipelines, build systems, and automation scripts need programmatic access. API keys make this possible, but they are also one of the most common vectors for accidental exposure (think leaked .env files and committed secrets).
Better i18n applies three layers of protection:
Organization-Level Scoping. Every API key is bound to a single organization. A key created for Organization A cannot access Organization B's data, even if both organizations share the same owner. This prevents lateral movement in the event of key compromise.
Hashed Storage. API keys are hashed before they are written to the database. We store the hash, not the key. If an attacker somehow gains read access to our database, they get hashes — not usable keys. The raw key is shown once at creation time and never again.
Instant Revocation. When a key is compromised — or even suspected of compromise — it can be revoked immediately from the dashboard. Revocation is instant and permanent. There is no grace period, no cached access, no lingering sessions.
Infrastructure: Hardened from the Edge
The platform runs on a stack chosen specifically for its security characteristics:
Cloudflare Workers handle all compute at the edge. This means automatic DDoS mitigation, TLS termination, and geographic distribution without managing servers. There are no open ports, no SSH access, and no traditional attack surface.
PlanetScale provides the database layer with automatic encryption at rest, fine-grained access controls, and audit logging. Database branches allow schema changes to be reviewed before deployment — the same pull request workflow developers use for code.
Cloudflare R2 stores assets with encryption at rest and in transit. Data residency controls let organizations keep their data in specific regions, which matters for GDPR and data sovereignty requirements.
Compliance: SOC 2, ISO 27001, GDPR
Enterprise procurement teams need documentation, not promises. Better i18n is aligned with three major compliance frameworks:
SOC 2 Type II provides independent, third-party verification of our security controls. The audit covers security, availability, and confidentiality — the three trust service criteria most relevant to a translation management platform.
ISO 27001 certification means our information security management system (ISMS) follows the international standard for identifying, assessing, and managing security risks systematically.
GDPR compliance covers data processing agreements, right to erasure, data minimization, and transparent consent. For European teams and any organization handling EU user data, this is non-negotiable.
Encryption: In Transit and At Rest
All data moving between your systems and Better i18n is encrypted with TLS 1.3 — the latest version of the protocol, offering faster handshakes and stronger cipher suites than its predecessors.
Data at rest is encrypted with AES-256 across all storage layers. This includes the database, object storage, and any temporary caches. Encryption keys are managed through the infrastructure providers' key management systems with automatic rotation.
Authentication sessions use secure, HttpOnly, SameSite cookies managed by Better Auth. This combination prevents cross-site scripting (XSS) from accessing session tokens, blocks cross-site request forgery (CSRF) attacks, and ensures cookies are only transmitted over HTTPS.
The Bottom Line
Security in localization is not about checking boxes — though we check those too. It is about recognizing that translation content is sensitive intellectual property that deserves the same protection as source code and customer data.
Better i18n provides four authentication methods (including phishing-resistant passkeys), organization-level isolation with role-based access control, hardened API key management, encrypted infrastructure on Cloudflare's edge network, and alignment with SOC 2, ISO 27001, and GDPR.
Your translations deserve better security. Now they have it.
