Unveiling Security Gaps in the Language Industry's Supply Chain: A Case Study with Crowdin
In a thought-provoking presentation at SlatorCon Remote December 2025, Jourik Ciesielski, CTO at Elan Languages, shed light on the critical importance of security, confidentiality, and data protection in the language technology and translation supply chain. He emphasized the often-overlooked risks associated with the industry's complex processes.
Ciesielski began by acknowledging the positive efforts many companies make to prioritize security, citing ISO certifications, GDPR compliance, company VPNs, and two-factor authentication as examples of robust measures. However, he pointed out that these efforts primarily cover internal processes and technologies, leaving a significant gap further down the supply chain.
The Language Industry's Complex Supply Chain
Ciesielski described the typical journey of content in the language industry. A company might use a language technology platform such as Crowdin to manage its data. The content then passes through a series of subcontracting steps before eventually reaching a freelance linguist for translation. Each additional handoff in the supply chain introduces new points at which the data can be exposed.
The Freelance Linguist's Role
He emphasized that freelance linguists often carry substantial responsibility for client content without being aware of the risks. For instance, they might share their laptops with family members, connect to public WiFi networks, or fall victim to phishing attacks. Any of these can expose sensitive information and undermine the security controls applied upstream.
The Scale of the Risk
Ciesielski posed a rhetorical question: how significant is this risk? His answer was that it is enormous, and that the consequences of inaction are too severe to ignore.
Addressing the Challenge
To combat this, Ciesielski advocated implementing security measures not only in processes but also in the technologies used. He highlighted the zero-trust policy adopted by Crowdin, which relies solely on technical controls for security enforcement. This approach ensures that security does not depend on promises or contractual agreements but on controls that are enforced technically.
Technical Controls in Action
Crowdin's security features include enforcing SAML (Security Assertion Markup Language) single sign-on for manager accounts, verifying devices via email confirmation, and implementing two-factor authentication through an authenticator application. Ciesielski also mentioned plans to strengthen these controls with features such as automatically deactivating inactive user accounts, setting lifespans on API tokens, and configuring idle session timeouts.
The Bottom Line
In conclusion, Ciesielski urged the SlatorCon audience to reassess the security risks within their supply chains. He emphasized that the industry must prioritize security at every stage to protect sensitive information and maintain the integrity of the language technology and translation processes.