noll vs DeepL Pro vs Google Cloud Translation: Which Is Actually Safest?

A security-focused comparison of noll, DeepL Pro, and Google Cloud Translation. No quality benchmarks — just training policies, retention windows, residency, and audit evidence.

Nicolai Schmid · 9 min read

This is not a translation quality comparison.

If you want to know which tool produces the most fluent German-to-English output, there are benchmarks for that. This post is about a different question entirely: when you upload a confidential document, what happens to it?

I've spent weeks reading privacy policies, DPAs, and enterprise security documentation for the three tools that come up most often in procurement conversations: DeepL Pro, Google Cloud Translation, and noll. Here's what I found — and more importantly, what you should be checking.

Why 'secure' needs a definition first

The word "secure" gets thrown around in marketing the way "natural" gets thrown around on food labels. It sounds meaningful, it feels reassuring, and it tells you almost nothing.

Before comparing tools, you need to agree on what security actually means for document translation. I use five criteria:

  1. Training — does the vendor use your content to improve its models?
  2. Retention — how long does your content exist on their systems?
  3. Residency — where is your content processed and stored?
  4. Access — who (or what) can access your content during and after translation?
  5. Auditability — can you verify these claims, or are you trusting marketing copy?

If a vendor can't give you clear, specific answers on all five, that's your first red flag.

DeepL Pro: what changes vs Free (and what doesn't)

DeepL is an excellent translation engine. The quality is genuinely impressive, and it's often the first tool teams reach for. But quality and security are different conversations.

Training

Free tier: DeepL's terms state that free translations may be used to improve their service. Your text can become training data.

Pro tier: DeepL Pro users get a commitment that their translations won't be used for training. This is meaningful. It's the primary reason most companies upgrade.

Retention

This is where things get less clear. DeepL Pro states that text is deleted after the translation is processed. But the specifics — hard delete vs soft delete, backup retention, log retention — aren't prominently documented.

For many use cases, "deleted after processing" is good enough. For regulated industries where your compliance team needs to document a specific retention window? You'll want to ask DeepL's sales team directly and get it in writing.

Residency

DeepL processes data in the EU (they're a German company based in Cologne). For EU organizations, this is a natural fit. The question is whether all processing — including API calls, caching, and failover systems — stays within EU borders at all times. Their enterprise security page covers this, but the depth of detail varies by plan tier.

Access

Pro users get stricter access controls than free users. But the web interface and the API have different data handling terms. If your team is using the DeepL web translator (paste text into browser), the guarantees are different than if they're using the API through an integrated workflow.

This distinction matters because in practice, most employees use the web interface. IT buys the Pro license; employees use whatever's fastest.

Auditability

DeepL provides a DPA for Pro customers. They publish a subprocessor list. For enterprise plans, there are additional security documents. The level of auditability scales with how much you're willing to pay and how much you push during procurement.

Google Cloud Translation: enterprise vs consumer

The first thing to understand about Google and translation: there are two completely different products.

Google Translate (the consumer app at translate.google.com) and Google Cloud Translation API (the enterprise service) have fundamentally different data handling policies. Most people conflate them, which leads to bad decisions in both directions.

Training

Consumer Google Translate: Google's privacy documentation states that translations may be used to improve the service. Your text can become training data.

Cloud Translation API: Google Cloud's data usage FAQ explicitly states that customer data submitted to the Cloud Translation API is not used to train Google's models. This is a strong commitment — and it's the one that matters for enterprise use.

The problem: if even one employee uses the consumer app instead of the API, that commitment is meaningless for that translation.

Retention

Cloud Translation API processes text transiently — Google states it doesn't persistently store customer translation content. But "persistent storage" is a technical term, and transient processing still involves temporary storage in memory, logs, and potentially caching layers.

For most enterprise use cases, Google Cloud's retention posture is strong. But again, the specifics of log retention and infrastructure-level caching aren't always documented to the level a compliance officer might want.

Residency

Google Cloud offers regional processing, and you can specify EU regions. But Google's global infrastructure means understanding exactly which subprocessors, CDN nodes, and failover systems touch your data requires careful review of their subprocessor list.

For organizations subject to strict EU data residency requirements, the configuration exists — but it's not the default. You have to set it up correctly, and verify it.

Access

Google has robust access controls, encryption at rest and in transit, and a comprehensive security program (SOC 2, ISO 27001, etc.). For large enterprises, this is often a deciding factor — Google's security infrastructure is among the strongest in the industry.

The tradeoff is complexity. Configuring Google Cloud Translation securely requires IAM setup, VPC configuration, and ongoing monitoring. It's not a "paste and translate" experience.

Auditability

Google publishes extensive compliance documentation, including SOC 2 reports, ISO certifications, and detailed DPAs. For enterprises with mature security programs, this is excellent. For smaller organizations, it can be overwhelming.

noll: stateless architecture and its tradeoffs

Full disclosure: I co-founded noll. I'm going to be as specific about our limitations as I am about our strengths.

Training

noll never uses customer content for training. Not on any tier. Not in any configuration. We don't have a training pipeline for customer data because we don't have a proprietary translation model — we route through enterprise-grade APIs with contractual no-training guarantees.

Retention

This is our core differentiator. noll operates on a 30-minute hard deletion window. After translation, your source file and translated output are available for download for 30 minutes. Then they're permanently deleted. No soft delete. No backups. No logs containing document content.

This is verifiable: there is no translation history, no dashboard, no way to recover a document after the window closes.

The tradeoff is real: if you forget to download your translation, it's gone. There's no "recently translated" tab to save you. That's by design, but it requires teams to adapt their workflow.

Residency

All processing happens in EU data centers. No exceptions, no failover to non-EU regions. This is straightforward because our architecture is simpler — we don't have the global infrastructure complexity of Google or the multi-tier product structure of DeepL.

Access

Zero-access architecture. No noll employee can view, access, or retrieve your document content. There's no admin panel with a "view customer documents" feature because there are no customer documents to view after the retention window closes.

Auditability

We provide a DPA, publish our data handling practices in detail, and our architecture is simple enough to be fully understood by a compliance team in a single conversation. We don't have SOC 2 or ISO 27001 certification (yet) — that's a genuine gap for organizations that require it.

The comparison table

| Criterion | DeepL Pro | Google Cloud Translation | noll |
|---|---|---|---|
| Training on content | No (Pro tier) | No (Cloud API) | No (all tiers) |
| Retention window | Short (unspecified) | Transient processing | 30 min (hard delete) |
| Content logging | Reduced | Minimal | None |
| EU data residency | Default (German company) | Configurable | Default (EU-only) |
| DPA available | Yes (Pro) | Yes (Cloud) | Yes |
| SOC 2 / ISO 27001 | Yes | Yes | Not yet |
| Account required | Yes | Yes (GCP account) | No |
| Translation history | Yes | Depends on config | None |
| Format preservation | Limited | API (text-only) | Full (PDF, DOCX) |
| Setup complexity | Low | High | Minimal |

Decision framework: when to pick which

Rather than declaring a "winner," here's how to match the tool to your actual requirements.

Choose DeepL Pro when:

  • Translation quality is your primary concern and you have a mature review workflow
  • Your compliance requirements are satisfied by "no training" without needing specific retention SLAs
  • Your team wants glossary management, formality controls, and a polished web interface
  • You're comfortable with per-seat pricing and your usage is consistent enough to justify it

Choose Google Cloud Translation when:

  • You're already in the GCP ecosystem and want API-level integration
  • Your organization has the engineering resources to configure and maintain a secure setup
  • You need the broadest language coverage and are willing to trade simplicity for capability
  • Your security team wants vendor certifications (SOC 2, ISO 27001) and detailed audit reports

Choose noll when:

  • Your documents are confidential enough that any retention is a risk (legal, M&A, HR, medical)
  • You need verifiable, time-bound deletion that you can document for compliance
  • Your team needs to translate formatted documents (PDF, DOCX) without destroying layout
  • You want the simplest possible setup — no accounts, no configuration, no dashboard to manage
  • EU data residency is a hard requirement, not a nice-to-have

Combine them when:

Most organizations don't need to choose just one. Use the right tool for the right risk level:

  • Low sensitivity (marketing copy, internal memos): whatever's fastest
  • Medium sensitivity (business communications, general contracts): DeepL Pro or Google Cloud API
  • High sensitivity (privileged legal docs, M&A, patient data, employee records): noll or equivalent zero-retention tool

What to ask any vendor

Regardless of which tool you're evaluating, run it through the same five questions. A full vendor evaluation checklist is available, but here's the minimum:

  1. Do you train on my content? — accept only "no, never" with contractual backing.
  2. What's your retention window? — "we delete it" isn't specific enough. Get a number.
  3. Where is my data processed? — "EU" isn't specific enough. Which data center? What about failover?
  4. Who can access my content? — "only authorized personnel" isn't specific enough. What personnel? Under what conditions?
  5. How can I verify these claims? — if the answer is "trust us," keep looking.

Takeaways

  • "Secure" means different things to different organizations — define your criteria before comparing
  • DeepL Pro removes training risk but leaves retention details underspecified for some use cases
  • Google Cloud Translation API has strong enterprise controls but requires technical setup to configure correctly
  • noll trades features (history, glossaries, dashboards) for architectural simplicity and verifiable deletion
  • Most teams should use different tools for different sensitivity levels, not pick one for everything
  • Always ask the five questions: training, retention, residency, access, auditability
