Shadow IT and Translation: How Employees Accidentally Leak Company Secrets
Employees paste confidential text into free translators daily. Here's how to quantify the risk, what gets logged, and a copy/paste policy template to stop it.

Your company has a VPN. You have endpoint protection. You have a DLP solution monitoring email attachments and cloud storage uploads. You run phishing simulations quarterly.
And every day, someone in your organization pastes a confidential contract clause into Google Translate.
This is the translation-shaped hole in your security perimeter. It is not exotic. It is not sophisticated. It is an employee trying to do their job quickly, using the tool they have used since university, without realizing they are exfiltrating data to a third-party service that may log, train on, and retain their input indefinitely.
This post is for CISOs, IT managers, and security teams who want to quantify this risk and close the gap.
What shadow IT in translation actually looks like
Shadow IT is the use of unauthorized applications, services, or devices for work. In translation, it takes several forms:
The browser paste
An employee receives an email in French. They select the text, open translate.google.com, paste, read, and close the tab. Total time: 15 seconds. Total confidential data exposed: the full email body.
The document upload
An employee needs to understand a PDF contract in German. They upload the entire file to a free translation tool. The contract — including party names, deal terms, financial figures, and governing law — now exists on a third-party server.
The ChatGPT shortcut
An employee asks ChatGPT: "Translate this paragraph from our internal policy document." They paste the paragraph. Depending on the subscription tier and whether the account has opted out of data sharing, OpenAI may use that input to train its models.
The mobile app
An employee takes a photo of a whiteboard with strategic plans written in another language. They use Google Lens or a similar app to translate the image. The photo — including all content visible on the whiteboard — is uploaded to a cloud service.
The "it's just a few words" rationalization
The most dangerous form of shadow IT translation is the one employees don't think of as translation at all. They type a foreign phrase into a search engine. They ask a voice assistant. They use an in-browser translation feature. Each of these involves sending text to a third-party service.
What these tools actually log and store
The data handling varies by tool and tier, but here is what employees typically expose:
| Tool | May train on input | Logs content | Retention |
|---|---|---|---|
| Google Translate (web) | May be used to improve services | Yes | Unspecified |
| DeepL Free | May be used to improve services | Yes | Unspecified |
| ChatGPT (Free/Plus) | May be used for training (unless opted out) | Yes | Retained |
| Browser built-in translation | Varies by browser | Varies | Varies |
| Mobile translation apps | Typically yes | Typically yes | Typically indefinite |
The pattern: consumer free tiers generally log inputs and reserve the right to use them to improve the service. Paid and enterprise tiers offer better controls, but only if properly configured. And most employees are using the free version of whatever is fastest. Treat the table as a snapshot: "Unspecified" means no retention period was identified, terms change, and you should verify the current policy for the exact tier in use before relying on it.
We published a detailed policy analysis of why the Google and DeepL free tiers are risky for confidential work.
Quantifying the risk
Shadow IT translation is difficult to measure because it leaves almost no file-shaped trace in your environment. The data leaves through the browser, and the response comes back through the browser. There is no file transfer to flag, no email attachment to scan, no USB device to block. What does remain is the destination: web proxy and DNS logs record which hosts were contacted, even when TLS hides the content, and that is where measurement starts.
But you can estimate the scope:
How many employees translate?
In any organization with international operations, cross-border clients, or a multilingual workforce: nearly everyone. Marketing translates campaigns. Legal translates contracts. HR translates policies. Finance translates reports. Product teams translate documentation.
How often?
Research varies, but professional services firms report that employees use translation tools multiple times per day. Treat that as an order-of-magnitude figure and measure your own environment rather than assuming it. Even in primarily English-speaking organizations, foreign-language documents arrive regularly from suppliers, clients, partners, and regulators.
What data is exposed?
If you assume that employees translate what they need to understand, the data exposed through shadow IT translation mirrors the data they work with. For a law firm: client contracts. For a bank: financial reports. For an HR team: employee records. For a startup: investor term sheets.
What is the cost of exposure?
This depends on what is translated and which tool is used. But consider:
- GDPR fines for unauthorized data processing: up to EUR 20 million or 4% of global annual turnover, whichever is higher
- Regulatory sanctions for client confidentiality breaches: varies by regulator
- Contract damages for NDA violations: varies by agreement
- Reputational damage: incalculable
The probability is high (it is happening right now) and the impact ranges from embarrassing to catastrophic.
Why traditional DLP doesn't catch this
Most DLP solutions monitor for:
- File uploads to unauthorized cloud storage
- Email attachments containing sensitive content
- USB device connections
- Printouts of classified documents
Translation tools bypass all of these. The data moves through the browser as a web request. It does not trigger file upload detection because it is not a file — it is a text string pasted into an input field, or a file uploaded through a web form that the DLP may not inspect.
Some advanced DLP solutions and secure web gateways can monitor browser activity at the URL level (flagging visits to translate.google.com) or at the content level (inspecting form submissions). The URL-level view needs only the destination hostname, which is visible even for HTTPS traffic; the content-level view requires TLS inspection on the proxy, because the pasted text travels inside the encrypted session. Most organizations have configured neither for this specific threat vector.
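To make the measurement concrete, here is an added example (not code from the original post, and not any proxy or DLP vendor's code) that sizes unapproved translation traffic from web-gateway logs. It is the URL-level monitoring described above, and it produces the per-user frequency and volume figures the "Quantifying the risk" section asks for. The log format, user names, paths and byte counts are constructed for illustration; `translate.corp.example` is a hypothetical approved tool; the hostname list is a starting point to maintain, not a complete inventory. The script distinguishes inspected requests (method and URL visible) from CONNECT-only lines, which is all a proxy sees for HTTPS without TLS inspection.

```python
"""Size shadow-IT translation traffic from web-proxy logs (added example).

Constructed log format, not any vendor's real schema:
    <timestamp> <user> <method> <url-or-host:port> <client_bytes> <status>
A CONNECT line is HTTPS without TLS inspection: the hostname is visible,
the method, path and body are not. Adapt parse_line() to your gateway.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Unapproved translation destinations, matched by hostname suffix so that
# subdomains count. A starting point to maintain, not a complete list.
TRANSLATION_HOSTS = {
    "translate.google.com": "Google Translate (web)",
    "translate.googleapis.com": "Google Translate (API / browser feature)",
    "deepl.com": "DeepL",
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
}
APPROVED_HOSTS = {"translate.corp.example"}  # hypothetical approved tool
UPLOAD_THRESHOLD = 50_000  # bytes; above this a request looks like a document, not a phrase


@dataclass
class UserStats:
    requests: int = 0
    bytes_out: int = 0          # bytes the client sent toward the service
    services: set = field(default_factory=set)
    suspected_uploads: int = 0  # requests at or above UPLOAD_THRESHOLD
    opaque: int = 0             # CONNECT-only lines: host known, content not


def host_of(target: str) -> str:
    """Hostname from a full URL or from a CONNECT host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def match_service(host: str):
    """Name of the translation service this host belongs to, or None."""
    host = host.rstrip(".")
    for suffix, name in TRANSLATION_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return None


def parse_line(line: str):
    """Parse one log line into a dict; None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, target, nbytes, status = parts
    try:
        nbytes = int(nbytes)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host_of(target), "bytes": nbytes, "status": status}


def summarize(lines):
    """Aggregate traffic to unapproved translation services per user."""
    stats = defaultdict(UserStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] in APPROVED_HOSTS:
            continue
        service = match_service(rec["host"])
        if service is None:
            continue
        s = stats[rec["user"]]
        s.requests += 1
        s.bytes_out += rec["bytes"]
        s.services.add(service)
        if rec["method"] == "CONNECT":
            s.opaque += 1
        if rec["bytes"] >= UPLOAD_THRESHOLD:
            s.suspected_uploads += 1
    return dict(stats)


def rank_users(stats):
    """Users ordered by bytes sent to unapproved services, largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1].bytes_out, reverse=True)


# Constructed sample log: synthetic users, paths and sizes.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z alice POST https://translate.google.com/translate 2310 200
2024-03-04T09:12:40Z alice CONNECT www.deepl.com:443 187452 200
2024-03-04T09:15:03Z bob POST https://chatgpt.com/api/conversation 5120 200
2024-03-04T09:16:11Z carol POST https://translate.corp.example/api/translate 4096 200
2024-03-04T09:17:45Z bob GET https://www.deepl.com/translator 812 200
2024-03-04T09:18:02Z dave CONNECT translate.googleapis.com:443 640 200
2024-03-04T09:18:30Z eve GET https://example.com/ 300 200
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for user, s in rank_users(summarize(SAMPLE_LOG.splitlines())):
        print(f"{user:8} requests={s.requests:3} bytes_out={s.bytes_out:8} "
              f"uploads={s.suspected_uploads} opaque={s.opaque} "
              f"services={sorted(s.services)}")
```

Run it as a script to print a per-user ranking, then feed it real export lines once `parse_line()` matches your gateway's field order. On CONNECT lines the byte count covers everything in the tunnel, TLS overhead included, so treat it as an upper bound; a large count against a translation host is still a strong signal of a document upload rather than a pasted phrase, and the `opaque` counter tells you how much of your picture would sharpen with TLS inspection.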
3 approaches to close the gap
Approach 1: Block
Block access to unauthorized translation tools at the proxy or firewall level. Add translate.google.com, deepl.com, and consumer chatbot URLs to your blocklist. A hostname blocklist cannot tell a free-tier user from a paid one on the same domain, so if you intend to permit a paid tier, confirm it is served from a distinct endpoint before carving out an exception.
Pros: immediate, comprehensive, requires no employee behavior change.
Cons: employees will find workarounds (mobile phones, personal devices). Creates frustration if no approved alternative is provided. Does not reach personal mobile devices at all, and covers browser built-in translation only if you also block the browser vendor's translation endpoint or disable the feature through managed browser policy.
Approach 2: Redirect
Rather than blocking outright, redirect employees to an approved tool. When someone navigates to an unauthorized translation URL, display a message: "For translation, please use [approved tool]. It provides the same functionality with data handling controls that meet our security policy." Most web proxies and secure web gateways can serve such a custom block page for a hostname or category rule.
Pros: less friction than blocking. Educates employees on why the policy exists. Provides a clear alternative.
Cons: requires a good approved alternative. Redirect may not work for all tool types (mobile apps, browser extensions).
Approach 3: Approve and monitor
Evaluate and approve a secure translation tool that meets your security requirements. Make it easily accessible. Communicate clearly why it is the approved option. Then monitor usage of unauthorized tools as a compliance metric.
Pros: the only approach that actually solves the underlying problem (employees need to translate things). Combines security with usability.
Cons: requires procurement, evaluation, and deployment of an approved tool. Monitoring requires DLP configuration.
The most effective strategy combines all three: block the worst offenders, redirect where possible, and provide a genuinely usable approved alternative.
Sample internal policy template
Here is a template you can adapt for your organization:
Translation Tool Policy
Purpose: to ensure that confidential, personal, or sensitive information is not disclosed to unauthorized third parties through translation tools.
Scope: all employees, contractors, and agents who translate any work-related content.
Policy:
- Approved tools only. Translation of any work-related content must use tools from the Approved Translation Tool List maintained by [IT Security / Compliance].
- Prohibited tools. The following tools are not approved for work-related translation: consumer Google Translate, DeepL Free, ChatGPT (Free/Plus tier), and any browser built-in translation features when processing company content.
- Classification. Before translating, classify the content:
  - Public: any approved tool
  - Internal: approved tools with a no-training policy
  - Confidential: approved tools with zero retention and a data processing agreement (DPA)
  - Restricted: consult Compliance before translating
- No copy-paste of confidential content into any translation tool, search engine, or AI assistant unless it is on the Approved Tool List.
- Reporting. If you have used an unauthorized tool for confidential content, report it to [IT Security] immediately.
Adapt the specifics. The structure matters more than the exact wording.
Takeaways
- Shadow IT translation is happening in your organization right now — employees paste confidential text into free tools daily
- Traditional DLP solutions do not catch browser-based translation tool usage by default
- Free translation tools may log, train on, and retain input indefinitely
- The risk is quantifiable: multiply frequency × data sensitivity × regulatory exposure
- Three approaches: block unauthorized tools, redirect to approved alternatives, approve and monitor a secure tool
- Implement a translation-specific policy and add it to your security awareness training