At Unbabel, we are committed to keeping our customer data safe. Privacy and Security Principles are at the core of everything we do.
We recognize our responsibility in maintaining the completeness, accuracy and privacy of communication between our customers and their customers as we translate. This responsibility is reflected in the control environment designed and implemented at Unbabel, and in our teams’ processes and activities.
Our solution is also GDPR and CCPA compliant, and Unbabel is strongly committed to industry best practices in information security, privacy and quality, being ISO 27001 certified, in addition to pursuing the ISO 9001 certification during 2024.
This webpage is designed to give you an overview of our controls in place. Our team is also happy to answer questions that may arise, so please feel free to get in touch.
Chief Technology Officer
Access Control
Unbabel has a robust system in place for granting, reviewing and revoking access to its infrastructure, network and applications. Least-privilege access is implemented across Unbabel for both physical and logical access, taking into account the cases in which Unbabel team members require access to perform their assigned activities.
Access Control of Processing Areas
Unbabel implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where data is processed, used or stored.
These include:
- Establishing secure areas;
- Protecting and restricting access paths through controls such as custom-designed electronic access cards, alarms, vehicle access barriers;
- Allowing only authorized personnel, whether Unbabel employees or duly authorized third parties, to access the data processing equipment, and only after they have provided a justification and gone through an approval process;
- Ensuring that all access to the server room is logged, monitored and tracked.
Access Control to Data Processing Systems
Unbabel implements suitable measures to prevent its data processing systems from being used by unauthorized persons. Unbabel commits that the persons entitled to use its data processing systems are only able to access data within the scope and to the extent covered by their respective access permission (authorization), and that personal data cannot be read, copied, modified or removed without authorization.
This includes:
- Implementation of Policies and Procedures, and delivery of related training to all employees;
- Access approval controls (including sourcing approval from HR management, business owners and IT system administrators) including allocation of differentiated access rights and roles;
- Allocation of individual terminals and/or terminal users, with identification characteristics exclusive to specific functions;
- Passwords are required to access the system; password strength is enforced by the complexity requirements defined in the password security policy;
- Revocation of inactive accounts and sessions;
- Periodic checks to verify that only the necessary ports and interfaces are exposed;
- Control of files and documents, including controlled and documented destruction of data;
- Logging, tracking and monitoring of access to data.
Encryption & Data Anonymization
Encryption
Unbabel has a number of encryption controls in place to ensure that our customer data is protected, and that our environment allows the protection of the confidentiality, accuracy and integrity of customer data.
This includes:
- Data is encrypted in transit and at rest across all systems;
- TLS-negotiated secure sockets for data transfer (TLS 1.2 and 1.3);
- The AES-256 encryption algorithm is used for data encryption at rest in both database management systems and file storage;
- PII removed during anonymization is stored temporarily, encrypted with AES-256, until de-anonymization.
Data in Transit and Rest
Unbabel implements suitable measures to prevent personal data from being read, copied, altered, modified or deleted by unauthorized parties, whether in transit or at rest. This is accomplished by various measures:
- Use of adequate encryption technologies (TLS-negotiated secure sockets for data transfer) to protect the gateways and pipelines through which the data travels;
- Use of AES-256 for data encryption at rest;
- As far as possible, all data transmissions are logged, monitored and tracked.
Anonymization of Data
When Unbabel’s system detects personally identifiable information (PII), it is automatically removed from the document and stored in an encrypted vault. It is replaced by a token in the document that indicates the type of information removed. This gives Machine Translation and human translators the context they need to ensure the best possible translation quality while protecting customers’ privacy.
After receiving the final translation from our community (if required), the anonymized information is automatically reinserted into the translated document sent to your customer. No machine translation engine, nor human, sees the anonymized information during translation, and after delivery it is securely deleted. We anonymize the data we use to train our AI translation engines.
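A minimal version of the detect, tokenize, seal and reinsert flow described above, written as an added example in Go; it is not Unbabel's code. The regular-expression detectors, the `[TYPE_n]` token format, the caller-supplied 32-byte key and the use of AES-256-GCM with the token as associated data are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
	"strings"
)

// Constructed detectors: each pattern maps to the PII type shown in its token.
var detectors = []struct{ label string; re *regexp.Regexp }{
	{"EMAIL", regexp.MustCompile(`[\w.+-]+@[\w-]+(\.[\w-]+)+`)},
	{"PHONE", regexp.MustCompile(`\+?\d[\d -]{7,}\d`)},
}
// Vault maps each placeholder token to nonce||AES-256-GCM ciphertext of the removed value.
type Vault struct{ aead cipher.AEAD; entries map[string][]byte }
// NewVault takes a 32-byte key (AES-256); assumption: the caller obtains it from a KMS.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead, map[string][]byte{}}, nil
}
// Anonymize swaps each detected value for a token such as [EMAIL_1], sealing the original with the token as associated data.
func (v *Vault) Anonymize(doc string) string {
	for _, d := range detectors {
		doc = d.re.ReplaceAllStringFunc(doc, func(m string) string {
			token := fmt.Sprintf("[%s_%d]", d.label, len(v.entries)+1)
			nonce := make([]byte, v.aead.NonceSize())
			if _, err := rand.Read(nonce); err != nil {
				panic(err) // never seal under a nonce that was not randomised
			}
			v.entries[token] = v.aead.Seal(nonce, nonce, []byte(m), []byte(token))
			return token
		})
	}
	return doc
}
// Deanonymize reinserts the originals into the translated text and deletes each
// entry once used; a failed tag check means the entry was altered or swapped.
func (v *Vault) Deanonymize(translated string) (string, error) {
	for token, ct := range v.entries {
		ns := v.aead.NonceSize()
		pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(token))
		if err != nil {
			return "", fmt.Errorf("vault entry %s: %w", token, err)
		}
		translated = strings.ReplaceAll(translated, token, string(pt))
		delete(v.entries, token)
	}
	return translated, nil
}
```

Because the token is bound as associated data, an entry moved under another token fails the tag check rather than being reinserted in the wrong place.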
Data Privacy
Unbabel strictly follows the EU General Data Protection Regulation (GDPR) to guarantee its customers secure data transfers and overall data management, and is duly certified under the EU-U.S. Data Privacy Framework, following the Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
We also apply the Standard Contractual Clauses (SCCs), which are considered to provide appropriate safeguards within the meaning of Article 46 of the GDPR, and take into account the CJEU's Schrems II decision. This means that we afford and assure a level of protection essentially equivalent to that guaranteed within the European Union.
To establish a contractual relationship with our customers, Unbabel ensures that a Data Processing Agreement (DPA) is in place which is fully compliant with the GDPR and the California Consumer Privacy Act (CCPA), including the SCCs and the Schrems II decision.
Further, Unbabel has conducted a Transfer Impact Assessment (TIA), prepared in alignment with the European Data Protection Board (EDPB) guidelines. This assessment provides detailed information on how Unbabel securely and effectively transfers customer data to the US and processes it there whilst respecting data subject privacy and rights. Our overall assessment within the TIA deemed the risk of prohibited lawful access acceptable and, in view of data protection laws, the transfer permissible.
Our Data Protection Officer (DPO) is certified by the IAPP as a Certified Information Privacy Professional/Europe (CIPP/E).
Certifications & Audits
Unbabel undergoes rigorous audits on an annual basis to attest that our control environment is fit for purpose, designed and operating effectively, and further, to achieve and maintain our industry recognised certifications:
ISO 27001
Unbabel is certified against ISO 27001, the international standard for Information Security Management Systems (ISMS). Obtaining this certification confirms that Unbabel meets industry-standard requirements for establishing, implementing, maintaining and continually improving an ISMS.
ISO 9001
Unbabel has developed a Quality Management System (QMS) governing the development, operation and improvement of our processes, and is pursuing the ISO 9001:2015 certification. The standard is based on a number of quality management principles focused on high-quality consistent delivery to customers. We expect to receive the certification during 2024.
Data Privacy Audit 2023 and Certifications
Unbabel was subject to an independent assessment of selected Data Protection, IT and Cyber Security controls.
Our auditor concluded the audit with full compliance noted to all controls tested. Areas covered included:
- Overall Governance
- Data Retention
- Data Subject Management
- Disclosure to Third Parties
- Data Quality
- Monitoring and Enforcement
- IT Security
Secure Development
Unbabel employs Secure Engineering Principles as the basis for any development whether internal or outsourced.
These principles include:
- Security is an Integral Part of the Unbabel Design Process and is fully implemented across Unbabel software.
- Software developers are trained to develop secure software and are familiar with the OWASP Code Review standard as required.
- In all system design, development and operation, Unbabel seeks to reduce risk to a reasonable level.
- Unbabel strives to use a common language in developing security requirements.
- Version control and tag management are standardized across teams.
- The development and code integration pipeline always includes static application security testing (SAST) to identify security issues; these must be addressed before code integration (merge), according to their criticality and in accordance with the Patch and Vulnerability Management Policy.
- Segregation of duties is maintained across the development, testing, staging and production environments.
- Changes are tested before being released to production environments.
- Unbabel isolates public access systems from mission critical resources (in particular the key databases).
- Access management controls are in place to detect unauthorized use of the service and to support incident investigation.
Business Continuity
Unbabel has a Business Continuity Policy and Plan in place which covers all employees and locations globally. All Unbabel staff are required to acknowledge the Business Continuity Policy and Plan upon joining, and thereafter at least every two years or whenever a significant change is published.
These documents cover any threats that may impact Unbabel’s ability to deliver to their customers and to operate critical business functions. These threats include, but are not limited to:
- Natural disasters (earthquakes, tsunamis, floods, etc.);
- Fires, deliberate or accidental, affecting the physical integrity of Unbabel’s premises, infrastructure or people;
- Major cybersecurity threats such as ransomware and destructionware;
- Catastrophic outage of an essential service provider (e.g. AWS, Mongo, etc.);
- Any other accidental (e.g. human error) or deliberate attacks that critically impact Unbabel’s systems, services and consequently the above processes.
Business Impact Assessments are conducted over the critical business processes on at least an annual basis.
The Business Continuity Plan is tested on at least an annual basis, based on the following objectives:
- Ensure that the measures in the Business Continuity Plan (BCP) are fit for purpose and aligned to the business expectation in terms of recovery;
- Ensure that the approach followed is logical and recovers the Critical Processes in a timely manner;
- Ensure all parties understand their role in the recovery process and execute it appropriately;
- Identify gaps or weaknesses in the BCP;
- Confirm that continuity objectives are met;
- Improve systems and processes based on test findings;
- Update the BCP where applicable, with any weaknesses or gaps identified.
Incident Response
Unbabel has a Security Incident Response Policy and Plan (SIRP) that applies to all security incidents, technological or physical.
We define an information security incident as a “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security,” per ISO/IEC 27000:2009. The SIRP prescribes the functions and responsibilities for each relevant department and team member during an incident.
Unbabel categorises its security incidents according to their impact, which in turn determines the priority with which the incident has to be addressed.
Should a security incident occur that affects customers, Unbabel will notify the affected customers as soon as possible. The notification will include the details of the incident, impact, risk assessment and actions taken or to be taken as well as any other information deemed relevant. Any actions identified as a result of an incident will be resolved in a timely manner.
The Security Incident Response Policy and Plan is subject to review at least every two years, or when a significant event or change occurs that warrants an out-of-cycle review.
The SIRP is subject to testing at least every two years, or when there is an event that warrants an out-of-cycle test. Test results and any identified weaknesses and subsequent actions are reported to the Leadership team and the Compliance Committee as required. Actions required are taken in a timely manner.
Security & Privacy Governance
Our Commitment to Information Security
Unbabel aims to achieve specific, defined and measurable information security objectives, which are developed in accordance with the business objectives, the context and risk appetite of the organization. These objectives include, but are not limited to:
- IS.1: Preserve the accuracy, confidentiality, integrity and privacy of the information entrusted to Unbabel by its customers by implementing appropriate and robust technical and operational safeguards on its technology, processes and people.
- IS.2: Continuously monitor and understand the risks and threats which may affect Unbabel currently and in the future, thereby sustaining a proactive attitude towards Information Security.
- IS.3: Implement a security-aware culture at Unbabel that reflects its commitment to Information Security and is a driving force behind “security by design” principles in all aspects of the business, from product architecture to service delivery.
- IS.4: Become the world’s translation layer, whilst addressing the needs for transparency and trust in Information Security matters to Unbabel’s customers, partners and relevant parties.
- IS.5: Learn from, improve upon and iterate, by means of a virtuous cycle, on the Information Security posture of Unbabel and its ISMS.
- IS.6: Synergize Information Security requirements and controls with relevant contractual, legal or regulatory requirements, including for aspects related to personal data (e.g. GDPR).
Everyone at Unbabel has an information security responsibility and is trained regularly on policies and best practices.
Compliance Committee
Unbabel’s Compliance Committee (the “Committee”) is responsible for assisting the Board in overseeing:
- Unbabel’s Compliance Program, which includes but is not limited to legal, regulatory, security, privacy, industry standards and guidelines, certifications and governance-related topics, activities and issues;
- The operation of Unbabel’s ISMS and its security posture;
- Management’s identification and evaluation of Unbabel’s principal legal & regulatory compliance risks;
- Monitoring and reporting of Unbabel’s compliance with legal and regulatory requirements.
The Committee meets at least once per quarter, and reports to the Board as required.
Dedicated Security Professionals
All employees are responsible for maintaining a secure and safe environment at Unbabel at all times. Further, Unbabel has dedicated teams who are responsible for ensuring compliance with security & privacy standards. This includes:
- Our Lead Security Engineer, responsible for the implementation of our Information Security Management System (ISMS) and engaging with all related teams and control owners.
- A Site Reliability Engineering (SRE) team, responsible for the security and monitoring of Unbabel production and test environments.
- A Security Incident Response Team (SIRT) and a Crisis Incident Management Team, both ready to engage in the case of any event which could cause business disruption.
- A Tech Ops team, responsible for the security processes and protection of Unbabel’s information with regards to end-user computing and the provisioning and de-provisioning of users on corporate services.
- An Office Management team, responsible for securing Unbabel buildings and other assets.
- A Legal and Compliance team, responsible for ensuring that data privacy controls are in place and that Unbabel complies with the requirements of its certifications.
Patch & Vulnerability Management
Managing vulnerabilities across all Unbabel systems is a critical function for ensuring the company’s information security. Its purpose is to mitigate exposure to known vulnerabilities and outdated software versions, in order to reduce the risk to the confidentiality, integrity and availability of Unbabel’s IT systems and information.
Security patches are deployed within an agreed timeline, determined by the urgency assigned to the patch. Similarly, all third parties that maintain and/or store Unbabel information or connect directly to the Unbabel network must have an agreement in place stating that they have a security patching procedure.
Vulnerabilities are identified mostly through the following channels:
- Internally self-identified;
- Reported to the security@stagingunbabel.wpengine.com mailbox;
- Responsible Disclosure Program – For ethical hackers / bug bounty reporters as published on our website at https://unbabel.com/responsible-disclosure/;
- Penetration Testing – Unbabel employs a third party to conduct frequent penetration testing. The third party is onboarded in line with our Procurement Policy and Supplier Management Policy;
- Monitoring of vulnerability disclosure news feeds;
- External events / news.
Identified vulnerabilities are prioritised using the following criteria:
- Common Vulnerabilities and Exposures – External measure
- Exploitability index – External measure
- CVSS Score – External measure
- Impact on Unbabel’s processes and services – Internal measure
- Recovery priority – Internal measure
Any remediation measures to be taken as a result of the vulnerability are then addressed within the SLO assigned.