At Unbabel, we are committed to keeping our customer data safe. Privacy and Security Principles are at the core of everything we do.
We recognize our responsibility in maintaining the completeness, accuracy and privacy of communication between our customers and their customers as we translate. This responsibility is reflected in the control environment designed and implemented at Unbabel, and in our teams’ processes and activities.
Our solution is also GDPR and CCPA compliant. Unbabel is strongly committed to industry best practices in information security, privacy and quality: we are ISO 27001 certified and are pursuing ISO 9001 certification during 2023/24.
This webpage is designed to give you an overview of our controls in place. Our team is also happy to answer questions that may arise, so please feel free to get in touch.
Unbabel has a robust system in place for granting, reviewing and revoking access to its infrastructure, network and applications. Least-privilege access is applied across Unbabel for both physical and logical access: team members are granted only the access they require to perform their assigned activities.
Access Control of Processing Areas
Unbabel implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where data is processed, used or stored.
Access Control to Data Processing Systems
Unbabel implements suitable measures to prevent its data processing systems from being used by unauthorized persons. Unbabel commits that persons entitled to use its data processing systems can access data only within the scope and to the extent covered by their respective access permission (authorization), and that personal data cannot be read, copied, modified or removed without authorization.
Unbabel has a number of encryption controls in place to ensure that customer data is protected and that the confidentiality, accuracy and integrity of customer data are preserved within our environment.
Data in Transit and at Rest
Unbabel implements suitable measures to prevent personal data from being read, copied, altered, modified or deleted by unauthorized parties, whether in transit or at rest. This is accomplished by various measures:
Anonymization of Data
When Unbabel’s system detects personally identifiable information (PII), it is automatically removed from the document and stored in an encrypted vault. In the document it is replaced by a token that indicates the type of information removed. This gives machine translation and human translators the context they need to ensure the best possible translation quality while protecting customers’ privacy.
After the final translation is received from our community (if required), the original values are automatically reinserted in place of the tokens in the translated document sent to your customer. No machine translation engine, nor any human translator, sees the removed PII during translation, and after delivery it is securely deleted. We also anonymize the data we use to train our AI translation engines.
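The tokenize-translate-reinsert flow described above, as an added example that is not Unbabel's own code. It assumes three regex detectors (a real system would use a proper PII classifier) and a typed placeholder format `[[KIND_xxxxxxxx]]` of my own choosing; the vault is an in-memory stand-in for the encrypted vault, and `fake_translate` stands in for the MT engine. The sample text is constructed. Beyond the passage, it also covers the failure mode a practitioner hits first: a placeholder that the engine or translator mangles, which must block reinsertion rather than silently deliver a document with a hole in it.

```python
import re
import secrets

# Constructed detectors for the example; a production system would use a proper
# PII classifier. Order matters: card numbers are matched before phone numbers
# so the broader phone pattern does not swallow them.
PII_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("CARD", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),
    ("PHONE", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
]
# Typed placeholder, e.g. [[EMAIL_3f9a1c07]]: the type tells MT and translators
# what was removed; the 8 hex chars are random, so the token reveals nothing.
TOKEN_RE = re.compile(r"\[\[(?:EMAIL|CARD|PHONE)_[0-9a-f]{8}\]\]")


class Vault:
    """Per-document token -> value store.

    Assumption: this in-memory dict stands in for the encrypted vault; a real
    deployment would encrypt entries at rest (e.g. AES-GCM under a KMS key).
    Only this object ever holds the original PII.
    """

    def __init__(self) -> None:
        self._docs: dict[str, dict[str, str]] = {}

    def new_document(self) -> str:
        doc_id = secrets.token_hex(8)
        self._docs[doc_id] = {}
        return doc_id

    def put(self, doc_id: str, token: str, value: str) -> None:
        self._docs[doc_id][token] = value

    def get(self, doc_id: str, token: str) -> str:
        return self._docs[doc_id][token]

    def has_document(self, doc_id: str) -> bool:
        return doc_id in self._docs

    def purge(self, doc_id: str) -> None:
        # Called after delivery: the mapping is no longer needed, so drop it.
        self._docs.pop(doc_id, None)


def anonymize(text: str, vault: Vault, doc_id: str) -> str:
    """Replace each PII match with a typed random token, storing the value in the vault."""
    tokens_by_value: dict[str, str] = {}

    for kind, pattern in PII_PATTERNS:
        def replace(match: re.Match) -> str:
            value = match.group(0)
            # Same value twice -> same token, so translators can tell it is one entity.
            if value not in tokens_by_value:
                token = f"[[{kind}_{secrets.token_hex(4)}]]"
                tokens_by_value[value] = token
                vault.put(doc_id, token, value)
            return tokens_by_value[value]

        text = pattern.sub(replace, text)
    return text


def missing_tokens(anonymized: str, translated: str) -> list[str]:
    """Tokens present before translation but absent afterwards (MT or a human mangled them)."""
    expected = set(TOKEN_RE.findall(anonymized))
    present = set(TOKEN_RE.findall(translated))
    return sorted(expected - present)


def deanonymize(anonymized: str, translated: str, vault: Vault, doc_id: str) -> str:
    """Reinsert the original values, refusing to deliver if any placeholder was lost."""
    lost = missing_tokens(anonymized, translated)
    if lost:
        raise ValueError(f"placeholders lost in translation: {lost}")
    final = TOKEN_RE.sub(lambda m: vault.get(doc_id, m.group(0)), translated)
    vault.purge(doc_id)  # delete the mapping once the document is delivered
    return final


# Constructed sample input (not real customer data).
SAMPLE = (
    "Hello, please send the invoice to ana.silva@example.com or call "
    "+351 912 345 678. My card 4111 1111 1111 1111 was charged twice; "
    "reply to ana.silva@example.com."
)


def fake_translate(text: str) -> str:
    """Stand-in for the MT engine: translates a few words and leaves placeholders intact."""
    return text.replace("Hello, please send", "Olá, por favor envie").replace("or call", "ou ligue")


def run_pipeline(text: str = SAMPLE) -> tuple[str, str]:
    """Full round trip; returns (what MT/translators saw, what the customer receives)."""
    vault = Vault()
    doc_id = vault.new_document()
    anonymized = anonymize(text, vault, doc_id)
    translated = fake_translate(anonymized)
    final = deanonymize(anonymized, translated, vault, doc_id)
    return anonymized, final


if __name__ == "__main__":
    seen_by_translators, delivered = run_pipeline()
    print("sent to MT/translators:", seen_by_translators)
    print("delivered to customer: ", delivered)
```

Two design points worth keeping when adapting this: tokens are random rather than derived from the value (a hash of an e-mail address is trivially reversed by dictionary), and reinsertion is refused, not best-effort, when a placeholder is missing, because a translated document with a dropped token is a delivery defect the customer will not notice until their own customer does.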
Unbabel strictly follows the EU General Data Protection Regulation (GDPR) to guarantee its customers secure data transfers and overall data management. Unbabel is duly certified under the new EU-U.S. Data Privacy Framework, following the Commission Implementing Decision of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework.
We also apply the Standard Contractual Clauses (SCCs), which are considered to provide appropriate safeguards within the meaning of Article 46 GDPR, and take account of the CJEU’s Schrems II judgment. This means that we afford and assure a level of protection essentially equivalent to that guaranteed within the European Union.
To establish a contractual relationship with our customers, Unbabel ensures that a Data Processing Agreement (DPA) is in place which is fully compliant with the GDPR and the California Consumer Privacy Act (CCPA), and which incorporates the SCCs and the requirements of the Schrems II judgment.
Further, Unbabel has conducted a Transfer Impact Assessment (TIA), prepared in alignment with the European Data Protection Board (EDPB) guidelines. This assessment describes in detail how Unbabel securely and effectively transfers customer data to the US while respecting data subjects’ privacy and rights. The overall result of the TIA was that the risk of access by public authorities was deemed acceptable and that, in view of data protection laws, the transfer is permissible.
Our Data Protection Officer (DPO) holds the IAPP Certified Information Privacy Professional/Europe (CIPP/E) certification.
Unbabel undergoes rigorous audits on an annual basis to attest that our control environment is fit for purpose, designed and operating effectively, and further, to achieve and maintain our industry recognised certifications:
Unbabel is certified against ISO/IEC 27001, the international standard for Information Security Management Systems (ISMS). Obtaining this certification confirms that Unbabel meets the standard’s requirements for establishing, implementing, maintaining and continually improving an ISMS.
Unbabel has developed a Quality Management System (QMS) governing the development, operation and improvement of our processes, and is pursuing the ISO 9001:2015 certification. The standard is based on a number of quality management principles focused on high-quality consistent delivery to customers. We expect to receive the certification by the end of 2023.
Data Privacy Audit 2023 and Certifications
Unbabel was subject to an independent assessment of select Data Protection, IT and CyberSecurity controls.
Our auditor concluded the audit with full compliance noted to all controls tested. Areas covered included:
Unbabel employs Secure Engineering Principles as the basis for any development whether internal or outsourced.
These principles include:
Unbabel has a Business Continuity Policy and Plan in place which covers all employees and locations globally. All Unbabel staff are required to acknowledge the Business Continuity Policy and Plan upon joining, and then at least every two years or whenever a significant change is published.
These documents cover any threats that may impact Unbabel’s ability to deliver to their customers and to operate critical business functions. These threats include, but are not limited to:
Business Impact Assessments are conducted over the critical business processes on at least an annual basis.
The Business Continuity Plan is tested on at least an annual basis, based on the following objectives:
Unbabel has a Security Incident Response Policy and Plan (SIRP) that applies to all security incidents, technological or physical.
We define an information security incident as a “single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security,” as defined in ISO/IEC 27000:2009. The SIRP prescribes the functions and responsibilities of each relevant department and team member during an incident.
Unbabel categorises its security incidents according to their impact, which in turn determines the priority with which the incident has to be addressed.
Should a security incident occur that affects customers, Unbabel will notify the affected customers as soon as possible. The notification will include the details of the incident, impact, risk assessment and actions taken or to be taken as well as any other information deemed relevant. Any actions identified as a result of an incident will be resolved in a timely manner.
The Security Incident Response Policy and Plan is subject to review at least every two years, or when a significant event or change occurs that warrants an out-of-cycle review.
The SIRP is subject to testing at least every two years, or when there is an event that warrants an out-of-cycle test. Test results and any identified weaknesses and subsequent actions are reported to the Leadership team and the Compliance Committee as required. Actions required are taken in a timely manner.
Our Commitment to Information Security
Unbabel aims to achieve specific, defined and measurable information security objectives, which are developed in accordance with the business objectives, the context and risk appetite of the organization. These objectives include, but are not limited to:
Everyone at Unbabel has an information security responsibility and is trained regularly on policies and best practices.
Unbabel’s Compliance Committee (the “Committee”) is responsible for assisting the Board in overseeing:
The Committee meets at least once per quarter, and reports to the Board as required.
Dedicated Security Professionals
All employees are responsible for maintaining a secure and safe environment at Unbabel at all times. Further, Unbabel has dedicated teams who are responsible for ensuring compliance with security & privacy standards. This includes:
Managing vulnerabilities across all Unbabel systems is a critical function of the company’s information security. Its purpose is to limit exposure to known vulnerabilities and outdated software versions, and so reduce the risk to the confidentiality, integrity and availability of Unbabel’s IT systems and information.
Security patches are deployed within an agreed timeline, determined by the urgency assigned to the patch. Similarly, all third parties that maintain and/or store Unbabel information, or connect directly to the Unbabel network, must have an agreement in place stating that they operate a security patching procedure.
Vulnerabilities are identified mainly through the following channels:
Identified vulnerabilities are prioritised using the following criteria: