OUR COMMITMENT TO SECURITY
Translation Excellence, Inc. takes the security of client data, confidential communications, and the personal information of the individuals we serve seriously. As a professional language services company operating across healthcare, legal, government, and business sectors, we recognize that trust and confidentiality are foundational to everything we do.
Translation Excellence, Inc. is certified to the ISO/IEC 27001 standard for Information Security Management Systems (ISMS) and structures our security program in accordance with ISO 27001 requirements. This certification reflects our commitment to a systematic, risk-based approach to protecting the information assets of our clients, partners, and the individuals we serve.
This Security Statement describes the administrative, physical, and technical safeguards Translation Excellence, Inc. maintains to protect information in our care. It applies to all data handled through our website, service operations, and internal systems.
ORGANIZATIONAL SECURITY
1.1
Information Security Management System (ISMS)
Translation Excellence, Inc. operates a formal Information Security Management System (ISMS) certified to ISO/IEC 27001. Our ISMS provides a structured, risk-based framework for identifying, assessing, and treating information security risks across our organization. The ISMS is subject to ongoing internal review and periodic external audit to maintain certification and drive continuous improvement.
1.2
Information Security Program
Translation Excellence, Inc. maintains a formal information security program that is reviewed and updated on a regular basis. Our program is designed to identify, assess, and manage risks to the confidentiality, integrity, and availability of information we handle.
1.3
Designated Privacy and Security Officer
Translation Excellence, Inc. has designated a Privacy and Security Officer responsible for overseeing our security program, managing compliance with applicable regulations (including HIPAA and ISO 27001), responding to security incidents, and coordinating with clients on data protection matters.
1.4
Security Policies and Procedures
We maintain written security policies and procedures covering acceptable use, data handling, access control, incident response, and vendor management. These policies are reviewed at least annually and updated as needed to reflect changes in our operations, technology, or the regulatory environment, consistent with the ISO 27001 documentation requirements.
1.5
Risk Assessments
Translation Excellence, Inc. conducts periodic risk assessments to identify potential vulnerabilities in our information systems and operational practices, in accordance with our ISO 27001 ISMS framework. Findings from risk assessments are used to prioritize security improvements and safeguard investments.
PHYSICAL SECURITY
3.1
Facility Access
Access to Translation Excellence, Inc.’s offices and any areas where sensitive information is processed is restricted to authorized personnel. Visitor access is logged and supervised.
3.2
Secure Disposal
Physical documents and materials containing client information or PHI are disposed of using secure shredding methods. Electronic media containing sensitive data is sanitized or destroyed prior to disposal or repurposing.
3.3
Remote Work Standards
Employees and contractors performing remote interpreting, translation, or administrative work involving sensitive information are required to work from secure, private environments. This includes ensuring that confidential conversations cannot be overheard and that screens displaying sensitive information are not visible to unauthorized individuals.
TECHNICAL SECURITY CONTROLS
4.1
Encryption
Data transmitted between clients and our website is protected using Transport Layer Security (TLS) encryption. Any electronic Protected Health Information (ePHI) or other sensitive data transmitted by Translation Excellence, Inc. is encrypted in transit using industry-standard protocols.
4.2
Access Controls
Access to systems and data containing sensitive or confidential information is governed by role-based access controls. Access is granted on a least-privilege basis — personnel are given only the level of access necessary to perform their assigned responsibilities.
4.3
Authentication
Translation Excellence, Inc. requires the use of strong passwords and, where applicable, multi-factor authentication (MFA) for access to internal systems and platforms containing sensitive data.
4.4
System Monitoring and Logging
We maintain audit logs for access to systems containing sensitive client or PHI data. These logs are reviewed periodically to detect anomalous or unauthorized activity.
4.5
Software and Patch Management
Translation Excellence, Inc. maintains a patch management practice to ensure that operating systems, applications, and security tools used in our operations are kept up to date with current security patches and updates.
4.6
Endpoint Security
Company-issued and authorized devices are protected with up-to-date endpoint security software, including antivirus and malware protection. Automatic screen lock and full-disk encryption are enforced where applicable.
THIRD-PARTY AND VENDOR SECURITY
5.1
Vendor Assessment
Before engaging third-party vendors, platforms, or subcontractors who may access, process, or store client information, Translation Excellence, Inc. conducts a review of the vendor’s security practices and capabilities.
5.2
Contractual Obligations
Third-party vendors with access to sensitive client data are required to agree to appropriate contractual obligations, including data protection requirements, confidentiality obligations, and — where applicable — Business Associate Agreements (BAAs) under HIPAA.
5.3
Subcontractor Interpreters
Independent interpreters and translators engaged by Translation Excellence, Inc. on a subcontract basis to fulfill client assignments are subject to the same confidentiality and HIPAA compliance requirements as direct employees. All subcontractors assigned to healthcare accounts must execute a BAA with Translation Excellence, Inc. prior to their first assignment.
INCIDENT RESPONSE
6.1
Incident Detection and Reporting
Translation Excellence, Inc. maintains procedures for identifying, reporting, and responding to potential security incidents. Employees and contractors are required to immediately report any suspected or confirmed breach of data security, loss of a device containing sensitive information, or unauthorized access to client information.
6.2
Incident Response Procedures
Upon identifying a potential security incident, Translation Excellence, Inc. will:
(a) Promptly investigate the nature, scope, and impact of the incident.
(b) Contain the incident and take steps to prevent further exposure.
(c) Notify affected clients and, where applicable, individuals whose PHI may have been compromised.
(d) Comply with all applicable breach notification obligations under HIPAA, Colorado law, and any other applicable regulations.
(e) Document the incident and response actions, and take corrective measures to prevent recurrence.
6.3
HIPAA Breach Notification
For incidents involving unsecured Protected Health Information, Translation Excellence, Inc. will provide notification to the applicable Covered Entity without unreasonable delay and no later than 60 calendar days following discovery, in accordance with 45 CFR § 164.410. Detailed breach notification procedures are set forth in our HIPAA Privacy & Confidentiality Policy.
COMPLIANCE AND REGULATORY FRAMEWORK
ISO/IEC 27001
Translation Excellence, Inc. is certified to the ISO/IEC 27001 standard for Information Security Management Systems. Our ISMS is structured around the ISO 27001 framework, providing a systematic, audit-ready approach to managing information security risks across our organization. We adhere to ISO 27001 controls and requirements as part of our ongoing commitment to information security excellence.
HIPAA / HITECH Act
As a Business Associate to healthcare Covered Entities, Translation Excellence, Inc. complies with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule, and the expanded obligations imposed on Business Associates under the HITECH Act.
Colorado Privacy Act (CPA)
Translation Excellence, Inc. complies with applicable provisions of the Colorado Privacy Act governing the handling of personal data of Colorado residents.
Federal Contract Requirements
Where services are provided under federal government contracts, Translation Excellence, Inc. adheres to applicable security and data handling requirements, including those set forth in the contract, applicable Federal Acquisition Regulations (FAR), and any agency-specific security requirements.
NIST Cybersecurity Framework
Translation Excellence, Inc. uses the NIST Cybersecurity Framework as a complementary reference model alongside our ISO 27001 ISMS for organizing and continuously improving our information security program.
DATA RETENTION AND DISPOSAL
Translation Excellence, Inc. retains client data, assignment records, and related information only as long as necessary to fulfill the purposes for which it was collected, to comply with applicable legal and contractual obligations, and to resolve disputes or enforce agreements.
Data retention periods are as follows:
- Healthcare assignment records and related PHI documentation: Minimum of 6 years in accordance with HIPAA requirements, or longer as required by applicable contract or regulation.
- Non-healthcare client and business records: Retained in accordance with applicable law and internal records retention policy, generally not less than 3 years.
- Security and audit logs: Retained for a minimum of 1 year, or longer as required by applicable contract or regulation.
When data is no longer needed, Translation Excellence, Inc. disposes of it securely using methods appropriate to the sensitivity of the information, including secure deletion of electronic data and physical shredding of paper records.
UPDATES TO THIS STATEMENT
Translation Excellence, Inc. reviews and updates this Security Statement at least annually and as needed to reflect material changes in our practices, technology, or applicable legal requirements. The “Last Reviewed” date at the top of this document reflects the most recent review.
