Introduction

The purpose of this document is to demonstrate the management board’s commitment to information security and privacy. It provides overarching policy statements to guide all subordinate policies and controls, ensuring alignment with business objectives, compliance obligations, and the protection of information assets.

Policy

The Board of Directors and management of Welocalize operate across multiple industries, including legal, life sciences, technology, manufacturing, and entertainment, providing comprehensive language services and AI-driven solutions. We are committed to preserving the confidentiality, integrity, availability, and privacy of information to support organizational goals and fulfill our compliance obligations. This commitment includes:

  • Meeting applicable laws, regulations, and contractual obligations related to Personally Identifiable Information (PII) protection, privacy rights, and ethical AI usage.
  • Ensuring alignment of information security and privacy requirements with business objectives.
  • Incorporating internal and external factors, as well as the needs of Interested Parties, into our Information Security & Privacy Information Management System.
  • Developing and implementing robust policies and controls to manage risks associated with AI systems, ensuring their secure and ethical use.
  • Ensuring transparency, accountability, and compliance in the processing of data through AI technologies, in line with international privacy and security standards.
  • Actively monitoring and mitigating potential biases, risks, or unintended consequences of AI to safeguard individual rights and business interests.
  • PII Processor: Acting on behalf of customers within the scope of our services, for which we are collecting and processing general contact information from our customers and suppliers.
  • PII Controller: In our role as an employer and in managing contact information from customers, suppliers, and website visitors.
  • Our system’s objectives are established in alignment with international standards, emphasizing risk management, continual improvement, and compliance with data protection regulations.
  • Our PIMS Board is responsible for the overall management and maintenance of our risk treatment plan, with specific risk management activities assigned to the appropriate owner within the organization. Additional risk assessments may, where necessary, be carried out to determine appropriate controls for specific risks, for example during special projects completed within the scope of the system.

Our Information Security & Privacy Policy applies to all activities, systems, processes, and information assets managed or controlled by Welocalize and its relevant Interested Parties. It encompasses physical and electronic information assets and extends to employees, contractors, suppliers, and stakeholders.

Objectives

We are committed to maintaining and continually improving our Information Security & Privacy Management System to support organizational goals, protect stakeholders’ interests, and ensure compliance with applicable standards and regulations. Our objectives include:

  1. Confidentiality: Protecting information from unauthorized access or disclosure by ensuring that access is restricted to authorized individuals, in alignment with business and compliance needs.
  2. Integrity: Ensuring the accuracy, consistency, and trustworthiness of information and processing methods by preventing unauthorized alterations or destruction of data.
  3. Availability: Guaranteeing that information and associated systems are accessible to authorized users when required, minimizing downtime and disruption to business operations.
  4. Privacy: Upholding the principles of data protection and ensuring compliance with global privacy laws by protecting personal data and respecting individuals’ privacy rights.
  5. Risk Management: Identifying, assessing, and mitigating risks related to information security and privacy through a robust risk-based approach that supports the organization’s overall strategy.
  6. Compliance and Legal Adherence: Continuously ensuring alignment with applicable legal, regulatory, and contractual obligations, including those related to Personally Identifiable Information (PII) and emerging AI regulations.
  7. Awareness and Training: Promoting a culture of security awareness and privacy compliance across the organization by providing regular training, resources, and communication to all relevant stakeholders.
  8. Innovation and Resilience: Embracing innovative technologies, such as AI, securely and ethically, while strengthening the organization’s ability to detect, respond to, and recover from security incidents.
  9. Continuous Improvement: Monitoring, measuring, and reviewing our Information Security & Privacy Management System objectives regularly to ensure effectiveness and drive continual improvement in response to evolving threats, technologies, and business needs.

Leadership Commitment: The VP of Global IT chairs the PIMS Board, ensuring governance, resource allocation, and alignment of our Information Security & Privacy Management System objectives with organizational goals.

Risk-Based Approach: We implement a risk-based approach to identify, assess, and mitigate risks. Our Statement of Applicability defines controls based on internationally recognized standards.

Third-Party Management: We require our suppliers and partners to comply with our information security and privacy standards, regularly reviewing compliance as part of our risk management approach.

Training & Awareness: All relevant Interested Parties must complete mandatory information security and privacy training, with additional specialized training for those in high-risk roles.

Compliance: Adherence to this policy is mandatory for all employees and contractors. Non-compliance is subject to the consequences outlined in our Code of Conduct.

Improvements and Certification

We are committed to achieving and maintaining certifications based on internationally recognized standards to ensure the effectiveness and credibility of our Information Security & Privacy Management System. This commitment includes:

  1. Continuous Improvement:
    • Establishing a structured approach to regularly evaluate and enhance the System in response to evolving threats, technologies, and organizational changes.
    • Encouraging feedback from internal and external stakeholders to identify opportunities for improvement.
  2. Internal Audits:
    • Conducting regular internal audits to assess compliance with established policies, controls, and international standards.
    • Ensuring that findings are documented, analyzed, and addressed in a timely and effective manner.
  3. Management Reviews:
    • Performing periodic management reviews to assess the adequacy of the System, including risks, objectives, and performance metrics.
    • Ensuring leadership commitment to implementing improvements that align with organizational goals and compliance requirements.
  4. Risk Management and Monitoring:
    • Proactively identifying and assessing risks to ensure controls remain effective and relevant.
    • Implementing mitigation strategies and tracking the effectiveness of controls through regular monitoring.
  5. Corrective Actions:
    • Promptly addressing non-conformities or identified weaknesses by implementing corrective actions aimed at preventing recurrence.
    • Continuously analyzing root causes and lessons learned to enhance system resilience and effectiveness.
  6. Certification and Compliance:
    • Pursuing and maintaining certifications based on internationally recognized standards to demonstrate our commitment to best practices in information security and privacy management.
    • Actively monitoring regulatory landscapes to ensure our systems remain compliant with evolving global requirements.
  7. Integration with Business Strategy:
    • Aligning continuous improvement initiatives with the organization’s strategic objectives, ensuring that the System supports business growth, innovation, and operational excellence.

Data Privacy Policy

Our Data Privacy Policy outlines the responsibilities and commitments for handling, processing, and protecting personal data in alignment with international regulations such as GDPR and other applicable privacy laws. It includes the following key principles:

  1. Privacy by Design and Default:
    • Incorporating privacy principles into the design and planning of all new or significantly modified systems or processes involving personal data.
    • Conducting Data Protection Impact Assessments (DPIAs) to evaluate risks and ensure the necessity and proportionality of data processing activities.
    • Implementing controls such as data minimization, pseudonymization, and encryption to safeguard personal data.
  2. Data Minimization and Purpose Limitation:
    • Ensuring that only data necessary for specified, explicit, and legitimate purposes is collected and processed.
    • Prohibiting the further processing of personal data in ways that are incompatible with the original purposes unless expressly permitted by law.
  3. Data Accuracy and Retention:
    • Maintaining personal data in an accurate and up-to-date form.
    • Retaining personal data only for as long as necessary to fulfill the specified purposes or comply with legal obligations.
    • Reviewing and securely disposing of outdated or unnecessary data in line with established retention schedules.
  4. Incident Reporting and Breach Notification:
    • Promptly identifying and addressing data breaches or incidents in accordance with our Incident Management Process.
    • Reporting breaches that pose risks to the rights and freedoms of individuals to the relevant supervisory authority within the required timelines.
    • Notifying affected individuals when required under applicable regulations.
  5. Training and Awareness:
    • Providing all personnel involved in handling personal data with training on data protection principles, their responsibilities, and the importance of compliance.
    • Conducting regular refreshers and updates to ensure ongoing awareness of data privacy best practices.
  6. Transparency and Data Subject Rights:
    • Ensuring individuals are informed about how their data is collected, processed, and stored through clear and accessible privacy notices.
    • Supporting individuals’ rights under applicable regulations, including the rights of access, rectification, erasure, restriction of processing, objection, and data portability.
    • Maintaining documented procedures to handle data subject requests within stipulated timeframes.
  7. Lawful Basis for Processing:
    • Clearly identifying and documenting the lawful basis for all personal data processing activities, including consent, contractual necessity, legal obligation, vital interests, public interest, or legitimate interests, as applicable.
    • Ensuring that when consent is used, it is explicit, informed, and freely given, with clear mechanisms for withdrawal.
  8. International Data Transfers:
    • Conducting thorough reviews of data transfers to ensure compliance with cross-border data transfer mechanisms, such as Standard Contractual Clauses (SCCs), the U.S. Data Privacy Framework (DPF), or equivalent safeguards, as required by international regulations.
  9. Accountability and Documentation:
    • Documenting all personal data processing activities, including purposes, categories of data, recipients, retention schedules, and technical and organizational measures in place.
    • Regularly reviewing and updating policies, processes, and records to ensure ongoing compliance with applicable regulations.

Incident Management and Response

Our Incident Management Process is designed to:

  • Detect, report, and respond to incidents promptly.
  • Minimize damage and disruption to operations.
  • Learn from incidents to improve our management systems.

Legal and Regulatory Compliance

We ensure compliance with applicable laws and regulations, including but not limited to the GDPR, California Consumer Privacy Act (CCPA), and other applicable regional and global privacy regulations.

Policy Review

This policy is reviewed annually and in response to changes in business operations, risk assessments, or external factors, or following updates to international standards or applicable regulations.

Document Ownership and Version

The VP of Global IT is responsible for this document, ensuring it is reviewed and updated at regular intervals. The current version is accessible to all relevant stakeholders via our website.

The current version was released in December 2024.