Data Security Policy of BURG Translations

BURG Translations Data Security Policy

At BURG Translations, we prioritize the security and confidentiality of our clients’ information. Our robust Information Security Management System (ISMS) is designed to protect your data and ensure the highest standards of information security. This commitment is formalized through our ISO/IEC 27001:2022 certification, demonstrating our adherence to internationally recognized security practices.

We handle various types of sensitive information including Protected Health Information (PHI) under HIPAA, educational records under FERPA, and other Personally Identifiable Information (PII) requiring specialized security controls and compliance measures.

Our Security Framework

Information Security Management System (ISMS)

Our comprehensive ISMS provides the foundation for our security practices, ensuring:

  • Confidentiality: Information is accessible only to authorized individuals
  • Integrity: Information is altered only by authorized individuals in permitted ways
  • Availability: Information is accessible to authorized individuals when needed

ISO/IEC 27001:2022 Certification

Our commitment to security excellence is validated through our ISO/IEC 27001:2022 certification, which covers our core operational processes. This certification:

  • Demonstrates our adherence to international security standards
  • Validates our systematic approach to managing sensitive information
  • Provides assurance of our ongoing commitment to security best practices

To view our ISO 27001:2022 certificate, please contact: security@burgtranslations.com

Data Security Practices

Data Transfer

We implement stringent measures to secure data during transfer:

  • Protected Health Information (PHI): Transmitted exclusively through secure, encrypted channels using SSL, in compliance with HIPAA requirements
  • Educational Records: Transferred using FERPA-compliant secure channels with appropriate institutional authorizations
  • General PII and Sensitive Documents: Encrypted transmission for all legal, government, immigration, and business documents
  • Encrypted email communications for sensitive information via Microsoft’s access rights management
  • HIPAA-compliant Webform for secure collection of client-submitted PHI
  • Secure file transfers via OneDrive, SharePoint, or client-provided SFTP servers
  • Omission of sensitive information from email subject lines and body content

Data Storage

Our secure storage solutions ensure data remains protected:

  • Multi-layered Security: AES-256 encryption for all stored sensitive information including PHI, educational records, and general PII
  • Access Controls: Strict role-based access controls limiting information access to authorized personnel based on data type and client requirements
  • FERPA Compliance: Educational records stored with additional protections meeting FERPA requirements and institutional security standards
  • HIPAA Compliance: PHI stored in dedicated secure environments meeting all HIPAA technical safeguards
  • Multi-factor authentication and strong password requirements for all system access
  • Regular data backups and Data Loss Prevention (DLP) policies
  • Segregated storage environments for different data classification levels

Data Destruction

We maintain secure destruction processes for data that is no longer required:

  • HIPAA Compliance: Permanent destruction of PHI using secure methods to prevent unauthorized access, following HIPAA-compliant retention policies
  • FERPA Compliance: Educational records destroyed according to FERPA requirements and institutional record retention policies
  • General PII: Secure destruction of all personally identifiable information following industry best practices
  • Physical document shredding and secure digital file erasure in compliance with NIST and DOD standards
  • Detailed record maintenance documenting date and method of disposal for all data types
  • Certificate of destruction provided when required by client contracts or regulatory requirements

Data Security Governance

Risk Management

Our approach to security risk management includes:

  • Regular risk assessments to identify potential vulnerabilities
  • Implementation of appropriate controls to mitigate identified risks
  • Ongoing monitoring and improvement of security measures
  • Compliance with legal, regulatory, and contractual requirements

Incident Management

We have established procedures for managing security incidents:

  • Clear reporting channels for security incidents or weaknesses
  • Prompt investigation and resolution of reported incidents
  • Documentation and review of incidents to prevent recurrence
  • Regular testing of incident response procedures

Policy Compliance

We ensure adherence to our security policies through:

  • Regular security awareness training for all team members
  • Periodic audits and assessments of policy compliance
  • Clear consequences for policy violations, up to and including termination
  • Support for implementation and continual improvement of security measures

Data Security Objectives

We have established measurable objectives to continuously improve our security posture:

  • Reducing security incidents through proactive risk management
  • Enhancing team members’ security awareness through regular training
  • Ensuring reliability of services with an annual 99% uptime target
  • Leveraging our ISO/IEC 27001:2022 certification for growth and enhanced security posture

Frequently Asked Questions

Information Security Program

Yes. Our information security program is managed by our Technology Department and overseen by the Executive Team to ensure alignment with our business goals.

Yes. Our Technology Manager and Security Officer are responsible for the day-to-day management of our Information Security Management System (ISMS) and ensuring compliance with security requirements.

Yes. Our Information Security Policy is approved by our CEO and communicated to all team members. It establishes the requirements that allow us to maintain and continuously improve our information security management system.

Data Security Risk Management

Our security risk management program follows the methodology outlined in our Risk Assessment and Risk Treatment Policy. This includes asset identification, impact analysis, risk assessment, implementation of controls, and monitoring of control effectiveness. Risks are assessed periodically and when significant changes occur.

Yes. Our risk assessment program is owned by the Executive Team and is communicated to relevant team members.

Policy Management

Yes. Our policies are reviewed at least annually to ensure continued alignment with organizational changes and compliance with ISO/IEC 27001:2022 standards and HIPAA regulations.

BURG maintains a comprehensive set of information security policies, including but not limited to:

  • Information Security Policy
  • Information Transfer Policy
  • Information Classification Policy
  • IT Security Policy
  • Password Policy
  • Network Vulnerability Detection Policy
  • Threat Intelligence Policy
  • Risk Assessment and Risk Treatment Policy
  • Incident Management Policy

Access Control

Access to systems and data is granted strictly based on role, department, and specific business need. Team members are assigned to predefined access groups that align with their responsibilities, and permissions are restricted to the minimum necessary to perform their duties.

Access to sensitive data such as Protected Health Information (PHI) and Personally Identifiable Information (PII) is limited to personnel who have a direct and legitimate business need—such as project managers overseeing healthcare-related work.

All access permissions are subject to regular reviews to ensure continued relevance and to prevent unauthorized or excessive access. These controls are enforced as part of BURG’s Access Control Policy and support compliance with ISO/IEC 27001:2022 and HIPAA requirements.

Systems and Application Security

BURG uses a proactive approach to vulnerability management, including regular vulnerability scans, threat intelligence monitoring, and security assessments. Identified vulnerabilities are evaluated for risk based on potential impact and likelihood, and are prioritized accordingly. Remediation actions are tracked through a formal risk treatment process in accordance with ISO/IEC 27001:2022 and HIPAA requirements.

Yes. BURG maintains a documented patch management process to ensure timely application of security updates and software patches. Critical and high-risk vulnerabilities are patched within defined timeframes, based on severity and business impact. The patching process includes testing in a controlled environment before deployment to minimize operational disruption.

Yes. BURG has implemented a formal change management process that governs how changes to systems, applications, and infrastructure are proposed, reviewed, approved, and implemented. All changes are assessed for security, compliance, and operational impact. Documentation and rollback procedures are maintained to ensure traceability and minimize risk.

Incident Management

Yes. Our Incident Management Procedure is published and accessible to all team members and covers reporting, assessment, containment, mitigation, recovery, and follow-up.

Security incidents are reported to the Technology department via phone, email, IT ticket, or instant message. The Technology department addresses incidents according to our Incident Management Procedure.

Data Privacy and Protection

Yes. We take data privacy very seriously across all sectors we serve. Our practices comply with HIPAA regulations for healthcare information, FERPA requirements for educational records, and applicable privacy laws for all personally identifiable information (PII).

We retain client data only as long as necessary to fulfill the purpose for which it was collected or to comply with legal, regulatory, or internal policy requirements. Specific retention periods include:

  • PHI and general client data: 6 years (following HIPAA guidance)
  • Educational records: 3-5 years (following FERPA requirements and institutional contracts)
  • Financial information: 10 years (following financial record requirements)

Training and Awareness

Yes. Information security awareness training is part of our onboarding process. Additionally, regular security awareness initiatives are conducted to maintain a strong security culture.

Supplier Management

Suppliers are required to implement and maintain baseline security controls appropriate to the sensitivity of the information they access or process. Before receiving any confidential or regulated information, suppliers must enter into contractual agreements that include specific security clauses. These clauses are aligned with BURG’s Supplier Security Policy and are designed to meet compliance requirements under HIPAA and ISO/IEC 27001:2022. Regular assessments and oversight ensure continued adherence to these requirements.

All potential suppliers undergo a vetting process that includes background and education checks for individuals involved in service delivery, particularly linguists and translators. BURG also evaluates the supplier’s qualifications and experience in the relevant domain.

As part of the assessment, prospective translation vendors are required to complete a sample translation. This is reviewed by a qualified reviewer for linguistic accuracy, subject-matter expertise, and adherence to project specifications.

In addition, BURG assesses the supplier’s ability to comply with security requirements, including data protection measures aligned with HIPAA and ISO/IEC 27001:2022 standards. Only those who meet both quality and security criteria are approved and added to BURG’s trusted supplier network.

Compliance and Certification

Yes. Clients may request to view our ISO/IEC 27001:2022 certification by contacting our Security Officer: security@burgtranslations.com.

Violations of security policies are taken seriously and are addressed in accordance with BURG Translations’ Sanction Policy. All incidents of non-compliance are reviewed based on their nature and severity. Disciplinary actions may range from retraining and written warnings to suspension or termination, depending on the circumstances.

Contact Information

For questions or concerns regarding our data security policy practices, please contact BURG Security Officer: security@burgtranslations.com

This security policy is reviewed annually to ensure continued alignment with organizational changes and compliance with relevant standards and regulations.