GDPR Customer Statement
Introduction
The European Union (E.U.) has introduced the General Data Protection Regulation 2016/679 (“GDPR”), which is a new privacy regulation containing security and privacy requirements to fully protect data belonging to E.U. based individuals.
GDPR was adopted by the European Parliament in April 2016 and goes into effect on May 25, 2018.
GDPR is applicable for companies based in and out of the E.U. where data collection and personal data handling from EU-based individuals is in play. Any information which can be used on its own or with other information to locate, contact or identify a single person such as names, identification numbers, online identifiers, location data, or any other factors specific to the individual’s genetic, physical, mental, physiological, cultural, economic, or social identity is considered to be Personally Identifiable Information (PII).
In order to be in compliance with GDPR, any company handling or collecting PII pertaining to EU-based individuals needs to ensure its data management protocol adheres to all requirements detailed within GDPR.
GDPR requirements
Included in the requirements for GDPR are cross-border data flow mechanisms, technical/operational security measures, notice & consent, accountability and data minimization.
Specifically:
- Security audits: Records of security practices must be maintained by companies and regular audits to assess the effectiveness of the established security program must occur. If any breaches are identified, corrective measures must be taken immediately.
- Data security: It is mandatory that companies put in place strict controls, including physical, technical and administrative. In accordance with GDPR requirements, incident management, data integrity, confidentiality, encryption, availability and resilience are required as part of the security program for any company handling EU-based data. Implemented controls must serve to prevent information leaks, data loss and unauthorized data access.
- Data breach notification: Companies must immediately notify regulators, clients, and any and all impacted individuals once they become aware of a data breach which could potentially impact data controlled or processed by the Company.
BIG Language Solutions commitment
For over a year, BIG Language Solutions has been re-addressing security at all levels to account for broad changes. The Company has carefully assessed all relevant GDPR details and has ensured they have been appropriately matched with the Company’s privacy roadmap and security policies and controls. The Company has decided to offer the same level of compliance for any user, regardless of their nationality or place of residence, in anticipation of GDPR spreading globally.
BIG Language Solutions’ technology and service offerings have pre-established privacy and security features already in place, putting our customers in control. BIG Language Solutions’ commitment is to help customers, regardless of location or nationality, maintain stringent controls and accountability for all online and offline offerings through which a customer’s data may be attainable.
BIG Language Solutions’ cloud-based offering relies on industry-leading partners and data providers, each with S.O.C. 2 reports that are re-issued on an annual basis. Data protection is managed throughout the entire data lifecycle, and our commitment is to continuously improve on data handling throughout our existence as a service provider.
As needed, please contact your BIG Language Solutions representative for further clarification.
Disclaimer: This document is not to be used as legal advice about any law or regulation. To understand the GDPR, customers must seek their own legal counsel.
Privacy Policy
Introduction
BIGlanguage.com (“Company” or “We”) respects your privacy and is committed to protecting it through our compliance with this policy.
This policy describes the types of information we may collect from you or that you may provide when you visit our corporate website, biglanguage.com (our “Website”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.
This policy applies to information we collect:
- On our corporate website
- In email, text, and other electronic messages between you and the biglanguage.com domain
- Through mobile and desktop applications you download from this website, which provide dedicated non-browser-based interaction between you and this website
- When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this policy
- Information you provide to us when requesting services.
It does not apply to information collected by:
- us offline or through any other means, including on any other website operated by Company or any third party; or
- any third party, including through any application or content (including advertising) that may link to or be accessible from or on the website.
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our website. By accessing or using this website, you agree to this privacy policy. This policy may change from time to time. Your continued use of this website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.
Children under the age of 13
Our website is not intended for children under 13 years of age. No one under age 13 may provide any information to or on the website. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on this website or on or through any of its features. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at: [email protected]
Information we collect about you and how we collect it
We collect several types of information from and about users of our website, including information:
- by which you may be personally identified, such as name, postal address, email address, telephone number, or any other identifier by which you may be contacted online or offline (“personal information”);
- that is about you but individually does not identify you, such as the languages you speak or can read; and/or
- about your internet connection, the equipment you use to access our website, and usage details.
We collect this information:
- Directly from you when you provide it to us.
- Automatically as you navigate the site. Information collected automatically may include usage details, I.P. addresses, and information collected through cookies, web beacons, and other tracking technologies.
- From third parties, for example, our business partners.
Information You Provide to Us. The information we collect on or through our website may include:
- Information that you provide by filling in forms on our website, such as our Contact Form on the corporate website. This includes information provided when registering to use our website or requesting further services such as a quote request or project approval. We may also ask you for information when you report a problem with our website
- Records and copies of your correspondence (including email addresses) if you contact us
- Your responses to surveys that we might ask you to complete for research purposes
- Details of transactions you carry out through our website and details of the fulfillment of your orders, including payment information, as you may be required to provide financial information before placing an order through our website
- Your search queries on the website
You also may provide information to be published or displayed (hereinafter, “posted”) on public areas of the website or transmitted to other users of the Website or third parties (collectively, “User Contributions”). Your User Contributions are posted on and transmitted to others at your own risk.
Information We Collect Through Automatic Data Collection Technologies. As you navigate through and interact with our website, we may use automatic data collection technologies to collect certain information, not tied to your user profile on our portal, about your equipment, browsing actions, and patterns, including:
- Details of your visits to our website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the website
- Information about your computer and internet connection, including your I.P. address, operating system, and browser type
We also may use these technologies to collect information about your online activities on our corporate website (biglanguage.com) over time and across third-party websites or other online services (behavioral tracking). You may opt-out of behavioral tracking on this website by responding to the full site takeover when you first land.
The information we collect automatically may include personal information that we may maintain or associate with the personal information we collect in other ways or receive from third parties. It helps us to improve our website and to deliver better and more personalized service, including by enabling us to:
- Estimate our audience size and usage patterns.
- Store information about your preferences, allowing us to customize our website according to your individual interests.
- Speed up your searches.
- Recognize you when you return to our website.
The technologies we use for this automatic data collection may include:
- Cookies (or browser cookies): A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when necessary for the functioning of the website or to improve your browsing experience.
- Web Beacons: Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
Third-party use of cookies and other tracking technologies
Some content or applications, including advertisements, on the website are served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your personal information, or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.
We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.
HOW WE USE YOUR INFORMATION
We use information that we collect about you or that you provide to us, including any personal information:
- To present our website and its contents to you
- To provide you with information, products, or services that you request from us.
- To fulfill any other purpose for which you provide it
- To provide you with notices about your account, including expiration and renewal notices
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection
- To notify you about changes to our website or any products or services we offer or provide through it
- To allow you to participate in interactive features on our website
- To deliver our language-based services to you
- In any other way we may describe when you provide the information
- For any other purpose with your consent
- To comply with any relevant laws, regulations, ordinances, rules, directives, or statutes
If you chose to opt in to receive marketing materials from us, possibly when you filled out our “contact us” form on our corporate website (biglanguage.com), be aware that we may use your information to contact you about our own and third-parties’ goods and services that may be of interest to you. If you do not want us to use your information in this way, please check the relevant box to opt-out located on the “Contact Us” form on our website or at the bottom of any marketing emails you may receive from us. You can also opt-out by sending an email to [email protected].
Legal bases for processing (For EEA users): If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have a legal basis for doing so under applicable E.U. laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your information only where:
- We need it to provide you with the Services you requested, including to operate the Services, provide customer support and personalized features, and to protect the safety and security of the Services, which includes all processing necessary for the performance of our contract(s) with you;
- It satisfies a legitimate interest that is not outweighed by your data protection rights and interests, such as for research and development, to market and promote the Services and to protect our legal rights and interests;
- You give us consent to do so for a specific purpose; or
- We need to process your data to comply with a legal obligation.
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g. your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may mean no longer using the Services.
Location of your data: All of our information, including the information about you described in this Privacy Policy, is stored in the United States of America.
Disclosure of your information
We may disclose aggregated information about our users and information that does not identify any individual without restriction.
We may disclose personal information that we collect, or you provide as described in this privacy policy:
- To our subsidiaries and affiliates
- To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Big Language Solutions’ assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Big Language Solutions about our Website users is among the assets transferred
- To fulfill the purpose for which you provide it. For example, if you give us an email address to use the “email a friend” feature of our website, or copy a coworker on a request being made through our portal, we will transmit the contents of that email/request and possibly your email address to the recipients
- For any other purpose disclosed by us when you provide the information
- With your consent
We may also disclose your personal information:
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce or apply our Terms & Conditions or Privacy Policy and other agreements, including for billing and collection purposes.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Big Language Solutions, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
Choices about how we use and disclose your information
We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:
- Marketing Emails: You can review and change your personal information in our marketing systems by using the unsubscribe function on our marketing emails.
- Tracking Technologies and Advertising: You can set your browser to refuse all or some browser cookies or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of our website may then be inaccessible or not function properly.
- Promotional Offers from the Company. If you do not wish to have your contact information used by the Company to promote our own, you can opt-out by checking the relevant box located on the form on which we collect your data (the order/registration form) or at any other time by sending us an email stating your request to [email protected]. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions or use the opt-out feature on the email.
Accessing and correcting your information
We do our best to respect your privacy rights and provide you access and control over your data. You may make any of the following requests regarding your data by contacting us at [email protected]:
- Access and review your data.
- Correct your data or request that we delete some or all of it.
- Obtain copies of your data in human and/or machine-readable format suitable for importing to other software.
- Restrict us from using or processing your data.
Be advised that we use a differential backup system; this means that we cannot delete your specific information from our inactive backups. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change or delete information if we believe the change or deletion would violate any law or legal requirement or cause the information to be incorrect.
If you delete your User Contributions from the website, copies of your User Contributions may remain viewable in cached and archived pages or might have been copied or stored by other Website users. Proper access and use of information provided on the website, including User Contributions, is governed by our Terms & Conditions.
Your California privacy rights
California Civil Code § 1798.83 permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] or write to us at 3424 Peachtree Rd NE, Suite 2060, Atlanta, GA 30326.
Data security
We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on secure servers behind firewalls. Any payment transactions and all sensitive personal data will be encrypted using commercially reasonable technology.
We classify your information, but we require your assistance to most capably protect your data. We will ask you to mark data as (1) Unclassified, (2) Confidential, or (3) Sensitive, depending on your classification of any data you submit to us. If you believe that the data you send to us contains personal data or other sensitive information, you must notify us by marking that information as Sensitive.
When classifying your data, you should consider the following definitions:
- Confidential data is any proprietary data subject to non-disclosure and confidentiality contract obligations that would cause or create legal liability if accessed by unauthorized parties
- Restricted data is any Personal Data as that term is defined by the European Union’s General Data Protection Regulation and/or any similar laws or regulations, including but not limited to “personally identifiable information”, “private health information”, and/or “non-public information” as such terms are used in HIPAA, PCI-DSS, the Gramm-Leach-Bliley Act, or Sarbanes-Oxley. Sensitive data also includes valuable and proprietary information (including trade secrets), for which the loss, unauthorized access to, or unauthorized publication of would result in substantial or severe harm.
Your data is processed in our system as either Confidential or Restricted, depending on your classification. If you fail to classify your data, we will consider that data Confidential. Both Unclassified and Confidential data is Unrestricted. Our secure portal uses commercially reasonable technologies, processes, and procedures to maintain the confidentiality, integrity, and availability of all Confidential and Restricted data. While we still make commercially reasonable efforts to protect Unrestricted data, such data is not subject to our most expensive and stringent controls.
The safety and security of your information also depend on you. Where we have given you (or where you have chosen) a password for access to certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. We urge you to be careful about giving out information in public areas of the website like message boards. The information you share in public areas may be viewed by any user of the website.
Unfortunately, the transmission of information via the internet is not entirely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our website, particularly the end computer that you may be using to interact with our website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the website, in this Privacy Policy, or on our Terms and Conditions.
Changes to our privacy policy
It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the corporate website. If we make material changes to how we treat our users’ personal information, we will notify you through a notice on the corporate website home page, via email, or when you log in to use our portal. The date the privacy policy was last revised is identified in the policy itself. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, or for periodically visiting our website and this privacy policy to check for any changes.
Contact information
To ask questions or comment about this privacy policy and our privacy practices, contact us at: [email protected].
Terms & Conditions
Last Modified: 10/29/2020
Acceptance of the Terms & Conditions
These Terms & Conditions are entered into by and between You and Big Language Solutions (“Company”, “we” or “us”). The following terms and conditions, together with any documents they expressly incorporate by reference (collectively, these “Terms & Conditions”), govern your access to and use of BIG-IP.com, including any content, functionality, and services offered on or through biglanguage.com (the “Website”), whether as a guest or a registered user. In order to request and obtain our translation and localization services (our “Services”), you must agree to these Terms & Conditions.
Please read the Terms & Conditions carefully before you start to use the website. By using the website or by clicking to accept or agree to the Terms & Conditions when this option is made available to you during account registration, you accept and agree to be bound and abide by these Terms & Conditions and our Privacy Policy, found at biglanguage.com/privacy, incorporated herein by reference. If you do not want to agree to either these Terms & Conditions or the Privacy Policy, you must not access or use the website.
This website is offered and available to users who are 18 years of age or older, competent to enter into contracts, and authorized to provide us with all necessary information to perform any Services you request from us. By using this website, you represent and warrant that you are of legal age to form a binding contract with the Company and meet all of the foregoing eligibility requirements. If you do not meet all of these requirements, you must not access or use the website.
Changes to the Terms & Conditions
We may revise and update these Terms & Conditions from time to time in our sole discretion. All changes are effective immediately when we post them and apply to all access to and use of the website thereafter. However, if you have a registered account with us, you will be given an opportunity to stop accessing and using the website if you do not agree to our revisions or updates. Additionally, any changes to the dispute resolution provisions set forth in Governing Law and Jurisdiction will not apply to any disputes for which the parties have actual notice on or prior to the date the change is posted on the website.
Your continued use of the website following the posting of revised Terms & Conditions means that you accept and agree to the changes. You are expected to check this page from time to time so you are aware of any changes, as they are binding on you. However, we will make commercially reasonable efforts to notify you of any material changes if you are a registered user of the website.
Accessing the Website and Account Security
We reserve the right to withdraw or amend this website, and any service or material we provide on the website, in our sole discretion without notice. We will not be liable if for any reason all or any part of the website is unavailable at any time or for any period. From time to time, we may restrict access to some parts of the website, or the entire website, to users, including registered users.
You are responsible for:
- Making all arrangements necessary for you to have access to the website
- Ensuring that all persons who access the website through your internet connection are aware of these Terms & Conditions and comply with them
To access the website or some of the resources it offers, you may be asked to provide certain registration details or other information. It is a condition of your use of the website that all the information you provide on the website is correct, current, and complete. You agree that all information you provide to register with this website or otherwise, including but not limited to through the use of any interactive features on the website, is governed by our Privacy Policy, and you consent to all actions we take with respect to your information consistent with our Privacy Policy.
If you choose or are provided with a user name, password, or any other piece of information as part of our security procedures, you must treat such information as confidential, and you must not disclose it to any other person or entity. You also acknowledge that your account is personal to you and agree not to provide any other person with access to this website or portions of it using your user name, password or other security information. You agree to notify us immediately of any unauthorized access to or use of your user name or password or any other breach of security. You also agree to ensure that you exit from your account at the end of each session. You should use particular caution when accessing your account from a public or shared computer so that others are not able to view or record your password or other personal information.
We have the right to disable any user name, password, or other identifier, whether chosen by you or provided by us, at any time if, in our opinion, you have violated any provision of these Terms & Conditions.
Intellectual Property Rights
The website and its entire contents, features, and functionality (including but not limited to all information, software, text, displays, images, video and audio, and the design, selection, and arrangement thereof), are owned by the Company, its licensors or other providers of such material and are protected by the United States and international copyright, trademark, patent, trade secret and other intellectual property or proprietary rights laws.
Trademarks
The Company name, the Company logo, and all related names, logos, product and service names, designs, and slogans are trademarks of the Company or its affiliates or licensors. You must not use such marks without the prior written permission of the Company. All other names, logos, product and service names, designs, and slogans on this website are the trademarks of their respective owners.
Prohibited Uses
You may use the website only for lawful purposes and in accordance with these Terms & Conditions. You agree not to use the website:
- In any way that violates any applicable federal, state, local or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the U.S. or other countries)
- For the purpose of exploiting, harming, or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information or otherwise
- To send, knowingly receive, upload, download, use, or re-use any material which does not comply with the Data Classification & Content Standards set out in these Terms & Conditions.
- To transmit, or procure the sending of, any advertising or promotional material, including any “junk mail”, “chain letter” or “spam” or any other similar solicitation
- To impersonate or attempt to impersonate the Company, a Company employee, another user or any other person or entity (including, without limitation, by using email addresses associated with any of the foregoing)
- To engage in any other conduct that restricts or inhibits anyone’s use or enjoyment of the website or which, as determined by us, may harm the Company or users of the website or expose them to liability.
Additionally, you agree not to:
- Use the website in any manner that could disable, overburden, damage, or impair the site or interfere with any other party’s use of the website, including their ability to engage in real-time activities through the website
- Use any robot, spider, or other automatic device, process, or means to access the website for any purpose, including monitoring or copying any material on the website.
- Use any manual process to monitor or copy any of the material on the website or for any other unauthorized purpose without our prior written consent
- Use any device, software, or routine that interferes with the proper working of the website
- Introduce any viruses, trojan horses, worms, logic bombs, or other material which is malicious or technologically harmful
- Attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the website, the server on which the website is stored, or any server, computer, or database connected to the website
- Attack the website via a denial-of-service attack or a distributed denial-of-service attack
- Otherwise, attempt to interfere with the proper working of the website
User Data
The website includes access to your customer portal, which contains chat functionality, file upload and download systems, and access to our Services, and may include other interactive features (collectively, “Interactive Services”) that allow users to post, submit, publish, display or transmit to other users or other persons (hereinafter, “post”) content or materials (collectively, “User Data”) on or through the website, including User Data you ask us to translate or localize.
All User Data must comply with the Data Classification & Content Standards set out in these Terms & Conditions.
Any User Contribution you post to the site will be considered non-confidential and non-proprietary unless you properly comply with the Data Classification & Consent Standards set forth below. By providing any User Contribution on the website, you grant us and our affiliates and service providers, and each of their and our respective licensees, successors, and assigns the right to use, reproduce, modify, perform, display, distribute, and otherwise disclose to third parties any such material for the purpose of providing you with any requested Services.
You represent and warrant that:
- You own or control all rights in and to the User Data and have the right to grant the license granted above to Big Language Solutions, our affiliates, and service providers and us, and each of their and our respective licensees, successors, and assigns
- All of your User Data do and will comply with these Terms & Conditions
You understand and acknowledge that you are responsible for any User Data you submit or contribute. You, not the Company, have full responsibility for such content, including its legality, reliability, accuracy, and appropriateness.
We are not responsible or liable to any third party for the content or accuracy of any User Data posted by you or any other user of the website
Monitoring and Enforcement; Termination
We have the right to:
- Remove or refuse to process any User Data for any or no reason in our sole discretion
- Take any action with respect to any User Contribution that we deem necessary or appropriate in our sole discretion, including if we believe that such User Contribution violates the Terms & Conditions, including the Data Classification & Content Standards, infringes any intellectual property right or other rights of any person or entity, threatens the personal safety of users of the website or the public or could create liability for the Company
- Disclose your identity or other information about you to any third party who claims that material posted by you violates their rights, including their intellectual property rights or their right to privacy.
- Take appropriate legal action, including without limitation, referral to law enforcement, for any illegal or unauthorized use of the website.
- Terminate or suspend your access to all or part of the website for any violation of these Terms & Conditions.
Without limiting the foregoing, we have the right to fully cooperate with any law enforcement authorities or court order requesting or directing us to disclose the identity or other information of anyone posting any materials on or through the website. YOU WAIVE AND HOLD HARMLESS THE COMPANY AND ITS AFFILIATES, LICENSEES AND SERVICE PROVIDERS FROM ANY CLAIMS RESULTING FROM ANY ACTION TAKEN BY ANY OF THE FOREGOING PARTIES DURING OR AS A RESULT OF ITS INVESTIGATIONS AND FROM ANY ACTIONS TAKEN AS A CONSEQUENCE OF INVESTIGATIONS BY EITHER SUCH PARTIES OR LAW ENFORCEMENT AUTHORITIES.
However, we cannot review all material before it is posted on the website and cannot ensure prompt removal of objectionable material after it has been posted. Accordingly, we assume no liability for any action or inaction regarding transmissions, communications, or content provided by any user or third party. We have no liability or responsibility to anyone for performance or nonperformance of the activities described in this section.
Data Classification & Content Standards
These data classification and content standards apply to any and all User Data and use of Interactive Services, including our translation Services. User Data must, in their entirety, comply with all applicable federal, state, local, and international laws and regulations. Without limiting the foregoing, User Data must not:
- Knowingly infringe any patent, trademark, trade secret, copyright or other intellectual property or other rights of any other person
- Knowingly violate the legal rights (including the rights of publicity and privacy) of others or contain any material that could give rise to any civil or criminal liability under applicable laws or regulations or that otherwise may be in conflict with these Terms & Conditions and our Privacy Policy
- Promote or constitute any illegal activity, or advocate, promote or assist any unlawful act.
- Give the impression that they emanate from or are endorsed by a third party if this is not the case
Further, you agree that you are solely responsible for classifying your data and notifying us if your User Data contains Sensitive information, including Personal Data, as defined by Article 4(1) of the European Union’s General Data Protection Regulation. When submitting User Data to us, you must mark the data as one of the three following classes as defined in our Privacy Policy:
- Confidential data is any proprietary or otherwise non-public information subject to non-disclosure and confidentiality contract obligations that would cause or create legal liability if accessed by unauthorized parties. We will treat User Data classified as Confidential as Unrestricted
- Restricted data is any Personal Data as that term is defined by the European Union’s General Data Protection Regulation and/or any similar laws or regulations, including but not limited to “personally identifiable information”, “private health information”, and/or “non-public information” as such terms are used in HIPAA, PCI-DSS, the Gramm-Leach-Bliley Act, or Sarbanes-Oxley. Sensitive data also includes valuable and proprietary information (including trade secrets), for which the loss, unauthorized access to, or unauthorized publication would result in substantial or severe harm. Ultimately, you are responsible for deciding if your data is sensitive or not. We will treat User Data classified as Sensitive as Restricted information.
Your data is processed in our system as either Unrestricted or Restricted, depending on your classification. If you fail to classify your data, we will consider that data Unrestricted. Both Unclassified and Confidential data is Unrestricted. Sensitive data is Restricted. Our secure portal uses commercially reasonable technologies, processes and procedures to maintain the confidentiality, integrity, and availability of all Confidential and Restricted data. While we still make commercially reasonable efforts to protect Unrestricted data, such data is not subject to our most expensive and stringent controls.
You must properly classify your data as required under these Terms & Conditions for us to leverage our technical and organizational measures designed to protect the confidentiality, integrity, and availability of your User Data. If you do not use portal.BIG-IP.com to send us User Data, we make no guarantees or warranties related to the security or safety of such improperly submitted User Data. To request access to portal.BIG-IP.com please write to us at [email protected].
Changes to the Website
We may update the content on this website from time to time, but its content is not necessarily complete or up-to-date. Any of the material on the website may be out of date at any given time, and we are under no obligation to update such material.
Information About You and Your Visits to the Website
All information we collect on this website is subject to our Privacy Policy. By using the website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy.
Linking to the Website and Social Media Features
You may link to our homepage, provided you do so in a way that is fair and legal and does not damage our reputation or take advantage of it, but you must not establish a link in such a way as to suggest any form of association, approval or endorsement on our part without our express written consent.
This website may provide certain social media features that enable you to:
- Link from your own or certain third-party websites to certain content on this website.
- Send emails or other communications with certain content or links to certain content on this website.
- Cause limited portions of content on this website to be displayed or appear to be displayed on your own or certain third-party websites.
You may use these features solely as they are provided by us, solely with respect to the content they are displayed with, and otherwise in accordance with any additional terms and conditions we provide with respect to such features. Subject to the foregoing, you must not:
- Establish a link from any website that is not owned by you.
- Cause the website or portions of it to be displayed, or appear to be displayed by, for example, framing, deep linking, or in-line linking, on any other site.
- Link to any part of the website other than the homepage.
- Otherwise, take any action with respect to the materials on this website that is inconsistent with any other provision of these Terms & Conditions.
- You agree to cooperate with us in causing any unauthorized framing or linking immediately to cease. We reserve the right to withdraw linking permission without notice.
We may disable all or any social media features and any links at any time without notice at our discretion.
Links from the Website
If the website contains links to other sites and resources provided by third parties, these links are provided for your convenience only. This includes links contained in advertisements, including banner advertisements and sponsored links, if applicable. We have no control over the contents of those sites or resources and accept no responsibility for them or for any loss or damage that may arise from your use of them. If you decide to access any of the third-party websites linked to this website, you do so entirely at your own risk and subject to the terms and conditions of use for such websites.
Geographic Restrictions
The owner of the website is based in the state of Florida in the United States. We provide this website for use only by persons located in the United States and any other location where accessing this website is legal. We make no claims that the website or any of its content is accessible or appropriate outside of the United States. Access to the Website may not be legal by certain persons or in certain countries. If you access the website from outside the United States, you do so on your own initiative and are responsible for compliance with local laws, except for laws relating to privacy rights and responsibilities, including the GDPR.
Warranties
You understand that we cannot and do not guarantee or warrant that files available for downloading from the internet or the website will be free of viruses or other destructive code, except for files that Big Language Solutions has provided for you to download using our Restricted security option via our portal. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for anti-virus protection and accuracy of data input and output and for maintaining a means external to our site for any reconstruction of any lost data. WE WILL NOT BE LIABLE FOR ANY LOSS OR DAMAGE CAUSED BY A DISTRIBUTED DENIAL-OF-SERVICE ATTACK, VIRUSES OR OTHER TECHNOLOGICALLY HARMFUL MATERIAL THAT MAY INFECT YOUR COMPUTER EQUIPMENT, COMPUTER PROGRAMS, DATA OR OTHER PROPRIETARY MATERIAL DUE TO YOUR USE OF THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR TO YOUR DOWNLOADING OF ANY MATERIAL POSTED ON IT, OR ON ANY WEBSITE LINKED TO IT.
YOUR USE OF THE WEBSITE, ITS CONTENT, AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE IS AT YOUR OWN RISK. THE WEBSITE, ITS CONTENT AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. NEITHER THE COMPANY NOR ANY PERSON ASSOCIATED WITH THE COMPANY MAKES ANY WARRANTY OR REPRESENTATION WITH RESPECT TO THE COMPLETENESS, SECURITY, RELIABILITY, QUALITY, ACCURACY OR AVAILABILITY OF THE WEBSITE. WITHOUT LIMITING THE FOREGOING, NEITHER THE COMPANY NOR ANYONE ASSOCIATED WITH THE COMPANY REPRESENTS OR WARRANTS THAT THE WEBSITE, ITS CONTENT OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL BE ACCURATE, RELIABLE, ERROR-FREE OR UNINTERRUPTED, THAT DEFECTS WILL BE CORRECTED, THAT OUR SITE OR THE SERVER THAT MAKES IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS OR THAT THE WEBSITE OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE WILL OTHERWISE MEET YOUR NEEDS OR EXPECTATIONS.
THE COMPANY HEREBY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR PARTICULAR PURPOSE.
THE FOREGOING DOES NOT AFFECT ANY WARRANTIES WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
Limitation on Liability
IN NO EVENT WILL THE COMPANY, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES OR ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE OR SUCH OTHER WEBSITES, INCLUDING ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE.
THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
Indemnification
You agree to defend, indemnify and hold harmless the Company, its affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses or fees (including reasonable attorneys’ fees) arising out of or relating to your violation of these Terms & Conditions or your use of the website, including, but not limited to, your User Data, any use of the website’s content, services and products other than as expressly authorized in these Terms & Conditions or your use of any information obtained from the website.
Governing Law and Jurisdiction
All matters relating to the Website and these Terms & Conditions and any dispute or claim arising therefrom or related thereto (in each case, including non-contractual disputes or claims) shall be governed by and construed in accordance with the internal laws of the State of Georgia without giving effect to any choice or conflict of law provision or rule (whether of the State of Georgia or any other jurisdiction).
Any legal suit, action or proceeding arising out of, or related to, these Terms & Conditions or the website shall be instituted exclusively in the federal courts of the United States or the courts of the State of Georgia in each case located in the City of Atlanta and County of Fulton although we retain the right to bring any suit, action or proceeding against you for breach of these Terms & Conditions in your country of residence or any other relevant country. You waive any and all objections to the exercise of jurisdiction over you by such courts and to venue in such courts.
Waiver and Severability
No waiver by the Company of any term or condition set forth in these Terms & Conditions shall be deemed a further or continuing waiver of such term or condition or a waiver of any other term or condition, and any failure of the Company to assert a right or provision under these Terms & Conditions shall not constitute a waiver of such right or provision.
If any provision of these Terms & Conditions is held by a court or other tribunal of competent jurisdiction to be invalid, illegal or unenforceable for any reason, such provision shall be eliminated or limited to the minimum extent such that the remaining provisions of the Terms & Conditions will continue in full force and effect.
Entire Agreement
Provided that you have not executed a Master Services Agreement or Data Processing Agreement with Big Language Solutions, these Terms & Conditions and our Privacy Policy constitute the sole and entire agreement between you and Big Language Solutions with respect to the website and supersede all prior and contemporaneous understandings, agreements, representations and warranties, both written and oral, with respect to the website.
Your Comments and Concerns
This website is operated by Big Language Solutions, located at 3424 Peachtree Rd. N.E., Suite 2060, Atlanta, GA 30326
All other feedback, comments, requests for technical support and other communications relating to the website should be directed to: [email protected].
I.S.P.
Information Security Policy (I.S.P.)
1 Introduction
- An Information Security Policy (ISP) is, by standard definition, a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the regulations on the security of digitally stored data wherever the organization’s authority extends. Attaining this goal involves setting up an Information Security Policy for the organization and ensuring adherence to it. The ISP governs the protection of information, which is an asset that the organization needs to protect. Information may be printed, written, spoken, or visually explained.
- The organization has a formal information protection program based on an accepted industry framework that is reviewed and updated as needed. The organization has adopted the NIST as a framework and ISO 27001 standard for its security posture, in addition to covering the HITRUST and PCI/DSS certifications. The SOC 2 Type II report is issued annually. External audit is performed annually.
- Adherence to these compliance artifacts is audited yearly and documented in the 05M04 Service Organization Controls, where controls from these different artifacts are mapped.
- Upper management and the Information Security Steering Group (ISSG) are committed to engaging and participating in the approval process of all policies by approving and signing them. Members of the ISSG are defined IAW 07F18 Information Management Structure.
- User security roles and responsibilities are clearly defined and communicated.
- The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance requirements for its human resources security protection program.
- Sanctions are fairly applied to employees following violations of the information security policies once a breach is verified and includes consideration of multiple factors. The organization documents personnel involved in incidents, steps taken, and the timeline associated with those steps, steps taken for notification, the rationale for discipline, and the final outcome for each incident.
- The organization notifies the manager within 24 hours when a formal sanction process is initiated, identifying the individual sanctioned and the reason for the sanction. Further, the organization includes specific procedures for license, registration, and certification denial or revocation and other disciplinary action. In addition, a Corrective Action Request (CAR) and/or disciplinary action may be created if deemed necessary IAW 10P01 Corrective Action SOP.
- Record of employees involved in security incident(s) is maintained with the resulting outcome from the investigation.
2 Purpose
The organization has implemented the ISP with the goal of identifying, assessing, and taking steps to avoid or to mitigate risk to the organization’s information assets. Information security is achieved by implementing a suitable set of controls, including policies, organizational structures and software, and hardware functions.
2.1 Security Objectives (ISO 27001 5.1)
The ISSG has established security objectives for:
- Confidentiality
- Availability
- Integrity
The security objectives are monitored and analyzed yearly and recorded IAW the 05M01 CMS. These controls are established, implemented, monitored and controlled to ensure that the specific security and business objectives of the organization are met. The same is executed in conjunction with ISO 9001 and ISO 27001 processes implemented by the organization.
- To implement and properly maintain a robust information security function, the organization recognizes the importance of:
- Understanding the information security requirements and the need to establish policies and objectives for information security;
- Understanding, assessing, and measuring risks posed to and by the organization’s information assets;
- Implementing and operating controls to manage the organization’s information security risks in the context of overall business risks;
- Ensuring all employees, external vendors, and consultants of the organization are aware of their responsibilities regarding asset protection and security and understand the importance of any legal and regulatory requirements.
- Monitoring and reviewing the performance and effectiveness of information security policies and controls; and
- Continually improving the assessments, measurements, and changes that affect risk.
- Developing an Information Security Policy that captures the mission of the organization.
- Establishing information security objectives.
- Conducting management reviews, as a minimum on an annual basis, to evaluate the organization’s progress.
- Ensuring the Information Security Management System is integrated within our processes.
- Ensuring the ISO reviews the expenditure and security compliance on the infrastructure, architecture and development.
- Ensuring that sufficient resources are always available.
- Communicating the importance of effective compliance management and Information Security Management System.
- Ensuring that Information Security Policy achieves its intended results.
- Engaging, directing, and supporting our employees to help contribute to the effectiveness of the Information Security Policy
- Promoting improvement.
- Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
3 Scope
- This policy and all related documentation apply to the Information Security Management System (ISMS) as it relates to the translation, localization and transcreation of content IAW 06F04 ISMS Statement of Applicability.
It applies to the staff working from the office in Miami, Florida as well as all the remote staff, vendors, and clients that interact with the Language Vault application.
- The organization processes information with the help of third party providers, all of which hold their SOC 2 Type II reports and ISO 27001 Certifications. All operations are done remotely through the help of dual factor authentication (2FA) protected desktop as a service and a web application that exhibits IP protection, 2FA and custom security policies per client.
All departments that intervene in the delivery of services are covered in this scope including but not limited to Operations, Accounting, and IT personnel.
- Ultimately our stakeholders, vendors, staff members and clients are all protected by the scope of the CMS.
- All the information assets provided by clients and delivered by vendors and staff members are covered in this scope to satisfy their information assurance needs. To that end, the CMS focuses on product development, delivery of services, people, and processes that the organization can control but also that we recommend our constituents leverage.
4 Security Policies Management
4.1 Security Policies Review
- Upper Management assigns a group, the ISSG, to ensure the effectiveness of the information protection program through program oversight. The organization’s approach to managing information security and its implementation are regularly reviewed by the members of the ISSG and are communicated throughout the organization.
- The ISO is appointed and is responsible for ensuring security processes are in place, communicated to all stakeholders, and consider and address organizational requirements.
- Managers are required to review and accept information security-related policies and procedures on a yearly basis. At the time of review, they must agree that these policies and procedures have been consistently applied within their area of responsibility.
- Annual compliance reviews are conducted. The internal SOC audit 05M04 Service Organization Controls document is executed IAW 09P01 Internal Audits SOP by the Compliance Officer. During this time, Policies, Procedures and Information systems are reviewed for compliance with the organization’s information security policies and standards. The organization has pursued a SOC 2 Type 2 report which is to be renewed yearly.
- The results of independent security program reviews are recorded and reported to upper management initiating the review; and the results are maintained for a predetermined period of 6 years. Any findings identified from External/Internal Audit are documented appropriately IAW 10P01 Corrective Action Request SOP.
4.2 Security Program Capital Planning
Capital planning and investment requests include the resources needed to implement the security program and employ a business case, and the organization ensures the resources are available for expenditure as planned. The Management Review Meeting captures any additional resources needed and any improvement projects IAW 09P01 Management Review SOP.
4.3 Roles and Responsibilities
Within the Information Security Policy, roles and responsibilities have been defined and assigned to specific individuals or groups within its organization. The Management Team, including the Information Security Officer (ISO), has established an 07F18 Security Management Structure document. Information security responsibilities are clearly defined, maintained, and communicated. These responsibilities include the security of the organization’s information assets and information technology that are accessed, processed, communicated to, or managed by external parties.
- Information Security Steering Group (ISSG): Responsible for information security in the organization to reduce risk exposure and ensure the organization’s activities do not introduce undue risk. The group is responsible for ensuring compliance with established security policies, processes, and initiatives, and with state and federal regulations. The ISSG is also responsible for reviewing security policies, assigning security roles, and coordinating and reviewing the implementation of security across the organization. This group is also responsible for protecting assets from unauthorized access, disclosure, modification, destruction or interference. The following roles pertain to the ISSG:
- COO: Is the head of the Information Security Steering Group (ISSG). The head of the ISSG sets the security posture across the organization and takes an active role.
- Compliance Officer: Point of contact and represents the organization for compliance inquiries.
- Risk Officer: Is the owner of the 06F02 Risk and Opportunity Management Document and advises the COO on actions that shall be taken regarding risks that have been identified to possibly impact existing vulnerabilities.
- ISO (Information Security Officer): Is the organization’s Senior-Level Information Security Official. Ensures the effectiveness of the information protection program through program oversight; establishes and communicates the organization’s priorities for organizational mission, objectives, and activities; reviews and updates the organization’s security plan; ensures compliance with the security plan by the workforce; and evaluates and accepts security risks on behalf of the organization. Advises the ISSG about privacy, security and compliance. The ISO develops, implements, and manages security matters and ultimately owns the organizational, physical and logical security. The ISO is responsible for ensuring compliance with and adherence to this policy. Responsible for the cybersecurity program, and for the oversight of the appropriate security program for the third-party service acquired by the organization. Ensures security processes are in place and communicated to all stakeholders.
- Information Asset Owner (IAO): Responsible for creating initial information classification, approving decisions regarding controls and access privileges, performing periodic reclassification, and ensuring regular reviews for value and updates to manage changes to risk.
- User: Responsible for complying with the provisions of policies and procedures.
The table below uses the RACI (R = Responsible, A = Accountable, C = Consulted, I = Informed) model for identifying roles and responsibilities during an organizational change process:
| Area of Responsibility | ISSG | ISO | IAO | User |
|---|---|---|---|---|
| Establish the Information Security Program (ISP) | A | R | C | N/A |
| Implement and Operate the ISP | A | R | C | N/A |
| Monitor and Review the ISP | A/R | R | C | N/A |
| Maintain and Improve the ISP | A/R | R | C | N/A |
| Management Responsibility | A/R | R | C | N/A |
| Resource Management | A | R | I | N/A |
| Provision of Resources | A/R | C | I | N/A |
| Training, Awareness and Competence | A/R | R | C | I |
| Internal ISP Audits | A/R | R | C | I |
| Establish Controls | A | R | C | I |
| Storage of Source Code | N/A | R | N/A | N/A |
| Asset Protection from unauthorized access, disclosure, modification, destruction or interference | | | | |
| Report of security event or risks | A/R | R | R? | I? |
- Managers: Managers ensure employees are aware of the relevance and importance of their activities and how they contribute to the achievement of information security objectives. They also ensure that employees are aware of and comply with all information security policies and procedures of the organization relevant to their individual roles.
- Compliance Team: This team consists of the COO, the ISO, the Compliance Officer, and the IT members. This team ensures employees comply with established policies and procedures.
- IT Team: This team is responsible for the following areas related to information security:
- Managing related processes, such as incident and change management
- Providing technical expertise related to information security
- Implementing technical controls
- System administration; e.g., user creation, backups
- Security monitoring; e.g., network intrusions
- Reporting actual or potential security breaches
- Contributing to risk assessment where required
5 Identification and Authentication
The organization has defined the expectations and principles relating to how system setup and credential privileges should be managed. User accounts and privileges shall be managed correctly to ensure authorized user access to information systems is possible, while unauthorized access is not, including but not limited to:
- Authorization to manage user accounts and privileges. Requests are triggered by the HR Business Partner, and authorization may be given through line management, by the Manager and/or Director of the area in question.
- Management of user accounts and privileges. Specific staff members are authorized to control login accounts and permissions for systems that the IT team does not manage. The IT team may delegate specific limited responsibilities for managing accounts and permissions to staff in other departments. See 07F18 Security Management Structure for more details.
- The organization promotes the development and use of programs that avoid the need to run with elevated privileges and system routines to avoid the need to grant privileges to users.
- Users’ access rights must be adjusted in a timely manner to provide only authorized role based and necessary access. This should take place whenever there is a change in business needs, a change in an employee’s role, or when an employee leaves the organization. Managers of the user must be notified of change/termination IAW 07P08 IT Help Desk SOP.
- Password management. Once access to a system or application is authorized, the user shall create their own password IAW 04M06 Password Policy.
- Deletion of user access upon exiting the organization is executed IAW 07P16 Technical Termination SOP.
- IT staff with access to system credentials and cryptographic keys are responsible and liable for maintaining them. Keys are rotated at a minimum of once a year and are kept out of the reach of any other person. These staff shall report any suspicious activity immediately to the ISO.
- Cloud provider keys for AES-256 are rotated and managed by the cloud providers. In all cases, those handling keys (cloud providers or IT personnel) are trained to provide key generation, key distribution, key storage, key rotation and key revocation. Cloud encryption keys are managed by the AWS and GCP cloud providers. IT is responsible for the generation of Portal keys, which are auto-generated and rotated every 2 months with a life of only 3 months via Let's Encrypt. Keys used to interact with services are rotated at a minimum annually or if an IT employee leaves.
- A monthly audit is conducted of login access to ensure accuracy and remove access to those users who are no longer eligible or required. See 07P08 IT Service Desk SOP for more details.
- The organization restricts access to privileged functions and all security-relevant information.
- The ISO is the only authorized person to grant privileged access to IT infrastructure or source code.
- Shared/group and generic user IDs are not used in exceptional circumstances where there is a clear business benefit. All admins have their own unique credentials.
- The authorization involves approval to hire a software engineer or IT infrastructure engineer, to authorize additional privileges, and the record of the JIRA ticket IAW 07P08 IT Help Desk SOP.
6 Handling of External Party Requests and Support
All Customer requests for support must be submitted to [email protected] and vendor requests are to be submitted to [email protected]. Requests are categorized into three tiers:
- Tier 1: All customer requests are considered tier 1, with an SLA of 1 hour. This tier has 3 support staff to manage requests.
- Tier 2: Issues or assistance requested are considered tier 2. Our product owners are on call for these types of matters. This tier has 3 support staff to manage requests.
- Tier 3: DevOps are on call to provide support for requests that can be resolved internally or that might require service provider support. GCP and AWS have 24/7 support. This tier has 3 support staff to manage requests.
All calls received after hours are routed to customer support who are on call. Otherwise during regular business hours the number of staff supporting the service. For all tier 3 requests, a ticket will need to be created with GCP or AWS.
7 Incidents Report and IT Requests
- The IT Team has established procedures to ensure a consistent and effective approach to the management of information security incidents and IT requests, including communication on security events and weaknesses. It enables the efficient and effective management of information security incidents by providing structure for the reporting and management of such incidents.
- Any possible information security event must be assessed, and the ISO together with the IT team shall determine if it should be classified as an information security incident.
- Employees can raise information security incidents, complaints and IT requests by reporting them promptly. All reported items are responded to in a quick, effective, and orderly manner in order to reduce the negative effect of incidents, repair any damage, and mitigate future risks. Tickets are to be submitted to the IT Help Desk IAW 07P08 IT Service Desk SOP.
- Weekly reports shall be generated by the IT Service Desk system for all tickets labeled ‘security.’ Trends shall be analyzed to determine if any discernible patterns require further investigation.
- The IT team has daily meetings where, if necessary, post-mortem and trend analysis is discussed. All knowledge acquired from information security incidents shall be used to reduce the likelihood or impact of future incidents. Any serious incidents shall be recorded in the Non-Conformance log, and a CAR may be originated (IAW 10P01 Corrective Action Request SOP), if deemed necessary.
8 Change Management
BigLS has deployed a change management process in order to prevent unintended service disruptions and to maintain the integrity of all company services. All changes identified as causing disruption are planned and approved by management, without exception.
- Managers responsible for application systems are also responsible for the strict control (security) of the project or support environment and ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment. Project and support environments must be strictly controlled. All proposed system changes must be reviewed to ensure that they do not compromise the security of the system or the operating environment.
- Changes to equipment, software, and procedures are strictly and consistently managed.
- Fallback procedures are defined and implemented, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events.
- The Company deploys strong segregation of duties wherever it is economically feasible, including physical access and business processes in compliance with AICPA recommendations. It is imperative for the organization to grant its VP of Technology, who works as an Information Security Officer (ISO), access to troubleshoot any problems that might occur in the production environment, including production deployments. In addition, it is necessary for the VP of Technology to be the gatekeeper for any source code change. The organization has procedures to include detective and monitoring controls to mitigate the risk of possible misuse or unintentional modification of the organization’s assets. Segregation of duties exists with a number of restrictions, such as:
- Source code changes are performed only by software engineers, and Bitbucket logs are available in Bitbucket to confirm that this is the case.
- Email alerts exist for critical changes performed in the source code, such as pull requests. These alerts are sent to code reviewers.
- No code is merged into the master branch without being approved by two senior developers (per review).
- The VP of Technology only merges code that has been approved by the senior developers. Proof of this is also available from the Bitbucket merged pull request listing.
- Code won’t be released if it does not pass static security analysis. OWASP ZAP acts as a proxy for e2e tests, revealing any new vulnerabilities present in any new release.
- Logical access for the whole software development lifecycle (SDLC) is segregated through a JIRA Kanban System which enforces different players for each of the following concerns: specifications, prioritization, software development, QA, and deployment. Proof is available via JIRA history in each ticket.
- Deployment occurs after confirmation by the Product Owners and the pulling of the ticket into the deployment-in-progress stage, which is allowed only to deployers, all of which can be confirmed from JIRA. Management (as well as all users) is made aware of any new release. There is extra evidence from Google Chat, Portal header notification functionality, and emails that communicate the release notes after each deployment.
- Security audit logs are read only, without exception, and record all changes in the production environment. This can be confirmed by inspecting the Stackdriver logs. Stackdriver is managed by Google and logs cannot be tampered with or deleted.
- Logging of all privileged actions is in place and can be confirmed from Stackdriver logs.
- These privileged actions result in email alerts sent to the Compliance team.
- Developers do not have access to production systems, which can be asserted by looking at our AWS and GCP Inventories which are sent monthly and reviewed by IT as IAO. Test and production environments are segregated in their own projects, which can be asserted by looking into the Google Cloud Console.
- Changes to equipment, software, and procedure are strictly managed.
- The company’s strategy for changes implemented accounts for a rollback strategy which is set by default. All changes are documented starting in a JIRA ticket and applied to test environments before they are pushed into the production environment. In addition the database is backed up every six (6) hours in the case a rollback for a deployment that affected data is needed. Rollback procedures are followed IAW 07P13 Software Development Lifecycle SOP for aborting and recovering from unsuccessful changes and unforeseen events.
- For any systems or system components in production that are no longer supported, the organization executes a formal migration plan, approved by management, to replace the system or system components.
- Every month, the company audits all systems, beyond the Portal production environment, for excessive privileges in its monthly IAO audit. The results of this audit are registered in JIRA.
All requests are processed per IAW 07P08 IT Service Desk SOP. Rollback procedures are documented in case there is a need to go back to a previous status, even though change plans are mostly related to minimal marketable features (MMF). All MMFs are tested thoroughly after a fully automated deployment in the testing environment, before authorizing the deployment into production. Layers of authorization and logging exist so that production changes are controlled and monitored. Only authorized engineers are able to perform production changes. The organization communicates to different stakeholders when the services might be adversely affected.
The organization supports and manages changes to Workspace in the cloud including their operating system and applications and covers major, minor and patches.
The Management team meets every month to discuss any upcoming change. This meeting is known as the Replenishment Meeting.
9 Risk Management
- The organization performs risk assessments in a consistent way and at planned intervals, or when there are major changes to the organization’s environment, and reviews the 06F02 Risk and Opportunity Document annually.
- Risk assessments include the evaluation of multiple factors that may impact security as well as the likelihood and impact from a loss of confidentiality, integrity and availability of information and systems.
- The organization uses a formal methodology with defined criteria for determining risk treatments and ensuring that corrective action plans for the security program and the associated organizational information systems are prioritized and maintained; and the remedial information security actions necessary to mitigate risk to organizational operations and assets, individuals, and other organizations are documented.
- The organization mitigates any harmful effect that is known to the organization of a use or disclosure of restricted information by the organization, vendors, or similar third-parties in violation of its policies and procedures.
- The organization has implemented an integrated control system characterized using different control types (e.g., layered, preventative, detective, corrective, and compensating) that mitigates identified risks.
- The risk management program includes the requirement that risk assessments be re-evaluated at least annually, or when there are significant changes in the environment.
- The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with system and information integrity requirements and facilitates the implementation of system and information integrity requirements/controls.
- Information system specifications for security control requirements state that security controls are to be incorporated in the information system, supplemented by manual controls as needed, and these considerations are also applied when evaluating software packages, developed or purchased.
- Security requirements and controls reflect the business value of the information assets involved, and the potential business damage that might result from a failure or absence of security.
- A formal acquisition process is followed for purchased commercial products, and supplier contracts include the identified security requirements.
- Where the security functionality in a proposed product does not satisfy the specified requirement, the risk introduced and associated controls are reconsidered prior to purchasing the product.
- Where additional functionality is supplied and causes a security risk, the functionality is disabled or mitigated through application of additional controls.
- The organization requires developers of information systems, components, and developers or providers of services to identify (document) early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use.
Risk assessments shall identify, quantify, and prioritize threats that may become relevant to the organization. The results shall guide and determine appropriate organization action and priorities for managing information security risks and for implementing controls needed to protect information assets.
10 Related Security Policies (Public Section)
The organization protects its devices at all times by access controls, usage restrictions, connection requirements, encryption, virus protections, firewalls and physical protections.
10.1 04M06 Password Policy
Please see 04M06 Password Policy
Policy may be made available upon signing a non-disclosure agreement.
10.2 04M07 Data Classification and Processing Policy
10.2.1 Policy
The sensitivity of applications/systems is explicitly identified and documented. The organization’s solution to the Translation Industry is a security-first approach to the handling of any request. The classification of the data of our infrastructure, architecture and home grown software development is carefully selected to handle the most sensitive information available. The following information provides guidance and sets the expectation for the processing and classification of information and customer data:
- Information must be processed only in applications and systems where sensitive data can be protected by guaranteeing confidentiality, integrity and availability.
- To that end, all services provided by the company are rendered from Language Vault, a Portal to vendors, clients and staff members, and Workspaces in the cloud, a Windows desktop solution that guarantees no leaking of information on the end user side.
- The SDLC used for building Language Vault has several security layers IAW 07P13 Software Development Lifecycle Procedure.
- The Workspaces in the cloud are also built on top of a number of security layers IAW 07P12 Configuration Management SOP.
- Information must be classified according to an appropriate level of confidentiality, integrity, and availability.
- All resources covered by the scope of this policy must handle information appropriately and IAW its classification level.
- All data within any system must be assigned to a Data Owner.
- The Data Owner is responsible for ensuring that all data are properly classified.
- Unless the risk is identified and accepted by the data owner, sensitive systems are isolated from non-sensitive systems.
Data Classification
Type | Description
Restricted Information | Highly sensitive data that should not leave managed systems. Any information that is extremely sensitive in nature, such as, but not limited to, Personally Identifiable Information (PII), Payment Card Industry (PCI) and Intellectual Property (IP), is classified as Restricted. Its unauthorized disclosure could seriously and adversely impact the organization, its customers, its business partners, and its external providers.
Confidential Information | Sensitive data that could leave managed systems over secure communications channels only. Its unauthorized disclosure could adversely impact the organization, its customers, its business partners, and its external provider. An example of confidential information may include knowledge regarding systems or processes used by the company that is not considered IP, secret, or a threat to the company’s security.
NOTE: Any information not explicitly classified as Confidential or Restricted shall be considered as Confidential and treated as outlined in this document.
Please see 04M07 Data Classification Policy for additional information. Policy may be made available upon signing a non-disclosure agreement.
10.3 04M08 Information Access Control Policy
The following information sets the rules and expectations for the security and accessing of information:
Resources (employee, external provider, and consultant) shall understand the sensitivity of their data and treat them accordingly per IAW 04M07 Data Classification Policy. Even if technical security mechanisms fail or are absent, every user should still attempt to maintain data security commensurate with its sensitivity.
The organization shall provide resources with access to the information they need to carry out their responsibilities in as effective and efficient a manner as possible.
- Restricted information can only be accessed from restricted environments. Circumventing this (e.g., by taking screenshots) is considered a violation of the established Security Policies.
- Access to systems and data information shall be given through the provision of unique credentials per IAW 07P08 IT Service Desk SOP and a complex password per IAW 04M06 Password Policy.
- Authentication is performed with user, password and 2FA over secure channels (PCoIP for workspaces and TLS 1.2 for servers). Language Vaults also require 2MFA.
- Shared credentials (individual, shared/group, system, application, guest/anonymous, emergency and temporary) are not authorized on systems. If exceptions exist, the ISO must approve the usage of them.
- An employee is held accountable for any activity performed under their login ID.
- Requests to modify or revoke access to the organizations’ internal systems shall be provided only after the written request is received and validated by the IAO IAW 07P08 IT Service Desk SOP.
- The information system employs replay-resistant authentication mechanisms such as nonces, one-time passwords, or time stamps to secure network access for privileged accounts. The company deploys “replay-resistant” authentication mechanisms on the workspaces with the help of Kerberos authentication and in Portal with the help of CSRF tokens and HTTP headers.
- Access to Restricted information shall be limited to authorized resources whose responsibilities require it, as determined by law, contractual agreement, or the Information Security Policy.
- The organization does not facilitate information sharing by enabling authorized users to determine a business partner’s. If exceptions exist, the President must authorize the use of them after being advised by the ISO IAW 07P18 Access Control SOP.
- Access rights to applications and application functions are limited to the minimum necessary using menus. Language Vault uses the concept of a business hub, which has been the subject of study by its main architect for years. In simple terms, absolutely all functionality from the system can be accessed via APIs using the same RBAC that applies to regular users who access the app via the UI.
- Access rights from an application to other applications are controlled.
- The translation process takes place within the Language Vault, where all user interactions are logged. These logs are accessible from the Audit Module, where the date, the action, the request payload, the IP, the user agent of the user and the response code are all logged IAW 07P19 Access Audit Logging and Monitoring SOP.
The organization places reasonable restrictions on removable media. The use of removable media is prohibited on all equipment owned by the organization. Exceptions are managed IAW 07P10 Antivirus and Malware SOP and the 07P08 IT Service Desk SOP and must be approved by the ISO. Restricted Workspaces are prohibited from using removable media, with no exceptions.
Please see 04M08 Information Access Control Policy for additional information. Policy may be made available upon signing a non-disclosure agreement.
10.4 04M10 Remote Access Control Policy
1 Policy
- Storage of restricted information and customer data on any personal device is prohibited.
- All remote access users are to comply with all security policies, may not perform illegal activities and may not use the access for outside business interests.
- It is the responsibility of employees, external vendors, and consultants with remote access privileges to the managed resources to ensure their remote access connection is used only for the organization’s related business purposes.
2 Requirements
- Remote access passwords and dual authentication tokens shall only be used by the individual to whom access was granted.
- All users are expected to report any loss of dual authentication devices immediately to the IT department, as well as any suspicious activity reported in their account.
- The session time-out mechanism is set at fifteen minutes of inactivity in the WS, and closes network activity at 15 mins of inactivity. When the user resumes activity after the session has been paused or closed, the user will be required to reestablish authenticated access.
- Language Vault session times out after fifteen minutes of inactivity.
Please see 04M10 Remote Access Control Policy for additional information. Policy may be made available upon signing a non-disclosure agreement.
10.5 04M12 Acceptable Use Policy
1 Policy
- The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange.
- Employees, external vendors, and consultants are responsible for exercising good judgment regarding appropriate use of resources per IAW 05M03 Information Security Policy and Policies.
- Employees and vendors are aware of the limits existing for their use of the organization’s information and assets associated with information processing facilities and resources; and they are responsible for their use of any information resource and of any use carried out under their responsibility.
- Automated controls are in place to authorize and restrict the use of mobile code. Internet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts, electronic mail, WWW browsing, and additional services like SFTP and cloud services like GSuite, are the property of the organization. These systems are to be used for business purposes in serving the interests of the organization and its customers in the course of normal operations. The company does not allow the usage of browser versions that support Java, ActiveX, Shockwave or Flash animations, as these components pose a number of threats and have been deprecated, meaning there are no patches available for the engines responsible for processing this kind of media.
- Proprietary information stored on electronic and computing devices, whether owned or leased by the organization, the employee, or external providers, remains the sole property of the organization.
- Employees and external vendors may access, use, or share the organization proprietary information only under NDA and to the extent it is authorized and necessary to fulfill their assigned job duties.
- Physical and logical access is only given to vendors for support purposes when necessary, with management approval, and such access is monitored. Access for vendors must be given on a need-to-know basis and monitored monthly as part of the IAO audit IAW 07P08 IT Help Desk SOP.
- Employees, external vendors, and consultants have a responsibility to promptly report any access error, theft, loss or unauthorized disclosure of proprietary information per IAW 07P08 IT Service Desk SOP.
- Employees and external vendors and consultants should not circumvent any restrictions imposed by IT on the usage of resources.
- All mobile and computing devices used to connect to the organization’s owned resources shall be done per IAW 04M08 Information Access Control Policy.
- System level and user level passwords must comply with the 04M06 Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- All computing devices, including workspaces in the cloud and those devices used to connect to them, must be secured with a password-protected screensaver per IAW 07P03 Work Environment SOP.
- Employees, external vendors, and consultants must use extreme caution when opening email attachments or clicking on email links. The email address of the sender (not the sender name) of each email should be known to the addressee and verified by calling the sender in case such communication was not expected.
- The organization will store emails for seven years. All email communications, even after being deleted by the organization’s email holder, are archived and can be used for said time period.
- Under no circumstances is an employee, external vendor, or consultant authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing the organization’s resources. This includes, but it is not limited to:
- Using a computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee or external vendor is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
- Port scanning or security scanning is expressly prohibited unless a request is made to IT per IAW 07P08 IT Service Desk SOP and approved by the ISO.
- Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s or vendor’s normal job/duty.
- Circumventing user authentication or security of any host, network, or account.
- Introducing honeypots, honeynets, or similar technology on the network.
- Interfering with or denying service to any user other than the user’s host (for example, denial of service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user’s terminal session, by any means, locally or via the Internet/Intranet/Extranet.
- Providing information about, or lists of, Company employees/external vendors/consultants to parties outside BigLS.
- The organization reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.
- Social media accounts must not be used to share any information about the company that has not been previously authorized by management and they must exercise caution when participating in chats, forums, surveys or any other means of interactions. All Employees must conduct themselves in accordance with 07F03 Employee handbook.
2 Software Use
- The organization has purchased fully licensed copies of computer software from a variety of publishers and vendors.
- Operational systems only hold approved programs or executable codes.
- Licensed and registered copies of software programs are placed on remote workspaces in accordance with the licensing agreements and company policies. No other copies of this software or its documentation can be made without the express written consent of the software publisher and of the organization.
- The organization prohibits users from installing unauthorized software, including data and software from external networks.
- The organization prevents program execution in accordance with a list of authorized (whitelisted) software programs and components and strict rules about the addition of any new component which demands the authorization of the VP of Technology.
- Only authorized administrators are allowed to implement approved upgrades to software, applications, and program libraries, based on business requirements and the security implications of the release.
3 Software from Other Sources
- The organization shall provide copies of legally acquired software to meet all legitimate needs in a timely fashion and in sufficient quantities for all remote desktops. The use of software obtained from any other source could present security and legal threats to the company, and such use is strictly prohibited.
- Any software, including commercial, OEM, retail, open source, shareware, and freeware software may present a security risk. Any software can only be used if the ISO has approved it. Requests shall be submitted via ticket per IAW 07P08 IT Service Desk SOP.
- Messaging and/or any type of communication is disabled on the restricted WS.
Please see 04M12 Acceptable Use Policy for additional information. Policy may be made available upon signing a non-disclosure agreement.
10.6 04M16 Intellectual Property Policy
- Policy
- The organization’s intellectual property, such as information, processes, and technology are available to its employees, external vendors, and consultants to carry out their daily responsibilities.
- Employees, external vendors, and consultants are prohibited from any unauthorized use of the Company’s intellectual property, such as, but not limited to, audio and video tapes, print materials and source codes.
- It is the responsibility of every employee, external vendor, and consultant to help protect intellectual property. It is the responsibility of VPs, Directors and Managers to foster and maintain awareness of the importance of protecting intellectual property.
- While processing customer data, employees, external vendors and consultants are to use legal and ethical resources to prevent any type of data loss.
Please see 04M16 Intellectual Property Policy for additional information. Policy may be made available upon signing a non-disclosure agreement.
10.7 07P09 Equipment Destruction Disposal SOP; Confidential
10.8 07F18 Security Management Structure; Confidential
10.9 04M09 Data Encryption Policy; Confidential
10.10 04M11 Firewall Policy; Confidential
10.11 04M13 Disaster Recovery Policy; Confidential
10.12 04M14 Software Development Lifecycle Policy; Confidential
10.13 04M18 Mobile Device Policy; Confidential
10.14 04M11 Firewall Policy; Confidential
10.15 04M14 Software Development Lifecycle Policy; Confidential
10.16 07P10 Antivirus and Malware SOP; Confidential
10.17 07P11 Penetration and Vulnerability SOP; Confidential
10.18 07P13 Software Development Lifecycle SOP; Confidential
10.19 07P14 Firewall SOP; Confidential
10.20 07P15 Encryption SOP; Confidential
10.21 07P17 Password SOP; Confidential
10.22 07P20 Third Party Service Provider SOP; Confidential
10.23 07P22 Business Continuity and Disaster Recovery Procedure; Confidential
10.24 07P23 Business Contingency Plan (BIA, BCP, DRP); Confidential
Details of our selected controls and how they have been implemented and measured are considered confidential information and restricted to the organization. The following sections have been removed to make this document available to the public: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development and maintenance, information security incident management, business continuity management, and compliance.
Notice for California Residents
biglanguage.com Privacy Notice for California Residents
Effective Date: January 1, 2020
Last Reviewed on: January 31, 2020
This Privacy Notice for California Residents supplements the information contained in Big Language Solutions’ Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (CCPA) and any terms defined in the CCPA have the same meaning when used in this notice.
Information We Collect
Our website collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, Big Language Solutions’ Website has collected the following categories of personal information from its consumers within the last twelve (12) months:
Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, like:
  - health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  - personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
BIG IP obtains the categories of personal information listed above from the following categories of sources:
- Directly from you. For example, from forms you complete or products and services you purchase.
- Indirectly from you. For example, from observing your actions on our website.
- Directly from third parties who engage us to provide services. For example, from parties you have interacted with and who may require translation or localization services to conduct their business with you.
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.
- To provide, support, personalize, and develop our website, products, and services.
- To create, maintain, customize, and secure your account with us.
- To process your requests, purchases, transactions, and payments and prevent transactional fraud.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To personalize your Website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our website, third-party sites, and via email or text message (with your consent, where required by law).
- To help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve our website, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Big Language Solutions’ assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Big Language Solutions about our Website users is among the assets transferred.
Big Language Solutions will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing Personal Information
Big Language Solutions may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We share your personal information with the following categories of third parties:
- Service providers.
- Third-party customers who engage us to provide translation or localization services that may be related to your personal information.
Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:
Category A: Identifiers.
Category B: California Customer Records personal information categories.
Category C: Protected classification characteristics under California or federal law.
Category D: Commercial information.
Category F: Internet or other similar network activity.
Category H: Sensory data.
Category K: Inferences drawn from other personal information.
We disclose your personal information for a business purpose to the following categories of third parties:
- Service providers.
- Third-party customers who engage us to provide translation or localization services that may be related to your personal information.
Sales of Personal Information
In the preceding twelve (12) months, Company has not sold personal information.
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that BIG IP disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- The specific pieces of personal information we collected about you (also called a data portability request).
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that Big Language Solutions delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Making a verifiable consumer request does not require you to create an account with us.
We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. We currently do not provide financial incentives.
Other California Privacy Rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] or write us at: Big Language Solutions, 3424 Peachtree Rd, NE, Suite 2060, Atlanta, GA 30326
Changes to Our Privacy Notice
Big Language Solutions reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the website and update the notice’s effective date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this notice, the ways in which Big Language Solutions collects and uses your information described below and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Phone: 800-642-6290
Website: https://biglanguage.com#contact/
Email: [email protected]
Postal Address:
Big Language Solutions
Attn: Compliance
3424 Peachtree Rd, NE
Suite 2060
Atlanta, GA 30326