
Security Statement

Certified under ISO 27001:2013

Introduction

This security statement applies to the products, services and applications offered by 2M Language Services. The protection and reliability of customer data is our utmost priority. Our security system is based on the principles of high resilience, transparency and third-party evaluation in accordance with the globally recognised security standards.

Certifications

2M has been certified for ISO 27001, which confirms that the information security management system (ISMS) we have introduced conforms to the ISO standard. The ISO certificate can be found here along with our other ISO certificates.


We use a range of cloud providers for our systems, including Amazon Web Services (AWS), Microsoft Exchange/Azure and Secure-ISS. These are compliant with a wide range of security standards, including SOC 1/ISAE 3402, SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 9001, ISO 27001, ISO 27017 and ISO 27018.

We use a third-party payment provider that is PCI DSS compliant.

Audits and Vulnerability Detection

2M Language Services' privately hosted systems undergo third-party penetration tests and vulnerability scans each year. The tests are conducted in accordance with the OWASP ASVS standard. Systems provided by third parties also comply with our penetration testing requirements for vendors.

Our information security management system is subject to annual internal audits and third-party audits verifying our compliance with the ISO 27001 standard. Internal audits take place on a regular basis.

Data Privacy

Information about privacy can be found here.

Data Centers and Locations

2M's systems are hosted on AWS, Microsoft Exchange/Azure and Secure-ISS. The physical servers are located in Australia wherever possible.

Vendor Management

As part of our ongoing ISO 27001:2013 compliance, we assess third-party system vendors from a security and privacy standpoint to ensure that they meet the standards we set and are in line with our ISO 27001:2013 compliance.

Change Management

2M uses a formalised IT change management process designed to ensure that changes are authorised and operate as intended.

The change management system at 2M follows these principles:

  • All software development follows the best practices documented in 2 policies and in the documentation of particular components.
  • All changes are documented and approved by the relevant team lead.
  • All changes are tested in the QA and pre-production environments prior to deployment to the production environment. Changes are approved only if they fulfil predetermined criteria. The development and QA environments use testing data and do not include real customer data.
  • All changes which affect applied security measures or the risk profile of the 2M services are assessed from the security standpoint.
  • In the case of a major change to our privately hosted systems, penetration tests and/or vulnerability tests are performed.

Access Control

Access management at 2M is guided by the following principles:

Principle of Least Privilege

Access privileges for any user should be limited to resources absolutely essential for the completion of assigned duties or functions, and nothing more.

Principle of Segregation of Duties

Whenever practical, no single person should be responsible for completing or controlling a task, or set of tasks, from beginning to end when it involves the potential for fraud, abuse, or other harm.

Personalised profiles

Whenever possible, user profiles are personalised, i.e. tied to the identity of one specific user.

Single identity

Wherever possible, user profiles use a single authentication provider (Azure ID) and single credentials. Multi-factor authentication is enabled when supported by the authentication provider.

User responsibility

The user is responsible for the protection of the authentication means (username, password, means of multi-factor authentication) and all actions performed under their profile. The administrator of the IT system/application is responsible for the use and protection of technical profiles.

Event Logging

Our audit logs meet ISO 27001:2013 requirements. We store logs of system and application events on our privately hosted systems, as well as logs of any user activity within their application account. Third-party systems used in service delivery comply with our logging requirements.

Encrypted Communication

All communication is encrypted in our systems by default. This includes communication between our servers and the user's web browser or application.

The connection to our systems is encrypted using the latest security standards and best practices. The connection uses TLS 1.2. The identity of our systems is verified by a certificate issued by a trusted certification authority.

Redundancy and Backups

Redundant architecture ensures high service uptime. All data is kept in several redundant database instances. All data from our on-premises hosted systems is backed up through daily full backups to highly durable, privately hosted storage. Backups are encrypted. Third-party systems used in service delivery comply with our backup requirements.

Disaster Recovery and Incident Response

We apply disaster recovery and incident response policies that ensure timely and effective reactions to incidents. Thanks to redundant architecture and rapid incident response we were able to reach 98% availability long-term. Thanks to a robust backup system, we are able to guarantee swift recovery and minimal data loss. The performance of our disaster recovery is measured by bi-annual tests.

Physical Security

Although most of 2M's assets are cloud-based, company policy ensures the protection of the physical premises as well as the information assets stored there.

In general, 2M's premises are only accessible to 2M employees. These persons are holders of access cards or keys granting access to the general office area.

Visitors are registered at the reception desk which operates during business hours. To access 2M premises, they must be accompanied at all times by a 2M employee. All 2M employees are responsible for keeping their visitors accompanied at all times during their visit and not granting them any unnecessary access to any information assets belonging to 2M.

Hard copies of classified information may be stored only in locked closets located in the 2M office. Access to those documents is granted only to employees who require it for the performance of their duties.

Employee Policies

Users are obliged to act in line with legislation, rules and procedures described in this and related policy documents. They are responsible for the security of assets entrusted to them by 2M. Any misconduct or violation of the aforementioned obligations may lead to disciplinary measures according to applicable labour legislation and internal policies.

An approved anti-malware solution is installed on all computers. All devices have full-disk encryption enabled and are protected by a strong password and/or biometrics. A clean desk policy provides rules for securing devices when unattended and for storing internal and classified information only in the designated protected areas.

Users must create unique, complex and hard-to-guess passwords for all work-related accounts.

All prospective 2M employees and contractors are subject to background checks in line with privacy legislation. Security awareness and policy training are part of our onboarding process and are repeated annually. All employees and contractors (linguists) have a signed NDA as part of their contract.