We use AI responsibly to enhance speed, consistency, and accuracy while maintaining strict data protection. 

• No training on your content — Client data is never used to train public models. 

• Privately hosted and isolated models — Private cloud options for regulated workloads. 

• Human in the loop review for high-risk or confidential material. 

• Prompt and output safeguards to prevent unintended disclosure. 

• PII and PHI detection to flag sensitive content before processing. 

• Transparent model evaluation and documentation for accountability. 

We assess and manage risk continuously to identify, evaluate, and mitigate threats before they impact clients. 

• Annual risk assessments identify vulnerabilities, evaluate internal controls, and prioritize remediation. 

• Incident response procedures follow strict SLAs with timely client notifications and documented resolution steps. 

Security is embedded into our software development lifecycle. 

• Secure SDLC controls from design to deployment. 

• Change management with CAB oversight and security review. 

• Monthly external vulnerability scans and quarterly internal assessments. 

• Annual third-party penetration testing, with executive summaries available under NDA. 

Every partner and contractor upholds the same standards we do. 

• Supplier onboarding includes risk assessment and tiering. 

• Mandatory NDAs and confidentiality clauses for all linguists and subcontractors. 

• Annual reviews for critical suppliers and technology providers. 

• Comprehensive training in data privacy and security best practices.

Our people are our first line of defense. 

• Mandatory annual security and privacy training for all employees and contractors. 

• Role-based training for technical and privileged users. 

• Pre-employment screening appropriate to each role and jurisdiction. 

• Regular phishing simulations are carried out to assess employees’ awareness of social engineering threats 

BIG maintains certifications that meet or exceed international standards for secure, high-quality operations: 

• SOC 2 Type II 
  An independent audit confirming the effectiveness of our internal controls for data protection. 

• ISO 27001:2022 (Information Security Management System) 
  Demonstrates a systematic approach to managing information security risks and continuous improvement. 

• ISO 17100:2015 (Translation Services) 
  Defines the qualifications and processes required for professional linguistic work, ensuring accuracy and consistency. 

• ISO 9001:2015 (Quality Management) 
  Confirms our dedication to continuous improvement and customer satisfaction. 

BIG complies with the most widely recognized data protection and regulatory frameworks to ensure your information remains private, secure, and under your control. 

• HIPAA (Health Insurance Portability and Accountability Act) 
  All BIG processes are HIPAA-compliant. Protected Health Information (PHI) is stored and processed exclusively in U.S.-based data centers. Access is limited to authorized personnel under strict role-based access controls (RBAC), and PHI is encrypted both at rest and in transit in accordance with our internal Data Encryption Policy. 

• GDPR & CPRA (General Data Protection Regulation / California Privacy Rights Act) 
  BIG complies with global data protection regulations including GDPR and CPRA. We offer Data Processing Agreements (DPAs), Standard Contractual Clauses (SCCs), and regional hosting options to support customer-specific residency requirements and uphold data subject rights such as access, correction, and deletion. 

• PCI DSS (Payment Card Industry Data Security Standard) 
  For clients processing payments, we adhere to the Payment Card Industry Data Security Standard (PCI DSS), ensuring cardholder data is handled securely and in accordance with industry best practices. 

• HITRUST  (Health Information Trust Alliance) 
  We are HITRUST compliant and hold a HITRUST certification. This applies to our U.S.-based data centers and demonstrates alignment with rigorous, industry-defined requirements for managing risk, privacy, and security in regulated environments. 

Our Information Security Policy and Service Organization Controls are implemented to meet all privacy and security obligations. Data is encrypted both in transit and at rest under our Data Encryption Policy, ensuring all processing occurs in encrypted environments. 

Our privacy program is built around transparency and control: 

• Data Processing Agreements with SCCs and regional addenda. 

• Retention and deletion aligned with contract and regulation. 

• Government or third-party requests reviewed by Legal under strict protocols. 

• Customer data ownership — clients can export or erase data upon request. 
• Breach notification procedures comply with all applicable laws. 

• U.S. Department of Defense (DoD) -aligned data destruction ensures deleted data cannot be recovered. 

• Client-defined retention policies determine how long data is stored. 

• LanguageVault™ isolation — all client data resides in separate, access-controlled directories with field-level RBAC, 2FA, and IP authentication.