Our Security Promise
Data security and confidentiality are non-negotiable
Lexxika was built with document security at its heart; throughout the translation process, we have implemented systems that keep sensitive data locked down.
Maintaining The Highest Standards
Be confident in security compliance, wherever you’re based
To ensure Lexxika remains robust, we work with industry partners to stay up-to-date with the latest trends in fraud, cybercrime and legislation, minimising your exposure along the way. Your partners and your reputation rely on compliance with international data processing law. Wherever you’re based, we want you to be confident in that compliance.
World-Class Server Standards
Not only does Lexxika hold ISO 9001 and ISO 27001 standards, but our data servers are hosted in world-class enterprise environments by Azure. These hold ISO 9001, 27001, 27017 and 27018 and are monitored by CCTV, while access to the complex is controlled by security guards.
A closed platform
Our Assist portal provides a secure environment for the translation process as well. Linguists are beamed an image of the file, which they translate within our server, and access is removed immediately upon completion. All interactions are also fully audited.
A strong, trusted linguist network
Lexxika has been translating since 2007. We know our linguists well and have developed strong relationships. Rigour and background checks are a part of our approach, but we believe that an inclusive and familiar team approach creates mutual trust and great results.
Data and Info Security
Who is responsible for Information Security at Lexxika?
Our DPO (Data Protection Officer) is Mr. Ryan Cracknell. All data-related questions and reports of issues should be directed to Tom Bool, Lexxika’s CEO.
Does Lexxika have an information security management framework in place, such as ISO 27001?
Yes, we hold ISO 27001.
Does Lexxika have a formal IT security policy?
Yes, we do. Our IT security policy covers:
- Review cycle
- Version history
- References
- Document details
- Purpose
- Definition
- Scope
- Policy compliance
- Training
- Compliance measurement
- Exceptions
- Non-compliance
- Definitions & Terms
- Policies
- General policies
- Data policies
- Device policies
- Systems access & Usage policies
Data Storage
When data is held by Lexxika, how is it protected?
Data is held securely in a cloud-based Microsoft Azure storage facility. It is encrypted while at rest, and all data transfers are TLS protected.
What ISO certifications do Lexxika’s cloud providers hold?
Our cloud providers all hold:
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- ISO 20000
How long does Lexxika store the translated documents for?
Documents are automatically deleted a predetermined length of time after the completed translations have been downloaded.
Clients can decide on the length of time. We recommend that this period is no longer than 14 calendar days, and we impose a strict maximum of 30 calendar days. Once deleted, the files are irretrievably destroyed and will no longer be available to Lexxika or our linguists.
In what jurisdiction does Lexxika store data?
System and application data is stored in Microsoft Azure, in the UK.
Personal data, including all documents submitted for translation and their respective translated versions, is stored separately. It can be located in a wide range of jurisdictions, as specified by the client. This means that the protected documents do not need to physically leave the client’s jurisdiction.
Mobile Devices
Are mobile devices used by Lexxika?
The majority of our work is carried out from desktop computers. Senior staff have company-issued iPhones, which are used for general communication purposes and in emergencies. They are fully encrypted and protected, in accordance with Lexxika’s mobile devices policy.
Operational work is not conducted from mobile devices.
What are Lexxika’s security policies regarding mobile devices?
All phones and laptops have full data encryption and our business systems require 2-factor authentication to gain access. Mobile devices are remotely trackable and can be wiped remotely.
Data Breach Management
Does Lexxika have an Incident Management / Incident Response Plan in place to deal with data breaches or similar incidents?
Yes, we do. It’s part of our IT security policy and we’re happy to share it.
Is this policy regularly tested?
Yes. We test our incident management and business-continuity practices annually.
Is Lexxika’s Incident Response Plan fully compliant with GDPR?
Yes. Our Incident Response Plan addresses all of the requirements placed on data processors under the EU personal data breach regime contained in the GDPR, including breach notification and data subject access request timelines.
Is there automated system logging in place with the components necessary to reconstruct events to detect or respond to potential security incidents?
Yes. We generate full audit logs of all operational tasks. These contain references of every page viewed and all key user actions. These logs are auto-generated and are used to detect penetration attempts, attempted misuse and to protect against future threats.
How many incidents or data breaches has Lexxika had in the last 3 years?
Lexxika has had no data breaches, and has never had cause to report any data losses to the relevant authorities.
Encryption
Does Lexxika employ security protocols to safeguard data (including, but not limited to, passwords) during transmission over untrusted (e.g. public) networks?
Yes. Lexxika uses industry-standard cryptographic functions and TLS for all data in transit. Our security policies forbid the use of public networks, and all staff are equipped with a VPN for remote access.
How are passwords stored within Lexxika?
All passwords are stored using bcrypt. Our password policy follows NIST guidelines and our portal enforces that policy.
System Audit and Logging
Does Lexxika log user activities?
Yes, we log a wide range of user interactions. We auto-generate audit logs of all operational system interactions. These contain references of every page viewed and all key user actions.
What user activities are logged by Lexxika?
Currently, among other actions, we log:
- Upload of request
- Last login time
- Download of translations (by client)
- Allocation of requests to linguists
- Acceptance of requests by linguists
- Completion of requests by linguists (translator & Lexxika only)
- Failed log in attempts
- Password change requests
- Any changes to user details
- Length of user sessions
We measure these partly to provide accurate auditing data to clients, but also in the interests of service improvement.
Are these logs retained?
Our logs are retained for a minimum of 6 years in accordance with HIPAA; in practice we retain logs indefinitely, until database size requires their deletion.
Is there a process in place to monitor/review the access log to detect anomalies?
Yes. There are both automated and manual processes in place to detect user access anomalies. Protocols are in place to block access to users displaying suspicious behaviour or any attempted conduct falling outside of their role-based access rights.
Business Continuity and Disaster Recovery
Does Lexxika have a documented Business Continuity Plan in place?
Yes, we do.
Our Business Continuity Plan includes disaster recovery and covers a wide range of scenarios, including loss of office, incapacitation of key staff, and pandemics.
Throughout the COVID-19 outbreak of 2020, service and security levels were fully maintained.
How often are Lexxika’s business continuity measures tested and updated?
Our business continuity plans are fully tested and reviewed once per year.
What key business continuity measures does Lexxika have in place?
All of Lexxika’s data is cloud-based; no data is ever stored on Lexxika’s machines. If our office and all of the equipment in it were stolen or destroyed, we would have access to all business-critical data within minutes.
Staff have clear training and understand protocols in the event of any business disruption, and our team are geographically spread between 3 countries to prevent any service outages.
Do you hold data backups?
All personal or protected data is purged and deleted in line with our data retention policy. This means that documents are automatically deleted a predetermined length of time after the completed translations have been downloaded. All other non-personal data (including transaction data) is backed up securely within Microsoft Azure. We do not hold physical backups of any data.
Access Controls
How does Lexxika manage access to the portal and to the documents within it?
This is one of the primary purposes of the portal.
The portal is managed on a ‘least privilege’ or ‘need-to-know’ basis. Access is granted based on the users’ requirements and access to data is restricted appropriately.
This means that we grant access to one linguist at a time, for the time necessary for a task to be completed. Upon completion, access to the file is automatically revoked.
All other users are granted role-based access to necessary content only.
Are all users uniquely identifiable?
Yes.
All Lexxika users have a unique ID, which means any activity by that ID can be tracked back to a specific person.
Can Lexxika facilitate single sign-on, or Active Directory Federation Services?
Yes. Lexxika is happy to work with your IT department to facilitate single sign-on (SSO). Doing this puts your IT team in charge of access rights and users. It also enables you to implement any 2-factor authentication protocols, in accordance with your own policies.
Does Lexxika’s portal have a public API?
No. Our portal does not have any public or published API access. All private API access is handled over TLS and is configured with appropriate CORS and authentication controls.
Passwords
What are Lexxika’s accepted password rules?
Lexxika has a password policy for all staff, which is part of our IT security policy.
Passwords are generated and stored by a secure password management tool, which is centrally configured to ensure adherence to our password policy.
This policy conforms to the NIST standard.
Does the application/system time-out after a specific period of inactivity?
Yes, Lexxika’s portal will time out after 2 hours of inactivity.
Third parties and sub-contractors
Does Lexxika use third parties and sub-contractors?
Yes. Many of Lexxika’s linguists are external partners who have been contracted to provide language services.
What contractual controls are in place to ensure that personal information transmitted, processed, stored, or disclosed to, or retained by third parties is limited to defined parameters for access, use and disclosure?
All linguists are required to sign a DPA (Data Processor Agreement), NDA and contract prior to receiving access to client data. The Lexxika portal is also built to prevent transferring data to unauthorised individuals.
What due diligence process is in place prior to engaging linguists?
All linguists are required to provide evidence of appropriate qualifications, complete test translations and provide references. Background checks are completed if deemed necessary.
How is data shared with third parties?
The portal enables documents and images to be shared with linguists as a read-only, locked format version, which means they never have ownership of the document. Linguists can never download, copy or print the document.
Who has access to the documents that are uploaded to the portal?
Authorised Lexxika employees have access to the documents on a strict need-to-know basis.
Linguists are given visibility of a read-only, secured version of the documents for the time they are producing the translation only. This is revoked immediately once the translation is complete.
Does Lexxika track user actions internally?
Yes. The portal holds a full audit trail of every interaction with the file, by Lexxika’s staff, linguists and clients.
Do you use Role-Based Access Control (RBAC)?
Yes. Access is granted on a “least-privilege” basis. Linguists have read-only, secured visibility of files once they have been allocated to a project, and this is instantly revoked on completion.
Why do you use a portal instead of email?
Email transfer opens up a range of risk factors: the risk of interception, the risk of documents being sent to an unintended recipient, the risk of documents simply disappearing, and the risk of data breach through fraud or identity cloning.
Our portal allows secure, encrypted file transfers and mitigates the risks of cyber-crime.
What data encryption standards do you use?
All data in transit is protected using 256-bit SSL/TLS encryption.
What is Lexxika’s policy for secure deletion and destruction of any documents once they are no longer needed?
We retain the documents for a short, pre-determined period. The maximum is a period of 30 days after completed translations have been downloaded.
Do Lexxika’s development partners also hold ISO certification?
Yes, our development partners also hold ISO 27001.
How do you manage vendors and third-parties to mitigate IT risks?
All vendors, suppliers and partners are screened for potential IT security impact. They are all subject to a contract that enforces compliance with our own policies and all regulatory responsibilities.
Do you perform due diligence on your partners?
Yes. All suppliers are vetted and due diligence is carried out.
Sign-up process
How are new Lexxika user accounts created?
New accounts must be created by Lexxika staff, and with the approval of our designated client manager.
This gives us the ability to pre-verify user accounts.
Are automated emails sent to users to confirm their registration?
Yes. All users are sent an email which they must confirm before they can access their account with their password.
Does Lexxika capture any financial data, such as credit card details?
No, we do not capture any data of this sort. No payments are processed through the portal.
What happens when one of your employees leaves the business?
Managers in your organisation can be given visibility of all team members. Adding or removing team members is instant and this gives you full control over which team members have access to Lexxika’s portal. Our help desk team is also happy to assist with this at any time. Using ADFS also puts you fully in charge of your staff’s access rights and they can be instantly barred by your own IT department.
When Lexxika’s staff leave the business, they are barred from our Active Directory and a protocol exists to ensure they lose all access to all business systems.
Is the portal pen-tested regularly?
Yes, we conduct pen testing annually.
Are all users provided with a privacy notice?
Yes, this is available to all users on the portal.
GDPR
Does Lexxika have an appointed Data Protection Officer?
Yes, we do. Our DPO is Mr Ryan Cracknell. Please get in touch and we’ll happily provide his contact details.
Do you process personal data?
Yes – in order to complete the medical translations, we do process personal data of the insured parties.
We also handle what is called “special categories” of personal data.
What personal data categories might be processed?
Ultimately, this is determined by the contents of the reports that you provide to us for translation. Examples would be:
- Name
- Age
- Date of Birth
- Address
- Occupation
- Marital Status
- Nationality
These details are processed only if they are contained within the medical reports provided, and they are irretrievably deleted once the translation has been completed, in accordance with the auto-deletion policy agreed with our client.
What special categories of personal data might be processed?
Ultimately, this is determined by the contents of the reports that you provide to us for translation. Examples would be:
- Racial or ethnic origin.
- Religious beliefs or other beliefs of a similar nature.
- Physical or mental health or condition.
- Sex life and sexual orientation.
- Genetic data and biometric data.
- Details of medical interventions and medical records.
- Details of prescribed medicines.
- Contents of police and coroners’ reports.
These details are processed only if they are contained within the medical reports provided, and they are irretrievably deleted once the translation has been completed, in accordance with the auto-deletion policy agreed with our client.
Are documents pseudonymised or redacted?
We strongly advise that clients pseudonymise or redact documents before providing them to Lexxika, to minimise any transfer of personal data. We realise that this is not always possible for clients to facilitate.
Who are the data subjects?
The data subjects are the insured parties, to whom the claim or supporting documentation relates.
As a processor, we have no direct relationship with the data subjects, and under no circumstances would we ever enter into direct communication with any data subject.
How does Lexxika process the data that we provide?
Lexxika will receive the document(s) requiring translation from the client via a secure online portal. This will then be reviewed by our team and made visible in a read-only, secure format for translation to an independent translator, via the portal.
The translator then sees an image of the document(s) and completes the translation within our interface (never downloading or saving the document(s)).
Once the translation is complete the translator permanently loses all access to the document(s) and the translation is reviewed by our team and returned to the client. The data and document never leave the portal environment.
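The access rules described in the Access Controls section and in the process above (one linguist at a time, read-only visibility only while allocated, access revoked on completion, clients alone download, and deletion a set period after download with a 30-day cap) can be modelled as a small state machine. The following is an added illustration, not Lexxika’s portal code; the class and method names are assumed, and the request data is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
MAX_RETENTION_DAYS, DEFAULT_RETENTION_DAYS = 30, 14  # hard cap and recommended window stated on the page

@dataclass
class Request:
    client: str
    doc: str
    linguist: str | None = None    # at most one linguist holds access at a time
    done: bool = False
    downloaded_at: datetime | None = None
    audit: list = field(default_factory=list)   # (actor, action) trail

class Portal:
    def __init__(self, retention_days=DEFAULT_RETENTION_DAYS):
        # a client may shorten the window but can never exceed the hard cap
        self.retention = timedelta(days=min(retention_days, MAX_RETENTION_DAYS))
        self.requests: dict[str, Request] = {}

    def _gate(self, r, actor, action, allowed):
        # every attempt, allowed or denied, lands in the audit trail
        r.audit.append((actor, action if allowed else action + ":denied"))
        if not allowed:
            raise PermissionError(f"{actor}: {action} not permitted")

    def upload(self, rid, client, doc):
        self.requests[rid] = Request(client, doc, audit=[(client, "upload")])

    def allocate(self, rid, linguist):
        r = self.requests[rid]  # one linguist at a time, never after completion
        self._gate(r, "staff", f"allocate:{linguist}", r.linguist is None and not r.done)
        r.linguist = linguist

    def view(self, rid, user):
        r = self.requests[rid]  # read-only: the allocated linguist, until completion
        self._gate(r, user, "view", r.linguist == user and not r.done)
        return r.doc

    def complete(self, rid, linguist):
        r = self.requests[rid]
        self._gate(r, linguist, "complete", r.linguist == linguist)
        r.done = True  # linguist access is revoked from this moment

    def download(self, rid, user, now):
        r = self.requests[rid]  # owning client only, once complete; linguists never
        self._gate(r, user, "download", user == r.client and r.done)
        r.downloaded_at = r.downloaded_at or now  # first download starts the clock
        return r.doc

    def purge_due(self, now):
        # irretrievable deletion once the window after first download has elapsed
        due = [k for k, r in self.requests.items()
               if r.downloaded_at and now >= r.downloaded_at + self.retention]
        self.requests = {k: r for k, r in self.requests.items() if k not in due}
        return due
```

Every denied attempt is recorded alongside allowed ones, which is what makes the audit trail usable for the anomaly review described under System Audit and Logging.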
Is Lexxika able to delete the data at the end of our contractual relationship?
Data is auto-deleted after every completed request, in accordance with our agreed policy. All data is assigned with a client ID, and we can delete all content relating to a given client easily, at any time.
We will have to retain basic transactional records for the purposes of tax and legal responsibilities, but this will never include personal data.
Where will the personal data be stored?
The personal data is stored on Microsoft Azure servers. These are located in the territory and jurisdiction specified by our clients. We are happy to house personal data on isolated servers in a wide range of jurisdictions, to support compliance for our clients.
Will personal data be transferred and processed outside the EEA?
Translators see a read-only, highly secured image of the document(s) uploaded by the client. The data never leaves the data centre. This data can be shown to linguists outside of the EEA.
Personal Data processed outside of the EEA is transferred under the standard contractual clauses approved by the European Commission.