
SOC 2, ISO 27001, and Translation Vendors: What Your Auditor Will Actually Ask

What SOC 2 and ISO 27001 auditors look for in translation vendors. Real questions, mapped controls, and an evidence checklist for audit prep.

Nicolai Schmid · 7 min read

You are preparing for your SOC 2 audit. You have documented your cloud providers, your email service, your CRM, your payment processor. Your vendor risk assessment spreadsheet has 40 rows.

Then your auditor asks: "What translation tools does your organization use, and how are they classified in your vendor inventory?"

If translation tools are not in your vendor inventory, you have a gap. And auditors are increasingly looking for exactly this gap, because they know employees use translation tools and they know most organizations have not evaluated them.

This post maps SOC 2 Trust Service Criteria and ISO 27001 Annex A controls to translation vendor requirements. It provides the specific questions auditors ask and the evidence you should have ready.

Why translation tools end up in audit scope

Translation tools become in-scope when they process, transmit, or store data that is covered by your compliance program. This includes:

  • Customer data — any content translated on behalf of or containing information about customers
  • Personal data — employee records, client PII, any data subject to GDPR or privacy regulations
  • Confidential business information — contracts, financial documents, strategic plans
  • Regulated data — healthcare records, financial data, data subject to industry-specific regulations

If your employees use a translation tool to process any of these data categories, that tool is a subprocessor. It must be evaluated, documented, and monitored — just like your cloud hosting provider or your email service.

The fact that employees self-provision translation tools (shadow IT) does not exempt the organization from compliance obligations. It makes the compliance problem worse, because the tool is in use without controls.

SOC 2 Trust Service Criteria mapped to translation

SOC 2 evaluates controls against five Trust Service Criteria. Here is how the criteria most relevant to translation vendors apply:

CC6: Logical and Physical Access Controls

What the auditor checks: who can access data processed by the translation tool?

Translation-specific concerns:

  • Can the vendor's employees access translated content?
  • Is there role-based access control within the vendor?
  • What authentication is required to access the translation service?
  • Are API keys or credentials managed securely?

Evidence to have ready:

  • Vendor's access control documentation
  • Confirmation of zero-access or minimal-access architecture
  • API key management procedures (if using an API)

CC6.7: Restriction of Access to System Components

What the auditor checks: how is data protected during processing and transmission?

Translation-specific concerns:

  • Is data encrypted in transit (TLS)?
  • Is data encrypted at rest (if stored)?
  • What happens to data in the translation pipeline — how many systems touch it?

Evidence to have ready:

  • Vendor's encryption documentation
  • Network architecture diagram showing data flow
  • Subprocessor list (every entity that touches the data)

CC7: System Operations

What the auditor checks: how does the vendor monitor and manage system operations?

Translation-specific concerns:

  • Does the vendor have incident detection and response?
  • How are system changes managed (change control)?
  • What monitoring exists for unauthorized access or data exfiltration?

Evidence to have ready:

  • Vendor's incident response plan
  • Change management procedures
  • Monitoring and alerting documentation

CC8: Change Management

What the auditor checks: how are changes to the translation service managed?

Translation-specific concerns:

  • How are model updates deployed? Could a model update change data handling behavior?
  • How are subprocessor changes communicated?
  • What testing occurs before production changes?

Evidence to have ready:

  • Vendor's change management policy
  • Subprocessor change notification process
  • Release management documentation

Confidentiality Criteria

What the auditor checks: how is confidential information protected?

Translation-specific concerns:

  • Is translated content classified as confidential by the vendor?
  • What is the retention policy? Is deletion verifiable?
  • Can the vendor distinguish between confidential and non-confidential translations?

Evidence to have ready:

ISO 27001 Annex A controls relevant to translation

ISO 27001 uses a risk-based approach with controls defined in Annex A. The most relevant controls for translation vendor management:

A.5.19: Information Security in Supplier Relationships

Requires establishing and maintaining information security within supplier relationships.

For translation vendors: you must assess the vendor's security posture, establish contractual requirements (DPA, no-training commitment, retention limits), and monitor compliance.

A.5.21: Managing Information Security in the ICT Supply Chain

Requires managing security across the supply chain, including subprocessors.

For translation vendors: identify all subprocessors in the translation pipeline. Ensure each subprocessor meets your security requirements. Document the supply chain.

A.5.23: Information Security for Use of Cloud Services

Requires specific controls for cloud service usage.

For translation vendors: translation tools are cloud services. They require the same evaluation framework: data location, access controls, encryption, incident response, and contractual commitments.

A.8.10: Information Deletion

Requires secure deletion of information when no longer needed.

For translation vendors: verify that translated content is deleted within a defined timeframe. Understand the difference between soft delete and hard delete. Confirm that deletion covers all copies (primary, backup, cache, logs).

A.8.11: Data Masking

Requires data masking where appropriate.

For translation vendors: consider whether sensitive data should be redacted before translation. This is particularly relevant for translations where not all content needs to be translated (e.g., redacting PII from a document before uploading).

What auditors actually ask

Based on real audit experiences, here are the questions you should be prepared to answer:

  1. "What translation tools do your employees use?" — you need a complete inventory, including unauthorized tools
  2. "Are these tools in your vendor risk assessment?" — if not, explain why and what you're doing about it
  3. "Do you have DPAs with these vendors?" — produce signed DPAs
  4. "What data is processed through translation tools?" — classification by data type
  5. "What is the vendor's retention policy?" — specific timeframes, not "they delete it"
  6. "Does the vendor use your data for training?" — contractual confirmation of no-training
  7. "Where is data processed?" — geographic location, not just "the cloud"
  8. "What access controls does the vendor have?" — who can see your data?
  9. "How would you detect unauthorized use of translation tools?" — DLP configuration, monitoring
  10. "What is the vendor's incident response process?" — SLA for breach notification

If you cannot answer these questions with documentation, you have a finding.
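Question 9 ("How would you detect unauthorized use of translation tools?") is the one item on this list that needs more than a document. The script below is an added illustration, not code from noll or from the original post: it reconciles web-proxy log lines against a vendor inventory and reports every user who uploaded content to a translation service that has not been through risk assessment. All domains, users and log lines are constructed placeholders; the inventory dictionary stands in for whatever your GRC register exports. The report it produces is exactly the artifact the auditor wants behind question 1 (the inventory of known unauthorized tools) and question 9 (the monitoring).

```python
"""Reconcile proxy-log traffic against the approved translation-vendor inventory.

Added example for this article (not noll's code). Every host, user and log
line below is a constructed placeholder.
"""
from dataclasses import dataclass

# Hypothetical translation services and their status in the vendor inventory.
# In practice this dictionary is exported from the GRC vendor register.
TRANSLATION_SERVICES = {
    "translate.approved-vendor.example": "approved",
    "api.approved-vendor.example": "approved",
    "translate.unvetted-vendor.example": "not assessed",
    "free-translate.example.net": "not assessed",
}

# Constructed proxy log: timestamp user method host bytes_sent http_status
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice POST api.approved-vendor.example 48211 200
2024-05-01T09:05:43Z bob   GET  cdn.example.com 1200 200
2024-05-01T09:07:02Z bob   POST translate.unvetted-vendor.example 312440 200
2024-05-01T10:15:19Z carol POST free-translate.example.net 90210 200
2024-05-01T10:16:00Z bob   POST translate.unvetted-vendor.example 77120 200
2024-05-01T11:30:44Z alice GET  translate.approved-vendor.example 900 200
"""


@dataclass
class Finding:
    """One (user, host) pair that sent traffic to an unapproved translation service."""
    user: str
    host: str
    inventory_status: str
    first_seen: str
    last_seen: str = ""
    uploads: int = 0        # POST requests = content leaving the organization
    bytes_sent: int = 0


def parse_line(line):
    """Parse one whitespace-separated proxy record into a dict."""
    ts, user, method, host, bytes_sent, status = line.split()
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host.lower(), "bytes_sent": int(bytes_sent),
            "status": int(status)}


def scan_proxy_log(text, inventory=TRANSLATION_SERVICES):
    """Return {(user, host): Finding} for traffic to known translation hosts
    whose inventory status is anything other than 'approved'.

    Hosts absent from the inventory are ignored: the detection is only as
    good as the list of translation services you maintain, which is why the
    inventory (question 1) comes before the monitoring (question 9).
    """
    findings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        status = inventory.get(rec["host"])
        if status is None or status == "approved":
            continue
        key = (rec["user"], rec["host"])
        f = findings.setdefault(
            key, Finding(rec["user"], rec["host"], status, first_seen=rec["ts"]))
        if rec["method"] == "POST":
            f.uploads += 1
            f.bytes_sent += rec["bytes_sent"]
        f.last_seen = rec["ts"]
    return findings


def unauthorized_hosts(findings):
    """Distinct unapproved services seen in use: the 'known unauthorized' half
    of the inventory row in the evidence checklist."""
    return sorted({f.host for f in findings.values()})


def report(findings):
    """Human-readable evidence lines, one per (user, host)."""
    lines = []
    for f in sorted(findings.values(), key=lambda x: (x.host, x.user)):
        lines.append(f"{f.host} [{f.inventory_status}] user={f.user} "
                     f"uploads={f.uploads} bytes={f.bytes_sent} "
                     f"first={f.first_seen} last={f.last_seen}")
    return lines


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    print("Unapproved translation services in use:", unauthorized_hosts(found))
    for line in report(found):
        print(line)
```

Run as a scheduled job against the previous day's proxy export and keep the output with the audit evidence: the same report, with zero rows, is what demonstrates that the monitoring control operates. The approved-vendor traffic from alice is deliberately not reported; the point of the reconciliation is the gap between what is used and what has been assessed, not translation usage as such.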

Evidence checklist

Prepare this evidence package before your audit:

| Evidence | Source | Status |
| --- | --- | --- |
| Translation tool inventory (approved + known unauthorized) | IT Security | |
| Vendor risk assessment for each tool | GRC team | |
| Signed DPA for each approved tool | Legal / Procurement | |
| No-training confirmation (contractual) | Vendor documentation | |
| Retention policy with specific timeframes | Vendor documentation | |
| Data residency confirmation | Vendor documentation | |
| Subprocessor list | Vendor documentation | |
| Access control documentation | Vendor documentation | |
| Incident response SLA | DPA / Vendor documentation | |
| Internal translation policy | IT Security / Compliance | |
| DLP configuration for translation tool monitoring | IT Security | |
| Employee awareness training materials | HR / Security | |

When a vendor doesn't have SOC 2 or ISO 27001

Not every translation vendor has enterprise certifications. Smaller vendors, including noll, may not have SOC 2 or ISO 27001 yet.

This does not automatically disqualify them. What it means is:

  1. You need compensating controls. If the vendor can't provide a SOC 2 report, you need alternative evidence: published security documentation, architectural descriptions, data handling policies, and a DPA.

  2. The architecture matters more. A vendor with zero-retention, zero-access architecture and no SOC 2 may present lower risk than a vendor with SOC 2 that retains content for 30 days. Evaluate the actual risk, not just the certificate.

  3. Document your reasoning. If your risk assessment concludes that a non-certified vendor is acceptable for your use case, document why. Reference the specific architectural controls that mitigate the risks the certification would cover.

  4. Reassess periodically. What's acceptable for a startup vendor today may not be acceptable as your organization's compliance requirements mature. Build reassessment into your vendor management cycle.

Takeaways

  • Translation tools are subprocessors that fall within SOC 2 and ISO 27001 audit scope
  • Auditors are increasingly asking about translation tools specifically because they know shadow IT usage is widespread
  • SOC 2 criteria (access controls, operations, confidentiality) and ISO 27001 controls (supplier management, cloud security, deletion) all apply
  • Prepare a 12-point evidence package before your audit
  • Vendors without certifications can still be acceptable — evaluate architecture and compensating controls, and document your reasoning
