Episode Transcript
[00:00:03] Speaker A: Hello and welcome to Localization Today, where we explore how language, technology and community converge to unlock ideas for everyone everywhere. I'm Eddie Arrieta, CEO here at Multilingual Media. Today's episode takes us into one of the most critical but often overlooked aspects of translation technology: enterprise security. Translation workflows handle some of the most sensitive content imaginable: contracts, critical trials and M&A documents. And enterprises are demanding stronger guarantees of trust, compliance and resilience. To unpack what this means, I'm joined by Adam Clark, Chief Information Security Officer at memoQ. With over a decade of IT and security leadership, Adam has overseen 24/7 operations centers, trained teams on agile transformation and led organizations through rigorous certifications. And memoQ is spearheading the journey to SOC 2, setting a new bar for enterprise-grade security in translation technology. Adam, welcome and thank you for being here.
[00:01:16] Speaker B: Thank you for having me, Eddie.
[00:01:18] Speaker A: Absolutely. Adam, of course this is one of the topics that for Multilingual magazine and for our audience is very attractive, very interesting when we look into regulated industries. Can you tell us a little bit more about why is enterprise security such a critical issue for translation workflows today?
[00:01:37] Speaker B: Absolutely.
So as you can imagine, translation systems process a high amount of information.
These kinds of information can range from large volumes of confidential data, business data, sensitive data, and it's very important for us to provide such a service where our clients can feel their data is in safe hands.
[00:02:10] Speaker A: That's great, Adam. Of course it comes with some of the, let's say, the add-ons of these, call it regulated industries. The add-on is that you will have sensitive documents. The add-on is that you will have to really pay attention to what kinds of sensitive documents and risk are typically at play in this type of documents that you see.
[00:02:36] Speaker B: Imagine that through our systems, organizations translate legal contracts, NDAs, marketing materials, materials that are not even out yet to the public. And we have to make sure that we secure these documents, like M&A documents, HR files full of sensitive data, personal data.
[00:03:04] Speaker A: And this data of course looks into standardization in a way to make sure that security is put in place for those. I was very, and I'm still very, unfamiliar with what SOC 2 is, even Type 1 or Type 2. But what exactly is SOC 2, and why do specifically US enterprises demand it today?
[00:03:26] Speaker B: So I would say, to put it simply, and it's maybe an oversimplification, SOC 2 is like a graduation exam or a language certificate for businesses.
The abbreviation stands for System and Organizational Controls.
And this is a standard way of looking at our, or looking at security and organizational controls.
The output of a SOC 2 audit, maybe I'm ahead of myself, but the output of it is a so-called SOC 2 report or audit report. And compared to other certificates it's a very detailed document, loaded with different kinds of control information, which gives a standard way for our prospects to have a look at our security controls and organizational controls. So we don't have to fill out security questionnaires in the future. We just hand out the audit report created, or reviewed and created, by a third-party audit organization.
And our prospects and clients will have a clear understanding about our security maturity.
[00:04:57] Speaker A: And in that conversation there is, I believe, a Type 1 and a Type 2 SOC 2.
What are the differences? What is Type 1 for? What is Type 2 for? And I believe you are in Type 1, correct?
[00:05:12] Speaker B: Yes, absolutely.
In August we went through the so-called Type 1 audit.
And I have to mention that there are certain domains within the SOC 2 certifications.
These domains are called trust services criteria. There is security, availability, processing integrity, confidentiality and privacy.
And what the auditor does during these reviews is that in each domain they have a set of questions, and there is a set of controls to which an organization needs to align. They ask a set of questions related to these controls and collect evidence. During the Type 1 audit, the auditor gets a snapshot of our security and organizational controls.
We have to make sure, or they need to make sure, they check if the policies and procedures are in place, and they collect a sample on those policies and procedures. So for example, if we say that we have a security incident management policy, they have a look at our policy, have a look at how we have set up that process and what the key cornerstones of that policy are. And afterwards they look at a few examples to make sure that there is evidence or artifacts related to that process.
During the Type 2 review, providing one or two examples for these controls or processes is not enough.
Together with the auditor, we have to identify a time frame.
It can be a 3-month, 6-month or 12-month-long time frame. And during that time frame, we need to make sure that we align to our processes and are aligned to the SOC 2 controls.
So instead of the auditor asking for just one or two examples for the specific control, they would ask for all the examples in the period defined. So in this case, let's say we are talking about incident management. We would need to provide all the security incidents that were handled during that period. This makes sure, this sampling process makes sure, that we are able to maintain the process that is defined as a guideline by SOC 2 and, internally for ourselves, defined by a policy. Thank you, Adam, for I hope it was.
[00:08:19] Speaker A: It is clear. And of course this means that there are many changes inside of memoQ that need to happen to make sure that all these steps are understood by your team, but also that they are well communicated with your clients or your partners. What challenges did memoQ face in achieving this SOC 2 Type 1?
[00:08:42] Speaker B: To begin with, we started our journey, let's say, two years ago. I joined the company and I had to first do an assessment on where we are, and there are multiple processes, multiple controls defined by SOC 2.
And I need to, I had to identify the gaps, where we need to improve, where we need to provide more resources and focus on. And I would say the first challenge was this, to identify what's missing.
And from that we started to work on the different controls and areas and wanted to or started to make sure that we are aligning to SOC 2.
And usually there is a comparison in this industry between an international standard called ISO 27001 and SOC 2. And ISO 27001 provides a framework for security management systems. It's not too specific, so it's not detailing, hey, you need to have this kind of encryption or you need to have this kind of network setup, but it's just a set of guidelines. SOC 2 is a little bit more, how should I say it, more precise in its requirements. But there are some cases where we need to figure out how to align to that more specific requirement. We need to figure out if a central change management system is required or not, or if we need to set up different change management systems for the different departments, if we need to have this or that kind of vulnerability management process set up.
So even if everything is set on paper, set in stone, we have to figure out how to do these activities.
[00:11:01] Speaker A: Thank you. Of course, like I mentioned, this means something for your team. What was it like for your team to actually become certified, to put it that way, to be able to do SOC 2 Type 1? What does it mean for the team? What is it like?
[00:11:17] Speaker B: At the beginning, I focused on setting up the necessary conversations, setting up the necessary set of meetings and communication channels with the different teams, and this kind of continuous communication with everyone, with the IT services team, with the development team, with the compliance team. I believe this provided a very good framework, on top of which we started to focus on these different processes and controls we had to set up. So I believe, to answer your question, it was overwhelming and stressful for the teams at the beginning, but I wanted to make sure that I informed the teams, I wanted to keep everyone in the loop, and from there I had to communicate the requirements and we started from there. But I believe I have to mention a very important point in our journey and how it was for the team. I think we made a big leap this year when we introduced a GRC platform. GRC stands for governance, risk and compliance. And we have this. I believe it's now an industry standard to collect every compliance-related requirement in one single platform. Because, for example, ISO 27001 talks about access management and SOC 2 has requirements about access management too. And in the case of GDPR, there are some elements we need to consider when it comes to access management.
So we have multiple different kinds of requirements, different frameworks, guidelines, laws and regulations we need to align to. And after a certain point it makes sense to introduce a GRC platform. This is what we did, and it made our lives much, much, much easier because it provided even more clarity as to what is required by SOC 2. I think at that point the team was able to get relieved a bit. But at the beginning it was stressful.
[00:13:53] Speaker A: I can't imagine. I mean, this is a very important topic, especially in these times where right now we believe we're in the times of AI. Eventually this is going to be just like any other thing, right? Like today we don't say we're in the times of the Internet; the Internet is there. And similarly it's going to happen with artificial intelligence. And if you can give us a few words around why now is the time for enterprises to make security a top priority? And of course it's related to everything that's happening around artificial intelligence. But why is now the time for them to focus on security?
[00:14:29] Speaker B: If we have a look at the big players in the industry, we can see that it's getting even more important than it ever was. If you just look at the investments on, for example, Microsoft's side, security became one of the top corporate priorities. And even if we don't experience the security issues ourselves, even if you just look outside, you see it is getting more and more important.
But if I look at the everyday issues and if I examine what's possible and try to think ahead, we can quickly identify that the kinds of attacks we have to face and defend ourselves against are getting more and more complex, even as complex.
I believe we are far past this point, but the attacks are getting so complex that we cannot act on the attacks as a human being, even if we are at the top of the game with a large amount of technical knowledge. We have some sort of assisting systems in place, and we have started this kind of looking ahead and investigation quite early on.
For example, when Microsoft started to offer Security Copilot, which is an AI solution specifically for handling security issues and incidents, we almost immediately started to have a conversation with Microsoft if it would be possible and feasible for us to use it. So I think it's very important to try to look ahead, try to look at the, look into the crystal ball and see what's coming and try to prepare.
The types of attacks that are possible are straight out of a sci-fi movie, I would say: AIs or LLMs trying to impersonate someone and communicate on behalf of someone.
It's not just an imaginary situation, it can happen.
And with the emergence of AI video generation and voice generation as well, it's getting more and more frightening.
[00:17:16] Speaker A: Yes, but I believe, yes, please go, please continue.
[00:17:19] Speaker B: But I believe with a certain caution we can be ahead of not the competition, but ahead of the attackers.
[00:17:29] Speaker A: And Adam? Yes, I mean the future is now and the future is today.
You are certainly thinking about the future. As you mentioned, SOC 2 Type 1 was achieved in August.
Are you of course looking into SOC 2 Type 2? What are the plans? What does the future look like for your team in terms of security?
[00:17:48] Speaker B: Absolutely, absolutely. We are right in the middle of the preparation for SOC 2 Type 2.
The audit process will start in a month.
So we are looking forward to it.
We utilize every tool and resource we can to make sure that everything is in place for the audit. And after SOC 2 Type 2 I would like to really solidify what we have and look at these other regulations and requirements I have started to mention. So for example, there is a lot of work around AI in the EU. There's a so-called AI Act, and I have to review the security aspects of it, and we are basically going to focus on solidifying the current security systems we have and improving, preparing for AI, quantum encryption or quantum-proof encryption methods. So yes, there's a huge amount of work ahead of us, but now the main priority is SOC 2 Type 2.
[00:19:10] Speaker A: Of course today we have a better understanding of what SOC 2 is, Type 1 and Type 2. Adam, before we go, are there any final thoughts, any final comments that you want to share with us, with the audience, with your team?
[00:19:23] Speaker B: I think I mentioned it partially, and I don't want to advertise anything, but it's really important to set up our GRC platform or, if it's not feasible, maybe use another third-party GRC platform, because it gives clarity. And I think this is the most important part: to have clarity, to have a solid baseline, to have a system in place which helps our work and helps our compliance and security efforts.
[00:20:06] Speaker A: All right, Adam, thank you so much for your time today.
[00:20:08] Speaker B: Thank you, Eddie.
[00:20:13] Speaker A: All right, all right, all right, all right.
Thank you for listening to Localization Today. A special thank you once again to Adam Clark for joining us and breaking down what SOC 2 means, why enterprise security in translation can't be ignored, and how memoQ is setting a new standard for trust and compliance. Catch new episodes of Localization Today on Spotify, Apple Podcasts and YouTube. Subscribe, rate and share so others can find the show. I'm Eddie Arrieta with Multilingual Media. Thanks for joining us. Until the next time, see you soon.