Compliance · security · audit
Audited, certified, current.
OndLingua operates as a regulated processor under UK GDPR, EU GDPR and US HIPAA. We renew on schedule, publish certificates on request, and ship an audit pack with every onboarding.
01Certifications
Eight certifications, six live today.
Every line below is honest about its current status — valid, in progress under audit, or formally on the roadmap. We publish renewal dates as we receive them.
GDPR
EU / UK data protection
Data Processing Agreement (DPA), Records of Processing (ROPA), SCCs for international transfers. EU and UK representatives on file.
Compliant · audited Mar 2025
EU 2016/679 · UK GDPR
Scope · EU + UK
ISO 27001
Information security
Full ISMS — risk register, access control, change management and supplier review. Stage 1 audit complete; Stage 2 audit scheduled.
On roadmap · Stage 2 audit Q3 2026
BSI · ISO/IEC 27001:2022
Scope · Global
DSPT
NHS Data Security & Protection
Standards Met for the current year — covers data flows, training, breach response and supplier assurance across all NHS engagements.
Standards met · renewed annually
NHS Digital
Scope · UK NHS
Cyber Essentials Plus
Government cyber baseline
External and internal testing of perimeter, endpoint hardening and patch posture. Renewed every twelve months under the IASME-NCSC scheme.
Certified · valid to Feb 2027
IASME · NCSC scheme
Scope · UK government
HIPAA
US healthcare data
Business Associate Agreement (BAA) available for US covered entities. Administrative, physical and technical safeguards mapped to 45 CFR 160 / 164.
Compliant · BAA on request
BAA · US covered entities
Scope · US healthcare
SOC 2 Type II
Service Organization Controls
Trust Services Criteria — security, availability, processing integrity, confidentiality. Twelve-month observation window in progress.
In progress · audit Q4 2026
AICPA-aligned auditor
Scope · US / Global enterprise
ISO 9001
Quality management
Service delivery, interpreter recruitment and QA workflows independently audited. Closed-loop corrective action and continuous improvement.
Certified · valid 2025
BSI · ISO 9001:2015
Scope · Global
PCI DSS
Payment card data
Self-Assessment Questionnaire (SAQ-A) — payment card data is fully outsourced to PCI Level-1 processors; no card data touches OndLingua systems.
SAQ-A · current attestation
PCI SSC
Scope · Global
Vendor assessment
Request the assurance pack.
Sent under NDA within one working day to your DPO or security team.