Due Diligence Reviews (DDRs)

Due diligence reviews are systematic evaluations that organizations conduct to assess the risks associated with suppliers, vendors, or business partners. For language services companies, this means evaluating freelance translators, agencies, or technology providers before establishing working relationships.

What is a Due Diligence Review?

A due diligence review investigates whether a potential vendor has:

  • Appropriate security policies and procedures
  • Financial and legal stability
  • Adequate insurance and legal protections
  • Necessary certifications or qualifications
  • Processes for handling confidential information
  • Contingency plans for business disruptions

Why it matters: According to Agostino Carrideo in Vendor Management: An Insider’s Strategies to Win and Create Long Lasting Change, failing to conduct due diligence reviews exposes organizations to significant risks, including:

  • Legal liability if suppliers don’t meet regulatory standards
  • Reputational damage if confidential information is mishandled
  • Business disruption if suppliers fail unexpectedly
  • Financial losses from security breaches or quality failures

Red Flags in Vendor Due Diligence

Carrideo identifies critical warning signs when evaluating vendors:

Security Red Flags

- No processes for protecting confidential information
- No formal security policy
- No risk assessment or management procedures
- No periodic security auditing
- No contingency plans for disruptions

Financial/Legal Red Flags

- Prior bankruptcies or ongoing legal issues
- Poor credit ratings
- Unclear organizational structure
- Lack of appropriate insurance coverage

Due Diligence for Translation Vendors

The challenge: If language services companies disqualified every freelance translator who demonstrated one of the red flags listed above, they would eliminate most available talent. Many freelance translators:

  • Work as individuals without formal security policies
  • Don’t conduct formal risk assessments
  • May not have contingency plans documented
  • Operate as sole proprietors with limited organizational structure

The balance: Rather than automatically disqualifying vendors with red flags, organizations must:

  1. Assess proportionality: Match security requirements to the sensitivity of the work
  2. Provide support: Help vendors develop appropriate safeguards
  3. Implement contracts: Use NDAs and service agreements to establish legal protections
  4. Create tiers: Categorize vendors by capability and assign work accordingly
  5. Monitor ongoing performance: Regular reviews rather than one-time assessments

DDR Review Schedule

Due diligence isn’t a one-time activity. Carrideo recommends ongoing reviews tailored to each supplier:

  • Established, stable providers: Annual reviews may be sufficient
  • Newer providers or those handling sensitive data: Quarterly or semi-annual reviews
  • High-risk or critical suppliers: More frequent monitoring

Activity: DDR Self-Evaluation

Complete this self-evaluation to assess your readiness as a potential vendor in the language services industry. This activity helps you:

  • Identify security gaps in your current practices
  • Understand what clients look for when vetting translators
  • Develop a plan for professionalizing your operations
  • Recognize where you need additional resources or support

Instructions: Work through each section honestly. Note areas where you don’t meet best practices—these become your professional development priorities.

Part 1: Technology Basics

Before beginning, you may want to review Top 10 Tech Security Basics Every Person Should Follow by Lifehacker to familiarize yourself with fundamental security concepts.

Router Security

According to Bradley Mitchell of Lifewire, “Most routers ship from the manufacturer with a default password built-in. The password is easy to guess[, so]… [i]f you don’t change the password to your router, then anyone with access to it can change its settings and even lock you out.” According to Elsie Otachi of Help Desk Geek, “changing the SSID [wifi] name may keep network attackers or hackers away as it indicates the particular router is more carefully managed compared to routers using generic default SSIDs.”

  • Best Practice: Change the administrator password (and, where the router allows it, the administrator username) from the factory default
  • Best Practice: Change your wifi network name (SSID) from the default

Changing the SSID is a signal, not a control: the network name is broadcast to everyone in range, so it deters only by suggesting the router is actively managed. The actual protection comes from enabling WPA2 or WPA3 with a strong, unique wifi passphrase, keeping the router's firmware updated, and disabling remote (internet-side) administration.

Device Protection

  • Best Practice: Install anti-virus protection on all devices that access or store client intellectual property
  • Best Practice: Install malware protection on all devices
  • Best Practice: Install spyware protection on all devices

On current operating systems these three are usually one anti-malware product. What matters is that it is installed on every device you list in question 3 below, that its updates are switched on, and that the operating system and applications on those devices are also kept patched, since unpatched software is a common way malware gets in.

Self-Assessment Questions:

  1. Have I changed my router’s default administrator password?
  2. Have I changed my wifi network name (SSID)?
  3. On which devices do I access or store confidential client information? (Desktop, laptop, tablet, phone, cloud storage, external hard drive, private server?)
  4. Do I have anti-virus, malware, and spyware protection on all my devices through which I access or store confidential client information?

Important Note: As Boxcryptor reminds us, “There is no cloud. It’s just someone else’s computer.” Consider carefully where you store client data.

Part 2: Translation-Specific Security

Translation Memory Management

Mixing confidential intellectual property from various clients in a single translation memory can violate non-disclosure agreements: a fuzzy match drawn from one client's segments can surface verbatim in another client's deliverable, and a shared TM cannot be returned or deleted for one client without touching the others.

  • Best Practice: Maintain separate translation memories for each client
  • Best Practice: Establish clear procedures for managing glossaries, termbases, and style guides

Self-Assessment Questions:

  1. Do I house translations for multiple clients in a single TM, or do I keep them separate?
  2. How do I organize and protect client-specific glossaries, termbases, and style guides?
  3. What happens to client materials when a project ends? Do I have a data retention policy?

Part 3: Data Protection Measures

Safeguarding Client Information

Common data protection measures include:

  • Password protection: Using strong, unique passwords for files and systems, ideally generated and stored in a password manager
  • Encryption: Transforming data so that it cannot be read without the key; full-disk encryption protects files at rest on a lost or stolen device, and TLS (https) or an encrypted file-transfer service protects them in transit
  • Private storage: Keeping sensitive files in secure, non-public locations, not in shared folders, public links, or unmanaged personal cloud accounts
  • Access controls: Limiting who can view or edit specific information, both in shared tools and on your own devices (separate user accounts, file permissions)

Self-Assessment Questions:

  1. Which data protection measures do I currently use?
  2. How do I protect files in transit (when sending them to clients)?
  3. How do I protect files at rest (when stored on my devices)?
  4. If someone gained access to my computer, could they easily access client files?
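Question 4 above has a checkable form on a shared or multi-user computer: do the permission bits on your client files let other accounts on the same machine read them? The script below is an added example, not part of the original page. It builds a constructed `clients/` tree in a temporary directory (the client names `acme` and `globex` and the file names are invented), flags every file or folder that group members or all users can access, then tightens everything to owner-only and re-checks. It assumes a Unix-style system (Linux or macOS) where Python's `os.chmod` sets real permission bits; it does not replace full-disk encryption, which is what protects the files if the whole device is taken.

```python
"""Audit a client-files directory for entries that other accounts on the same
machine could read or modify (added example; not from the original page)."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed sample layout: relative path -> permission bits to set.
# The 0o644 and 0o660 entries are deliberately too permissive.
SAMPLE_FILES = {
    "clients/acme/contract_de.docx": 0o600,  # owner only: fine
    "clients/acme/acme.tmx": 0o644,          # readable by every account on the machine
    "clients/globex/glossary.csv": 0o660,    # readable and writable by the group
}


def build_sample_tree(root: Path) -> None:
    """Create the constructed files and lock every directory to the owner."""
    for rel, mode in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample content\n")
        os.chmod(path, mode)
    for entry in root.rglob("*"):
        if entry.is_dir():
            os.chmod(entry, 0o700)


def audit_permissions(root: Path) -> list[tuple[str, str]]:
    """Return (relative path, problem) for every entry under root whose
    permission bits grant group or other accounts any access at all."""
    findings = []
    for path in root.rglob("*"):
        mode = stat.S_IMODE(path.stat().st_mode)
        rel = path.relative_to(root).as_posix()
        if mode & stat.S_IRWXO:       # any read/write/execute bit for "other"
            findings.append((rel, f"accessible to all users (mode {mode:04o})"))
        elif mode & stat.S_IRWXG:     # any bit for the group
            findings.append((rel, f"accessible to group members (mode {mode:04o})"))
    return sorted(findings)


def tighten(root: Path) -> None:
    """Remediate: owner-only access for files (0600) and directories (0700)."""
    for path in root.rglob("*"):
        os.chmod(path, 0o700 if path.is_dir() else 0o600)


def run_demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    """Build the sample tree, audit it, fix it, audit again; return both reports."""
    root = Path(tempfile.mkdtemp(prefix="ddr-audit-"))
    try:
        build_sample_tree(root)
        before = audit_permissions(root)
        tighten(root)
        after = audit_permissions(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    for rel, problem in before:
        print(f"FLAGGED  {rel}: {problem}")
    print(f"after tightening: {len(after)} findings")
```

To audit a real folder, call `audit_permissions(Path.home() / "clients")` and review the list before running `tighten` on it; the remediation sets every file to 0600, which is right for documents and TMs but would strip the execute bit from any scripts you keep in the same tree.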

Part 4: Security Policies and Procedures

Ongoing Security Management

Professional vendors conduct regular risk assessments and security checks to identify vulnerabilities before they become problems.

Privacy Policies

Under many international data security laws, processors of personally identifiable information must have a privacy policy that discloses:

  • Where confidential information is stored
  • How it is protected
  • How it can be destroyed upon request
  • Who has access to it

Privacy Policy Levels:

  • 🟢 Excellent: Formal privacy policy updated annually
  • 🟡 Good: Formal privacy policy updated within last 5 years
  • 🟠 Needs Improvement: Formal privacy policy last updated more than 5 years ago
  • 🔴 Insufficient: Informal privacy policy or no privacy policy

Self-Assessment Questions:

  1. Do I conduct regular risk assessments of my security measures?
  2. Do I have documented procedures for handling security incidents?
  3. Do I have a privacy policy? When was it last updated?
  4. If a client asked to see my privacy policy, could I provide one?

Part 5: Contingency Planning

Working Environment

  • Avoid: Working with confidential client information on public wifi networks (coffee shops, airports, hotels)
  • Better: Use a mobile hotspot from your cellular phone when working in public spaces

Exception: In countries without affordable universal internet access, working at internet cafés may be necessary. In these cases, use additional security measures like VPNs and encryption.

Data Backup

Regular backups protect against data loss from hardware failure, theft, or accidents. A backup only counts once it has been checked: keep at least one copy off the working device, and verify periodically that the copy is complete and can actually be restored.

Device Loss or Theft

Modern devices can be remotely wiped to prevent unauthorized access to sensitive information if lost or stolen, but only if the feature (for example Find My on Apple devices or Find My Device on Android and Windows) was enabled beforehand and the device comes back online. Full-disk encryption protects the data even when the wipe command never arrives, so enable both.

Self-Assessment Questions:

  1. Do I ever work with client files on public wifi networks?
  2. What is my data backup process? How frequently do I back up important files?
  3. If my computer crashed today, could I still meet my deadlines? What is my backup plan?
  4. If I lost my laptop or phone, what would happen to the client information stored on it?
  5. Can I remotely wipe my devices if they’re lost or stolen?
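Questions 2 and 3 above are answered by a backup you can prove is intact. The script below is an added example, not from the original page: it copies a constructed `clients/` tree (the `acme` and `globex` client names and file contents are invented) into a backup folder, writes a manifest of SHA-256 hashes, then verifies the backup against the manifest, which catches both a silently corrupted file and a missing one. It uses only the Python standard library and assumes a local filesystem destination; it covers integrity, not confidentiality, so the backup medium itself still needs to be encrypted.

```python
"""Backup with a SHA-256 manifest and a verify step (added example; not from
the original page)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large TMs do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(source: Path, dest: Path) -> dict[str, str]:
    """Copy every file under source into dest, preserving the per-client folder
    layout, and record {relative path: sha256} in dest/MANIFEST.json."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)   # hash the copy, not the original
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify(dest: Path) -> dict[str, str]:
    """Re-hash the backup against its manifest. Returns {relative path: problem}
    for anything missing or altered; an empty dict means the backup is intact."""
    manifest = json.loads((dest / MANIFEST_NAME).read_text())
    problems: dict[str, str] = {}
    for rel, expected in manifest.items():
        target = dest / rel
        if not target.exists():
            problems[rel] = "missing"
        elif sha256_of(target) != expected:
            problems[rel] = "hash mismatch"
    return problems


def run_demo() -> tuple[dict[str, str], dict[str, str], dict[str, str]]:
    """Back up a constructed tree, verify it, damage the copy, verify again."""
    work = Path(tempfile.mkdtemp(prefix="ddr-backup-"))
    try:
        src, dst = work / "clients", work / "backup"
        (src / "acme").mkdir(parents=True)
        (src / "acme" / "acme.tmx").write_bytes(b"<tmx>constructed sample</tmx>")
        (src / "globex").mkdir()
        (src / "globex" / "glossary.csv").write_bytes(b"term,translation\n")

        manifest = backup(src, dst)
        intact = verify(dst)

        # Simulate bit rot or tampering on the backup medium, and a lost file.
        (dst / "acme" / "acme.tmx").write_bytes(b"<tmx>corrupted</tmx>")
        (dst / "globex" / "glossary.csv").unlink()
        damaged = verify(dst)
    finally:
        shutil.rmtree(work)
    return manifest, intact, damaged


if __name__ == "__main__":
    manifest, intact, damaged = run_demo()
    print(f"{len(manifest)} files backed up; problems on first check: {intact}")
    print(f"problems after damage: {damaged}")
```

Run `backup(Path.home() / "clients", Path("/media/backupdrive/clients"))` on a schedule and `verify` on the destination before you rely on it; a non-empty result from `verify` is the moment to re-copy, not the day a laptop dies.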

Data Security Improvement Planning

After completing this self-evaluation:

  1. Identify Your Strengths: Which areas are you already handling well?
  2. Prioritize Improvements: Which gaps pose the highest risk or are easiest to address?
  3. Create a Timeline: What can you implement this week? This month? This year?
  4. Seek Resources: Where do you need help or additional tools to improve your security?

Remember: The goal isn’t perfection, but continuous improvement. Even small steps toward better security practices demonstrate professionalism and protect both you and your clients.

Key Terminology

  • Vendor Management: Systematic process for selecting, monitoring, and maintaining relationships with suppliers
  • Contingency Planning: Preparing backup plans for business disruptions, technology failures, or other crises
  • Default Password: Pre-configured password that comes with new devices or software; should always be changed
  • SSID (Service Set Identifier): The name of a wifi network; changing it from the default signals an actively managed router but is not itself a security control
  • VPN (Virtual Private Network): Technology that creates a secure, encrypted connection over a less secure network
  • Remote Wipe: Feature that allows you to delete all data from a device remotely if it’s lost or stolen, provided it was enabled in advance

Self-Reflection

As you work through the DDR self-evaluation, consider these questions:

  1. Future Preparedness: What specific security measures do you need to implement before you can ethically accept professional translation work involving confidential information? Create a prioritized list of steps to take in the next 6-12 months.
  2. Resource Constraints: Many of the “best practices” described assume access to resources (multiple devices, paid software, private servers). How can you balance ideal security practices with practical constraints as a student or emerging professional?
  3. Professional Standards: After reviewing what clients look for in vendors, how does your current setup compare? What investments (time, money, learning) would give you the best return in terms of professional readiness?
  4. Client Communication: If a potential client asked about your data security practices today, how would you respond? Would you feel confident explaining your measures, or would you need to defer work until you improved your systems?
  5. Continuous Improvement: Security isn’t a one-time achievement but an ongoing practice. How can you build regular security reviews into your professional routine? What triggers should prompt you to update your practices?

📥 Download this Content

Find this file on our repo and download it.

🤖 GAI Study Prompts

Copy the downloaded content and try it with these prompts:

  • “I completed a DDR self-evaluation and identified these security gaps: [list gaps]. Help me create a realistic action plan to address these issues, prioritized by risk level and ease of implementation.”
  • “Explain the difference between encryption, password protection, and access controls. When should I use each one?”
  • “Help me create a simple privacy policy appropriate for a freelance translator. What key elements must it include?”
  • “I’m a student with limited budget. What are free or low-cost security tools I can implement now to protect client data?”
  • “Walk me through what ‘separate translation memories for each client’ means in practice. How would I organize my files and folders?”
  • “What questions should I ask a translation agency about their security practices before agreeing to work with them?”
  • “Create a checklist I can use to audit my own security practices quarterly. What should I review regularly?”
  • “Help me understand the relationship between NDAs, confidentiality agreements, and due diligence reviews. How do they work together?”
  • “I use [specific cloud service] to store translation files. What security settings should I enable? What are the risks?”

Next: Business Technology Quick Start Guide Assignment


Copyright © 2026 LocEssentials. Course materials for educational use.
