If you are buying transcription or caption services, review privacy and security terms before you sign. A good procurement checklist helps you compare vendors on the issues that matter most: the data processing agreement, confidentiality, subprocessors, data location, retention and deletion, and breach notification.
This guide gives you a practical checklist, questions to ask vendors, and red flags that should pause procurement. It is written for teams that handle interviews, meetings, legal content, medical files, research data, or any audio and video with sensitive information.
Key takeaways
- Ask for the vendor’s data processing agreement before procurement is complete.
- Check who can access your files, where data is stored, and which subprocessors the vendor uses.
- Confirm retention, deletion, and breach notification terms in writing.
- Pause procurement if a vendor gives vague answers or refuses to document key controls.
Why this procurement checklist matters
Transcription and caption vendors often process recordings that contain personal, confidential, or regulated information. That means procurement should review more than price, speed, and accuracy.
You need clear contract terms that show how the vendor handles data through its full lifecycle. This includes upload, processing, storage, sharing, support access, deletion, and incident response.
If your team works under privacy or accessibility rules, vendor review becomes even more important. For example, if captions are part of how you meet accessibility requirements, you may also need to understand those requirements, many of which reference the W3C's Web Content Accessibility Guidelines (WCAG).
Procurement checklist for transcription and caption vendors
1. Data processing agreement (DPA)
Start with the DPA or equivalent privacy terms. This document should explain what data the vendor processes, why it processes that data, and what each party must do.
- Define the subject matter and purpose of processing.
- List the categories of personal data and data subjects.
- State the duration of processing.
- Limit processing to documented customer instructions.
- Require the vendor to help with data subject requests when needed.
- Cover return or deletion of data at the end of the service.
- Explain audit rights, reviews, or available compliance documentation.
If your organization must meet privacy law requirements, make sure the DPA is detailed enough for your legal and security teams. If the vendor cannot provide one, that should slow the process down.
2. Confidentiality terms
Confidentiality should appear in both the contract and the vendor’s internal practices. Do not assume a generic NDA is enough.
- Confirm that employees and contractors are bound by confidentiality obligations.
- Ask whether access is role-based and limited to people who need it.
- Check how support staff access customer files, and whether that access is logged, time-limited, and reviewable by you.
- Confirm whether files are used for model training or quality review, and under what terms.
- Ask whether the vendor can segregate highly sensitive projects.
If you need stronger controls, ask whether the vendor offers extra safeguards for legal, medical, or research content. This matters whether you buy professional transcription services or captioning support.
3. Subprocessors
Many vendors rely on cloud hosts, payment providers, support tools, or AI infrastructure partners. Procurement should know which subprocessors touch customer data.
- Request a current list of subprocessors.
- Ask what service each subprocessor provides.
- Confirm whether subprocessors can access content or only metadata.
- Check whether the vendor gives notice before adding new subprocessors.
- Review whether you have a right to object to new subprocessors.
- Ask how the vendor flows down privacy and confidentiality obligations to subprocessors.
A vendor should be able to explain its subprocessor model clearly. If the answer is incomplete, you may not know where your data actually goes.
4. Data location and residency
Data location affects legal review, customer commitments, and internal policy. It also matters when you work with public sector, healthcare, legal, or education data.
- Ask where data is stored at rest.
- Ask where data is processed, including human review and support access.
- Confirm whether data may move across borders.
- Ask whether the vendor offers regional storage or residency options.
- Check whether backups are stored in the same region or a different one.
- Ask which laws or transfer mechanisms apply to cross-border data transfers.
Do not stop at the main platform location. Subprocessors, backup systems, and remote workforce access may affect the real answer.
5. Retention and deletion
Retention terms should be specific. “We keep data as needed” is not enough for procurement.
- Ask for default retention periods for audio, video, transcripts, captions, and logs.
- Confirm whether you can set shorter retention periods.
- Ask what happens to backups after deletion.
- Confirm whether deletion is manual, automatic, or both.
- Ask whether the vendor can certify deletion on request.
- Check whether any copies remain in support systems, QA workflows, or training datasets.
If your team handles sensitive content, shorter retention usually reduces risk. Procurement should push for deletion terms that match the real business need.
6. Breach notification and incident response
Even strong controls do not remove all risk. Your contract should explain what happens if there is a security incident.
- Define what counts as a breach or security incident.
- Set a notification timeline in the contract.
- State what starts the clock. Notice without undue delay after the vendor becomes aware of the incident is the stronger standard; a trigger tied to the vendor's internal confirmation can add days before you hear anything. Choose the standard your legal obligations require.
- Ask what information the vendor will provide in the first notice.
- Confirm whether the vendor will support investigation, containment, and customer communications.
- Check whether the vendor keeps an incident response process and designated contacts.
If you operate under specific legal deadlines, make sure the vendor's contract can support them. For example, under the GDPR a controller must notify the supervisory authority within 72 hours of becoming aware of a reportable breach (Article 33), while a processor must notify the controller without undue delay. A vendor that notifies you only after a lengthy internal confirmation can consume most of that 72-hour window before you know anything happened.
How to compare vendors in practice
Turn the checklist into a simple scorecard so that procurement, legal, security, and the business team compare vendors on the same criteria. Rate each vendor's answer on whether it is:
- Documented: The vendor provides written terms or policies.
- Specific: Answers include named controls, timeframes, and responsibilities.
- Flexible: The vendor can support your required terms or configurations.
- Transparent: The vendor explains limits, exceptions, and dependencies.
You can also separate requirements into two groups.
- Must-have: DPA, confidentiality obligations, subprocessor visibility, deletion terms, and breach notice terms.
- Nice-to-have: Regional storage options, custom retention controls, or advanced reporting.
Price matters, but it should not erase legal and security gaps. A lower-cost option can create more work later if the contract leaves open questions.
Questions to ask vendors
Use these questions during procurement calls, security review, or contract redlines.
- Can you share your DPA and standard privacy terms before we sign?
- Who can access our recordings, transcripts, or captions?
- Do you use customer content for training, testing, or quality improvement?
- Which subprocessors process or store customer data?
- Where is data stored, processed, and backed up?
- Can we choose a data region or limit cross-border transfers?
- What are your default retention periods?
- Can we request immediate deletion or shorter retention?
- How do you handle backups after deletion?
- What is your breach notification process and timing?
- Will you notify us before adding a new subprocessor?
- Can you support extra controls for sensitive projects or regulated data?
Red flags that should pause procurement
Some answers should trigger a deeper review before you move forward. These red flags do not always mean “do not buy,” but they do mean “do not rush.”
- The vendor cannot provide a DPA or refuses to negotiate key data terms.
- The vendor cannot explain who accesses customer data.
- The vendor does not maintain a subprocessor list.
- The vendor gives unclear answers about where data is stored or processed.
- The vendor has no defined retention or deletion schedule.
- The contract does not state when breach notice will be sent.
- The vendor reserves broad rights to use customer content without clear limits.
- The vendor relies on verbal assurances instead of written commitments.
- Different teams at the vendor give conflicting answers.
When you see one of these issues, pause procurement and request written clarification. It is better to fix uncertainty before onboarding than after a sensitive file is uploaded.
Common questions
Do all transcription and caption vendors need a DPA?
Not in every situation, but many procurement teams ask for one anyway. If the vendor processes personal data on your behalf, a DPA is often the cleanest way to document each party's responsibilities.
What is the difference between confidentiality and privacy terms?
Confidentiality limits who can disclose or access information. Privacy terms explain how personal data is collected, processed, shared, retained, and protected.
Why do subprocessors matter so much?
Subprocessors can store, process, or help analyze your data. If you do not know who they are, you may not know the full chain of data handling.
Is data residency the same as data security?
No. A vendor can store data in your preferred region and still have weak controls, or store data elsewhere with stronger controls. You need both location clarity and security review.
Should procurement ask about deletion of backups?
Yes. Deletion from the main system does not always remove backup copies right away, so procurement should ask how backup retention works.
What if a vendor uses AI tools?
Ask whether AI providers are subprocessors, whether customer content is sent to them, and whether your content is used for model training. Get the answer in writing.
Can automated services meet procurement needs?
Sometimes, but the same review still applies. If you are considering automated transcription, ask the same questions about data handling, retention, subprocessors, and breach notice.
Final checklist for procurement teams
- Get the DPA early.
- Review confidentiality terms for staff, contractors, and support access.
- Request the current subprocessor list.
- Confirm data location for storage, processing, and backups.
- Document retention and deletion timelines.
- Check breach notification timing and process.
- Ask follow-up questions where answers are vague.
- Pause procurement when key terms are missing from the contract.
If your team needs help turning audio or video into accurate text while still reviewing vendor requirements carefully, GoTranscript provides the right solutions, including professional transcription services.