Transcription Vendor NDA + Security Questionnaire Template (Legal Version)

Michael Gallagher
Posted in Zoom · 19 Mar, 2026

Use an NDA checklist plus a security questionnaire to vet a transcription vendor the same way you vet any other legal service provider: define confidentiality duties, confirm security controls, and document answers for audits and renewals.

Below you’ll find a legal-focused NDA checklist and a copy‑paste security questionnaire covering data handling, subcontractors, encryption, access logging, retention/deletion, breach notification, and jurisdiction/data residency.

Key takeaways

  • Start with an NDA checklist so you don’t miss basics like definition of “Confidential Information,” permitted use, and return/destruction.
  • Use a security questionnaire to validate how the vendor actually protects audio, transcripts, and client files.
  • Require clarity on subcontractors (who they are, what they can access, and how they are controlled).
  • Set retention and deletion rules that fit legal holds, client obligations, and internal policies.
  • Reuse the same questionnaire at renewals and whenever scope, systems, or jurisdictions change.

Before you send files: what an NDA and security questionnaire should cover

For legal teams, transcription work often includes privileged, confidential, or regulated information, so you need both contract terms (the NDA) and operational proof (the questionnaire).

Think of the NDA as “what must happen,” and the questionnaire as “how they do it.”

Typical risks legal teams want to prevent

  • Unauthorized access to recordings, exhibits, or transcripts.
  • Subcontracting without approval or weak subcontractor controls.
  • Files stored longer than allowed, or not deleted when requested.
  • Cross‑border storage or access that conflicts with client commitments or court orders.
  • Unclear breach notification steps, timelines, or points of contact.

What “good” looks like (plain language)

  • Clear confidentiality obligations that cover audio, video, transcripts, metadata, and notes.
  • Access limited to people who need it, with logs and regular reviews.
  • Encryption in transit and at rest, plus secure file transfer options.
  • Written retention schedule, deletion methods, and a way to certify deletion.
  • Documented incident response and prompt, contract-aligned notification.

Downloadable NDA checklist (legal version)

You can copy this checklist into a document and attach it to your vendor intake packet, or use it as redline guidance when reviewing the vendor’s NDA or MSA.

Note: This is general information, not legal advice, and you should tailor it to your firm, matter type, and jurisdiction.

NDA checklist: clauses to confirm (and questions to ask)

  • Parties and scope: Does it cover the vendor entity and any affiliates that will access data?
  • Definition of Confidential Information: Does it include audio/video, transcripts, exhibits, case strategy, client identities, metadata, and derived data?
  • Purpose limitation: Is use limited to providing transcription/captioning/subtitling services and support?
  • No training / no secondary use: Does it prohibit using your content to train models or for analytics beyond service delivery (unless you explicitly approve)?
  • Need-to-know access: Does it restrict access to authorized personnel only?
  • Subcontractors: Are subcontractors prohibited by default or allowed only with written approval?
  • Subcontractor flow-down: Must subcontractors sign equivalent confidentiality and security obligations?
  • Standard of care: Does it require reasonable/industry-standard security and administrative controls?
  • Security controls reference: Does it reference written security policies or a security addendum (and attach it)?
  • Encryption: Does it require encryption in transit and at rest (or an equivalent documented control)?
  • Access logging: Does it require logging and the ability to provide logs on request (as appropriate)?
  • Data residency / location: Does it state where data will be stored and where it may be accessed from?
  • Jurisdiction and governing law: Does it align with your firm/client requirements and dispute process?
  • Retention: Is there a defined retention period (or retention tied to your instructions)?
  • Deletion / destruction: Does it describe deletion methods, timelines, and certification on request?
  • Legal hold support: Can the vendor suspend deletion when you issue a legal hold?
  • Breach / incident notification: Does it define what counts as an incident and the notification timeline?
  • Incident cooperation: Does it require cooperation, forensics support, and reasonable remediation steps?
  • Return of materials: Can you request return of files/transcripts in a usable format?
  • Privileged information handling: Does it commit to confidentiality consistent with privileged materials (where applicable)?
  • Exclusions: Are exclusions to confidentiality narrow and standard (e.g., independently developed without access)?
  • Compelled disclosure: Does it require prompt notice and cooperation if disclosure is legally compelled?
  • Remedies: Does it allow injunctive relief for unauthorized disclosure?
  • Insurance: If required, does it state cyber/privacy coverage types and proof on request?
  • Audit rights: Are you allowed to review security documentation or receive third-party reports?
  • Term and survival: Do confidentiality obligations survive termination for an appropriate period (or indefinitely for trade secrets)?

Optional add-ons for higher-risk matters

  • Client-specific terms: Add client-required confidentiality language and outside counsel guidelines where needed.
  • Dedicated environment: Require tenant isolation, segregated storage, or matter-specific access groups.
  • Restrictions on printing/download: Limit local copies, printing, and removable media use.
  • Secure transfer only: Require SFTP/portal upload and prohibit email attachments for files.

Security questionnaire template (legal-focused)

This questionnaire is designed for transcription vendors handling sensitive legal content, including privileged material.

Ask the vendor to answer in writing and attach evidence where possible (policy excerpts, diagrams, sample logs, certifications, or a SOC report summary if available).

How to use this questionnaire (intake and renewals)

  • During vendor selection: Use it as a gate before you share real client data, and score answers against your minimum requirements.
  • During onboarding: Convert “yes” answers into contract obligations (security addendum) and document any exceptions.
  • At renewals (at least annually): Re-issue the questionnaire and ask, “What changed?” for systems, subprocessors, locations, and incident history.
  • After a change: Re-run it after major events like a platform migration, acquisition, new subcontractor, or expanded jurisdiction.

Suggested scoring (simple and defensible)

  • Meets: Clear answer + evidence + aligns with your NDA/security addendum.
  • Partially meets: Control exists but has gaps, unclear scope, or lacks evidence.
  • Does not meet: Control absent, vendor refuses, or risk cannot be accepted for the matter type.
  • Needs legal review: Impacts privilege, jurisdiction, breach terms, or client commitments.

Section A: Company, contacts, and accountability

  • Legal entity name, headquarters location, and primary service locations.
  • Security contact (name, title, email, phone) and escalation contact for incidents.
  • Do you have a written information security program? If yes, provide a table of contents or summary.
  • Who owns security decisions (role/title), and how often do you review security risks?

Section B: Data handling and workflow

  • Describe the end-to-end workflow from file upload to delivery (include where files are stored and processed).
  • What data types do you handle (audio, video, transcript text, timestamps, speaker labels, notes)?
  • Do you separate customer data by tenant/matter? Describe how.
  • Do you use any third-party tools for processing (e.g., storage, editing platforms)? List them.

Section C: Subcontractors and subprocessors

  • Do you use subcontractors for transcription, editing, QA, or support? If yes, list roles and locations.
  • Do subcontractors access raw audio/video, transcripts, or both?
  • What vetting do you perform before onboarding subcontractors (background checks, references, training)?
  • Do subcontractors sign confidentiality agreements with terms at least as strict as yours? Provide a summary.
  • How do you remove access when a subcontractor leaves (timelines and process)?

Section D: Access control and authentication

  • How do you enforce least privilege (role-based access control, approvals, periodic reviews)?
  • Do you support multi-factor authentication (MFA) for staff and admins? Describe coverage.
  • How do you manage passwords (policy, rotation, minimum length, SSO options)?
  • Do you restrict admin access and require separate admin accounts?

Section E: Encryption and secure transfer

  • Do you encrypt data in transit? Specify protocols (e.g., HTTPS/TLS, SFTP).
  • Do you encrypt data at rest? Specify where (databases, object storage, backups).
  • How are encryption keys managed (KMS, key rotation, access restrictions)?
  • What secure file delivery options do you support (portal, SFTP, encrypted download links)?

Section F: Logging, monitoring, and auditability

  • What access logs do you keep (file access, downloads, admin actions)?
  • How long do you retain logs, and are they protected from tampering?
  • Do you monitor for suspicious access (anomalies, failed logins, mass downloads)?
  • Can you provide matter-specific access logs upon request (when appropriate)?

Section G: Retention, deletion, and backups

  • What is your default retention period for source files and delivered transcripts?
  • Can customers set custom retention (per client/matter)? Describe the process.
  • How do you delete data (soft delete vs. secure deletion), and how long until deletion completes?
  • How do deletions apply to backups? Provide timelines and limitations.
  • Can you provide a deletion certificate or written confirmation on request?

Section H: Incident response and breach notification

  • Do you have a written incident response plan? Provide a summary of phases and owners.
  • How do you define an incident vs. a breach?
  • What is your notification timeline after confirming unauthorized access to customer data?
  • What information will you include in a notification (scope, dates, affected data, remediation steps)?
  • Do you maintain an incident log and conduct post-incident reviews?

Section I: Jurisdiction, data residency, and cross-border access

  • In which countries/regions is customer data stored by default?
  • From which countries/regions can your staff or subcontractors access customer data?
  • Can you restrict storage and access to specific jurisdictions? Describe limitations.
  • How do you handle government or law enforcement requests for data (notice, review, transparency)?

Section J: Privacy, legal requirements, and client commitments

  • Do you sign data processing terms if required (e.g., DPA)?
  • Do you support confidentiality obligations tied to privileged materials and protective orders?
  • Do you have a process to respond to client audits or security questionnaires from your customer’s customers?
  • Do you provide training to staff on confidentiality and secure handling of client data? Frequency?

Section K: Business continuity and disaster recovery

  • Do you have a business continuity/disaster recovery plan? Provide a summary.
  • How do you back up customer data, and how often are backups tested?
  • How do you ensure timely delivery during disruptions (staffing coverage, alternate workflows)?

Section L: Secure development (if the vendor provides a platform)

  • Do you perform vulnerability scanning and patching? Describe frequency and ownership.
  • Do you run penetration tests or independent security reviews? Provide a high-level summary if available.
  • How do you manage third-party dependencies and critical security updates?

Decision criteria: how to evaluate vendor answers

Not every matter needs the same controls, so decide your minimum bar by risk tier (routine, sensitive, highly sensitive).

Use a short decision matrix so your team can apply it consistently.

Minimum requirements many legal teams set (example list)

  • Written NDA (or confidentiality terms in an MSA) with clear purpose limitation and subcontractor controls.
  • Secure transfer options (portal/SFTP) and encryption in transit.
  • Access controls with MFA for staff and admins (or a documented compensating control).
  • Defined retention schedule plus deletion on request, including backup timelines.
  • Incident response process and breach notification timeline stated in contract.
  • Declared data residency and cross-border access model (and ability to restrict when required).

Red flags that should trigger follow-up (or a “no”)

  • “We don’t track subcontractors” or “we can’t tell you where data is accessed from.”
  • No clear retention schedule, or deletion only described as “when we feel it’s no longer needed.”
  • Refusal to explain encryption, logging, or incident notification steps.
  • Broad rights to reuse content (especially for training or product improvement) without opt-in.
  • Email-only workflows for sensitive files with no secure alternative.

Pitfalls to avoid when drafting NDAs for transcription vendors

Many NDA issues come from copying a generic template that doesn’t match how transcription work happens.

These fixes keep the document practical and enforceable.

  • Vague “Confidential Information” definitions: Add audio/video, transcripts, and derived outputs explicitly.
  • No subcontractor section: Transcription often uses distributed teams, so you need approval and flow-down obligations.
  • Missing deletion language: Put the timeline and method in writing, and address backups.
  • Unclear incident terms: Define “incident/breach,” timelines, and who gets notified.
  • Conflicts with client guidelines: If your clients impose outside counsel guidelines, incorporate them or reference them.

Common questions

  • Do we need an NDA if we already have an MSA?
    Not always, but you do need written confidentiality terms somewhere, and they should cover subcontractors, retention/deletion, and incident notification.
  • Should we allow subcontractors at all?
    It depends on risk and turnaround needs, but if you allow them, require disclosure, approval (when needed), and equal confidentiality and security obligations.
  • How often should we send the security questionnaire?
    Send it during selection, again at renewal, and anytime the vendor changes systems, locations, or subprocessors.
  • What’s the simplest way to handle data retention?
    Set a default retention period, allow matter-specific overrides, and require deletion confirmation and backup deletion timelines.
  • Is email an acceptable way to exchange legal audio files?
    Email can add risk because of forwarding and attachment handling, so many teams prefer a secure portal or SFTP for sensitive matters.
  • What should breach notification include?
    Ask for scope, timing, affected data types, containment steps, and a contact for coordination, and put the timeline in contract terms.

Next step: standardize your vendor pack

To make this easy to repeat, keep a “vendor pack” with your NDA checklist, the questionnaire, and a one-page scoring sheet, then store completed versions with the vendor record.

If you also need accurate transcripts, captions, or multilingual support for legal content, GoTranscript can help with the right solutions, including professional transcription services.