Procurement Checklist: DPA, Confidentiality, Subprocessors, Data Location

Christopher Nguyen
Published in Zoom Jun. 10 · Jun 11, 2026
When you buy transcription or caption services, legal and security review matters as much as price and turnaround. A good procurement checklist helps you check the basics fast: data processing agreement terms, confidentiality, subprocessors, data location, retention and deletion, and breach notification.

If a vendor cannot answer these points clearly, pause the purchase. Below, you will find a practical checklist, questions to ask vendors, and red flags that should stop or slow procurement.

Key takeaways

  • Ask for a clear DPA before you send any files with personal or sensitive data.
  • Check who can access your content, where data is stored, and which subprocessors are involved.
  • Confirm retention, deletion, and breach notification terms in writing.
  • Do not rely on sales calls alone; ask for documents and contract language.
  • Pause procurement if answers are vague, incomplete, or inconsistent.

Why this procurement checklist matters

Transcription and caption vendors often handle recorded meetings, interviews, training videos, legal audio, research files, and customer calls. These files may contain personal data, confidential business information, or regulated content.

That means procurement should review more than features. You need to know what happens to your data from upload to deletion, and who touches it along the way.

If your organization is subject to privacy rules, your vendor review may also need to match legal duties under frameworks such as the GDPR. Even when no specific law applies, clear contract terms reduce risk and avoid confusion later.

DPA checklist: what to confirm before you buy

Your data processing agreement should explain how the vendor handles personal data on your behalf. If the vendor processes personal data for your organization, do not treat the DPA as optional.

Core DPA terms to review

  • Roles of the parties: The contract should state who is the controller and who is the processor, or use the equivalent terms your legal team prefers.
  • Purpose of processing: It should say why the vendor processes the data, such as transcription, captioning, quality checks, support, or delivery.
  • Types of data: It should describe the categories of personal data and the kinds of data subjects involved.
  • Instructions: The vendor should process data only on documented instructions from your organization.
  • Security measures: The agreement should reference technical and organizational safeguards, even if full details sit in a separate security document.
  • Subprocessor terms: It should explain whether subprocessors are used and how the vendor approves and manages them.
  • Deletion or return: It should say what happens to your data at the end of the service.
  • Audit or review rights: It should explain how you can verify compliance, whether by audit, questionnaire, or shared reports.
  • Cross-border transfers: If data moves across borders, the agreement should name the transfer mechanism used.

What good DPA language looks like

Good DPA language is specific and easy to test. You should be able to point to a clause and match it to a real process.

  • Clear timelines, not vague words like “as needed.”
  • Named process categories, not broad catch-all uses.
  • Written approval or notice rules for subprocessors.
  • A stated deletion path, including backups where relevant.

What to watch out for

  • The vendor says the DPA is only available after purchase.
  • The DPA gives the vendor broad rights to use customer content beyond service delivery.
  • The agreement does not explain deletion, subprocessor changes, or international transfers.
  • Terms in the DPA conflict with the privacy policy or sales materials.

Confidentiality, subprocessors, and access controls

Confidentiality is not just a one-line clause in the master agreement. You need to know who can see, hear, edit, review, or support your files.

Confidentiality points to verify

  • Staff and contractor obligations: Ask whether employees and contractors sign confidentiality commitments.
  • Access limits: Check whether access is restricted to people who need it for service delivery or support.
  • Training: Ask whether staff receive privacy or security training relevant to their role.
  • Support access: Confirm whether support teams can open customer files, and under what conditions.
  • Use restrictions: Make sure your content is not reused for product training, model training, or internal testing unless you have agreed to that in writing.

Subprocessor checklist

A subprocessor is a third party that helps the vendor deliver the service and may handle customer data. Common examples include cloud hosting, storage, support tools, or workflow platforms.

  • Request a current subprocessor list.
  • Check each subprocessor’s role.
  • Ask where each subprocessor processes or stores data.
  • Confirm whether the vendor gives advance notice before adding or changing subprocessors.
  • Ask whether you have a right to object to new subprocessors.
  • Confirm that subprocessor contracts impose data protection and confidentiality duties.

Decision criteria for procurement

  • Low risk: the vendor provides a clear list, defined roles, and a notice process.
  • Medium risk: the vendor names key subprocessors but does not explain change notices well.
  • High risk: the vendor refuses to disclose subprocessors or says the list is proprietary.

Data location, residency, retention, deletion, and breach notification

For many buyers, data location is a hard requirement. Some organizations need data to stay in a certain country or region for legal, policy, or customer reasons.

Data location and residency checklist

  • Ask where files are uploaded, processed, stored, backed up, and deleted.
  • Check whether production data and backup data stay in the same region.
  • Ask whether human reviewers or support staff access files from other countries.
  • Confirm whether you can choose a storage or processing region.
  • Ask how the vendor handles cross-border transfers when they occur.

If your organization has regional accessibility or public sector duties, your review may also connect to wider compliance work, such as the WCAG guidance from W3C for captions and accessibility programs. That does not replace privacy review, but it often shapes vendor selection.

Retention and deletion checklist

  • Ask for the default retention period for source files, transcripts, captions, and logs.
  • Confirm whether you can set a shorter retention period.
  • Ask what happens when a user deletes a file from the dashboard.
  • Check whether deletion covers backups and derived outputs.
  • Ask whether the vendor can provide deletion confirmation.
  • Confirm what data the vendor must keep for billing, audit, or legal reasons.

Breach notification checklist

  • Ask how the vendor defines a security incident and a personal data breach.
  • Confirm the notification timeline after discovery.
  • Ask what details the first notice will include.
  • Check whether the vendor will provide updates during the investigation.
  • Confirm the contact route for urgent notices outside business hours.

Red flags that should pause procurement

  • No clear answer on where data is stored or processed.
  • No written retention or deletion policy.
  • Open-ended retention “for service improvement.”
  • No breach notification timeline in contract language.
  • Support or reviewer access from unknown locations with no explanation.

Questions to ask vendors before approval

Use these questions in your procurement form, security review, or vendor call. Ask for written answers and supporting documents where possible.

  • Can you share your DPA and standard confidentiality terms before signature?
  • Do you use customer content for AI training, product improvement, or testing?
  • Who can access uploaded files, transcripts, and captions?
  • Which subprocessors handle customer data, and what do they do?
  • Where is data stored, processed, backed up, and accessed?
  • Can we choose data residency by country or region?
  • What are your default retention periods, and can we shorten them?
  • How do you delete data from live systems and backups?
  • How fast will you notify us about a breach or security incident?
  • Can you support our required contract language for deletion, subprocessor notice, or regional processing?

How to compare vendors without getting stuck

Procurement reviews often slow down because teams ask everything at once. A simple scorecard helps you separate must-haves from nice-to-haves.

Build a practical scorecard

  • Mandatory: DPA available, confidentiality terms, subprocessor disclosure, data location answer, deletion terms, breach notification clause.
  • Important: regional hosting choice, shorter retention options, deletion confirmation, objection rights for new subprocessors.
  • Nice to have: customer-facing dashboards for retention settings, self-serve deletion, detailed data maps.

Pitfalls to avoid

  • Choosing on price alone before legal review.
  • Relying on website copy instead of contract terms.
  • Assuming “encrypted” answers all privacy questions.
  • Ignoring support access, backups, and temporary files.
  • Approving a pilot with real sensitive data before review is complete.

If you are comparing delivery models, it also helps to separate human review from automated transcription, because access, workflows, and risk points may differ. Ask each vendor to map the exact path your files will take.

Common questions

Do all transcription and caption vendors need a DPA?

If the vendor processes personal data for your organization, a DPA is often the right starting point. Your legal team can confirm the exact requirement for your use case and region.

Is confidentiality enough on its own?

No. Confidentiality helps, but it does not replace clear terms on subprocessors, data location, deletion, and breach notification.

Why do subprocessors matter so much?

Because your data may pass through other companies you did not review at first. Procurement needs to know who they are and what they do.

What if the vendor says subprocessor details are confidential?

That is a concern. A vendor should still be able to tell you which third parties handle customer data and for what purpose.

Should we ask about backups when we discuss deletion?

Yes. A deletion promise is incomplete if it only covers live systems and not backups or stored copies.

Can a vendor meet our needs if data must stay in one region?

Possibly, but you need a clear written answer. Ask about storage, processing, support access, and backup locations, not just primary hosting.

What is the biggest procurement mistake in vendor review?

Sending real files before the review is complete. Use sample or non-sensitive content until legal and security checks are done.

Once you finish your checklist, compare service fit as well as contract terms. If you need help balancing privacy review with delivery needs, GoTranscript provides the right solutions, including professional transcription services.