Procurement Checklist: DPA, Confidentiality, Subprocessors, Data Location

Choosing a transcription or caption vendor means checking more than price and turnaround time. You should review the vendor’s data processing agreement, confidentiality terms, subprocessors, data location, retention, deletion, and breach notification before you buy.

A simple procurement checklist helps you compare vendors in a consistent way, spot risk early, and avoid delays with legal or security review. This guide shows what to ask, what to document, and which red flags should pause procurement.

Key takeaways

• Review the DPA before purchase, not after onboarding.
• Confirm who can access files, where data is stored, and which subprocessors are involved.
• Ask for clear retention, deletion, and breach notification terms in writing.
• Pause procurement if a vendor gives vague answers on security, confidentiality, or data flows.

Why this procurement checklist matters

Transcription and caption vendors often handle sensitive audio, video, and text. That can include interviews, legal material, research data, medical content, HR calls, or internal meetings.

If procurement skips privacy and security review, your team may face rework later. Legal, compliance, and IT teams often need clear answers on data use, storage, and third-party access before they approve a vendor.

A practical checklist helps you do three things:

• Compare vendors on the same criteria.
• Find gaps before signing a contract.
• Create a record for internal approval.

DPA checklist: what to review before signing

The data processing agreement is the core document for vendors that process customer data on your behalf. If a vendor will handle personal data, this document should explain what they process, why they process it, and how they protect it.

Core DPA terms to check

• Roles of the parties: controller, processor, or subprocessor.
• Subject matter and purpose of processing.
• Types of data and categories of data subjects.
• Documented processing instructions.
• Confidentiality obligations for staff and contractors.
• Security measures and access controls.
• Subprocessor approval and notification process.
• Cross-border transfer terms, if data leaves your required region.
• Retention, return, and deletion obligations.
• Audit rights or alternative review options.
• Breach notification obligations and timing.
• Support for data subject requests, if needed.

Decision criteria for the DPA

• Is the DPA available before purchase?
• Does it match your internal privacy and security standards?
• Does it clearly describe the service you are buying?
• Does it avoid broad rights to use your content for unrelated purposes?
• Does it define timelines and responsibilities in plain language?

If the DPA is missing, incomplete, or only available after payment, pause procurement. You need the legal terms early enough for review.

Confidentiality: who can access your files and under what rules

Confidentiality terms should explain who may access your content and why. They should also state how the vendor limits access to the minimum needed to deliver the service.

What to verify

• Whether employees, freelancers, or both can access files.
• Whether each person with access is under a written confidentiality obligation.
• Whether access is role-based and limited to assigned work.
• Whether the vendor logs or monitors access to customer data.
• Whether support teams can view customer content.
• Whether files are used for training, quality review, or product improvement.

What good answers look like

• Confidentiality obligations are written into contracts.
• Access is restricted by role and business need.
• The vendor can explain when humans may view or hear content.
• Optional workflows exist for higher-sensitivity content.

Do not accept vague language like “authorized personnel may access data as needed” without detail. Procurement should ask what “as needed” means in practice.

Subprocessors: map every third party in the workflow

Many vendors rely on cloud providers, AI providers, support tools, or freelance networks. That does not automatically create a problem, but you need a clear list of subprocessors and what each one does.

Checklist for subprocessors

• Request a current subprocessor list.
• Ask what service each subprocessor provides.
• Confirm which subprocessors can access customer content or metadata.
• Check where each subprocessor processes or stores data.
• Ask how the vendor reviews and approves subprocessors.
• Ask whether the vendor will notify customers before adding new subprocessors.
• Confirm whether you can object to new subprocessors in defined cases.

Common procurement pitfalls

• The vendor lists only infrastructure providers and omits other third parties.
• The list is outdated or not publicly available.
• The vendor cannot explain data flows between systems.
• The vendor says it uses “industry-standard partners” but will not name them.

If a vendor cannot tell you who touches your data, you cannot assess the risk properly. That is a strong reason to stop and ask for clarification.

Data location, residency, retention, deletion, and breach notification

Data location matters when your organization has regulatory, contractual, or internal requirements about where information may be stored or accessed. Retention, deletion, and breach notification matter because they define what happens after upload and what happens if something goes wrong.

Data location and residency checklist

• Where is data stored at rest?
• Where is data processed?
• Can support staff or subcontractors access data from other countries?
• Can you choose a storage or processing region?
• Does the contract define international transfer terms when needed?

For organizations subject to the GDPR, international transfers need an appropriate legal mechanism. The GDPR framework sets the baseline for how personal data should be handled.

Retention and deletion checklist

• What is the default retention period for uploaded files and transcripts?
• Can customers set a shorter retention period?
• What happens to backups after deletion?
• Does deletion apply to production and backup environments?
• Will the vendor certify deletion on request, if needed?
• What happens to data when the contract ends?

Breach notification checklist

• How does the vendor define a security incident or breach?
• How quickly will the vendor notify customers?
• What details will the notice include?
• Who is the contact point for incident response?
• Will the vendor support investigation and remediation?

The U.S. Department of Health and Human Services breach notification guidance is one example of a rule set that may affect some organizations, depending on the type of data involved.

Practical procurement steps: how to compare vendors side by side

A checklist works best when every vendor answers the same questions in the same format. Keep the review short, specific, and tied to approval criteria.

Use this simple process

• Create one review sheet for all vendors.
• Group questions into legal, privacy, security, operations, and pricing.
• Mark each item as approved, unclear, not offered, or requires exception.
• Request documents early, including the DPA and subprocessor list.
• Ask follow-up questions in writing.
• Save final answers with contract records.

Suggested evaluation table

• DPA available before signature: yes or no.
• Confidentiality terms for staff and contractors: clear or unclear.
• Subprocessor list available: yes or no.
• Data location options: meets requirement or does not meet requirement.
• Retention and deletion controls: acceptable or not acceptable.
• Breach notification timing: acceptable or not acceptable.
• Escalation path for legal or security questions: present or missing.

Price still matters, and you can review transcription pricing alongside compliance requirements. A lower price does not help if your team cannot approve the vendor.

Questions to ask vendors

Use these questions during procurement calls or in a written security review. Keep them direct so answers are easier to compare.

• Can you share your DPA before contract signature?
• Who can access our files, transcripts, and captions?
• Are employees, contractors, or freelancers bound by written confidentiality terms?
• Do you maintain a current list of subprocessors?
• Which subprocessors can access customer content?
• Where do you store and process customer data?
• Can we choose or limit data residency by region?
• What is your default retention period?
• How do you handle deletion in live systems and backups?
• How and when will you notify us of a security incident?
• Do you use customer content for model training or product improvement?
• Can you support higher-sensitivity workflows when needed?

Red flags that should pause procurement

Some issues should trigger a pause until the vendor gives a clear answer or changes the terms. These are common signs that review is incomplete or risk is too high.

• No DPA is available before signature.
• The vendor will not identify subprocessors.
• Data location is unknown or changes without notice.
• Retention periods are undefined.
• Deletion terms are vague or exclude backups without explanation.
• Breach notification timing is missing.
• Confidentiality terms do not clearly cover contractors or freelancers.
• The vendor claims broad rights to reuse customer content.
• Support, QA, or training access is not explained.
• Answers change across sales, legal, and security teams.

If you need a vendor for sensitive or regulated work, ask whether the service model fits that use case before you move forward. In some cases, standard professional transcription services may need extra review steps based on your internal policies.

Common questions

Do all transcription and caption vendors need a DPA?

If the vendor processes personal data on your behalf, a DPA is often part of the review. Your legal team can confirm whether it is required for your use case.

What is the difference between confidentiality and a DPA?

Confidentiality focuses on keeping information private. A DPA covers broader data processing terms, including instructions, security, subprocessors, and deletion.

Why do subprocessors matter so much?

Subprocessors may store, process, or access your data. You need to know who they are and what they do to assess risk and meet internal requirements.

What should we ask about data residency?

Ask where data is stored, where it is processed, and whether support or third parties can access it from other countries. Those details matter as much as server location.

How specific should retention and deletion terms be?

They should state the default retention period, available customer controls, backup handling, and what happens at contract end. Vague promises are not enough for procurement review.

What breach notification language should we look for?

Look for a clear trigger for notification, a defined timeline, and a description of the information the vendor will provide. You also want a named response path for follow-up.

Should procurement pause if answers are incomplete?

Yes. If a vendor cannot explain its data handling clearly, your team should pause until the gaps are resolved.

A careful vendor review makes future projects easier, especially when your team handles sensitive audio or video. If you need help assessing workflow options, GoTranscript provides the right solutions, including professional transcription services.