Choosing a transcription vendor is not only about price, speed, or accuracy. You also need to know how the vendor handles your data, where files are stored, who can access them, and which outside companies help deliver the service.
A good transcription vendor security checklist helps you review the basics in plain language: ISO certifications, SOC reports, data location, subprocessors, access controls, and contract terms. This guide explains what each item means, what questions to ask, which red flags should stop adoption, and how to score vendors in a simple, practical way.
Key takeaways
- Ask for plain answers, not only certificates and policy PDFs.
- Check where data is stored, processed, backed up, and supported.
- Review subprocessors because they often handle storage, AI, support, and analytics.
- Look for controls around access, encryption, retention, and deletion.
- Use a scorecard so teams compare vendors in the same way.
- Block adoption if the vendor refuses basic security answers or cannot explain data flows.
Why a security checklist matters for transcription vendors
Transcription vendors often handle sensitive material such as interviews, legal recordings, medical dictation, internal meetings, customer calls, and research audio. Even when the content seems routine, it can still include personal data, confidential plans, or regulated information.
That is why a security review should happen before you upload files or connect systems. The goal is simple: confirm that the vendor can protect your data in transit, at rest, during processing, and after the job is complete.
This matters whether you use automated transcription, human transcription, or a mixed workflow. Different delivery models create different risks, but every vendor should still explain its controls clearly.
The core transcription vendor security checklist
1. SOC reports: what they mean in practice
A SOC report is an independent audit report about a service organization’s controls. In practice, buyers usually ask whether the vendor has a SOC 2 report and whether it covers security, availability, confidentiality, processing integrity, or privacy under the AICPA SOC framework.
For day-to-day vendor review, the key question is not only “Do you have a SOC report?” It is also “Which systems, services, and time period does it cover, and are there exceptions I should know about?”
What to ask
- Do you have a current SOC 2 report?
- Is it Type I or Type II?
- Which products, environments, and teams are in scope?
- Can you share the bridge letter if the report period is old?
- Were there any exceptions, qualified opinions, or major gaps?
- Do your critical subprocessors also undergo independent audits?
What good looks like
- The vendor knows the difference between Type I and Type II.
- The scope matches the service you plan to use.
- The vendor can explain exceptions in plain language.
- The report is recent enough to reflect the current environment.
Red flags
- The vendor says “SOC compliant” but has no report.
- The report covers a different product than the one you will use.
- The vendor avoids sharing scope details.
- The vendor cannot explain audit findings.
2. ISO certifications: what they mean in practice
ISO certifications show that an accredited auditor has assessed a management system against a published standard. For security reviews, buyers often look for ISO/IEC 27001, which covers information security management.
In practical terms, ISO 27001 tells you the vendor has a formal security management system. It does not mean every workflow is risk-free, so you still need to ask how controls apply to your audio files, transcripts, integrations, and support process.
What to ask
- Which ISO certifications do you hold, and are they current?
- What is the certification scope?
- Does the scope include the exact transcription platform or service we will use?
- Which legal entities and locations are covered?
- Can you share the certificate and statement of applicability or scope summary?
What good looks like
- The vendor can show a current certificate.
- The certification scope is specific, not vague.
- The covered systems and offices match your engagement.
Red flags
- The vendor says “ISO aligned” but is not certified.
- The certificate belongs to a parent company with unclear relevance.
- The scope excludes the service you will buy.
3. Data location and data residency
Data location means where data is stored, processed, backed up, or accessed. Data residency usually means the vendor can keep your data within a chosen country or region to meet legal, policy, or customer requirements.
For transcription, this is especially important because one file may move through upload servers, production systems, support tools, backup systems, and human reviewer access points. A vendor should be able to map those steps clearly.
What to ask
- Where are files stored at upload, during processing, and after delivery?
- Where are backups stored?
- Can you keep data in a specific country or region?
- Can support staff access data from other countries?
- Do human transcribers or reviewers work from multiple locations?
- Do logs or metadata leave the chosen region?
- Can we choose retention and deletion timelines?
What good looks like
- The vendor can describe storage, processing, backup, and access locations separately.
- Regional controls are documented in contracts or product settings.
- Retention and deletion rules are clear and configurable.
Red flags
- The vendor answers only with a server location and ignores support, backups, or access.
- The vendor cannot commit to a region in writing.
- The vendor stores data longer than needed without a clear reason.
4. Subprocessors: who else touches your data
A subprocessor is a third party that helps the vendor deliver the service and may process customer data. Common examples include cloud hosting providers, customer support platforms, AI providers, analytics tools, and email systems.
This area is often overlooked, but it matters because your data protection depends on the whole chain, not only the primary vendor. Under the GDPR processor rules, controllers and processors must pay attention to downstream processing arrangements, so each link in that chain should be named and assessed.
What to ask
- Do you maintain a current subprocessor list?
- What does each subprocessor do?
- Which subprocessors can access customer content versus only metadata?
- Where is each subprocessor located?
- How do you assess and approve new subprocessors?
- Will you notify customers before adding or changing subprocessors?
- Can we object to a new subprocessor for reasonable security or compliance concerns?
What good looks like
- The list is public or available on request.
- The vendor distinguishes content access from operational support.
- The vendor has a change-notice process.
Red flags
- No subprocessor list exists.
- The vendor says subprocessors are “standard” but will not name them.
- The vendor cannot explain which third parties can access raw audio or transcripts.
5. Access controls and human handling
Security is not only about certificates. You also need to know who can see your files and how that access is limited.
What to ask
- Who can access customer files inside your company?
- Do you use role-based access control?
- Do you require multi-factor authentication for staff access?
- Are access logs kept and reviewed?
- How do you approve and remove employee or contractor access?
- If humans transcribe or review content, what controls apply to them?
Red flags
- Shared accounts.
- No clear joiner-mover-leaver process.
- Broad access for support or operations teams.
- No explanation for how contractors are screened or managed.
6. Encryption, retention, deletion, and incident response
These controls affect the full life cycle of your content. You should know how the vendor protects data, how long it keeps it, how deletion works, and what happens if something goes wrong.
What to ask
- Is data encrypted in transit and at rest?
- What are the default retention periods for files and transcripts?
- Can customers set shorter retention periods?
- What is your deletion process for production systems and backups?
- Do you have an incident response process and customer notification timeline?
- Can you support legal hold or deletion certificates if needed?
Red flags
- The vendor cannot explain deletion beyond “we delete on request.”
- Backup deletion is vague or unlimited.
- No incident notification language appears in the contract.
Questions to ask before you shortlist a vendor
Use these questions in your first call or security questionnaire. They help you move fast without missing major risk areas.
- What certifications and audit reports do you currently hold?
- Which exact service, region, and legal entity do those documents cover?
- Where will our audio, transcripts, logs, and backups be stored and processed?
- Who are your subprocessors, and which ones can access customer content?
- Can human transcribers or reviewers access our data, and under what controls?
- What are your default retention and deletion settings?
- How do you handle incidents, breach notification, and customer communication?
- Can you sign our data processing terms or provide your own DPA?
- Can you meet any regional or contractual data location requirements we have?
Simple evaluation scorecard for transcription vendor security
A scorecard helps procurement, IT, legal, and business teams compare vendors on the same basis. Keep it simple and focus on evidence, not promises.
Scoring method
- 0 = no answer, no evidence, or unacceptable risk
- 1 = partial answer or weak control
- 2 = acceptable answer with limited evidence
- 3 = strong answer with clear evidence
Suggested criteria
- Independent assurance: SOC and/or ISO evidence
- Scope fit: documents cover the actual transcription service
- Data residency: regional options and contractual commitments
- Data flow clarity: storage, processing, backup, and support locations explained
- Subprocessor transparency: current list and change notice process
- Access controls: least privilege, MFA, logging, offboarding
- Human handling controls: reviewer access restrictions and oversight
- Encryption: in transit and at rest
- Retention and deletion: clear timelines and customer options
- Incident response: documented process and notification terms
- Contract readiness: DPA, security addendum, and audit support
Example interpretation
- 28–33: strong candidate, pending legal and technical review
- 20–27: usable, but review gaps and contract terms carefully
- Below 20: high effort or high risk; do not proceed without major remediation
You can also add blockers so a vendor fails even with a decent total score. This helps prevent a good sales demo from hiding a basic security gap.
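As an added example (not part of the original article), the scoring method, score bands, and blocker rule described above expressed as a small Python helper; the criterion keys, function names, and the two sample vendors are constructed for illustration and are not real assessments.

```python
"""Vendor security scorecard with blocking red flags.

Added example, not from the article. The 0-3 scale, the eleven
criteria, the score bands and the "blocker overrides total" rule
follow the article; identifiers and sample answers are constructed.
"""
from dataclasses import dataclass, field

CRITERIA = (
    "independent_assurance", "scope_fit", "data_residency",
    "data_flow_clarity", "subprocessor_transparency", "access_controls",
    "human_handling", "encryption", "retention_deletion",
    "incident_response", "contract_readiness",
)
MAX_SCORE = 3 * len(CRITERIA)  # 33, the top of the article's strong band


@dataclass
class Assessment:
    vendor: str
    scores: dict                                   # criterion -> 0..3
    blockers: list = field(default_factory=list)   # blocking red flags seen


def total(a: Assessment) -> int:
    """Sum the 0-3 scores; reject unscored criteria or out-of-range values."""
    missing = [c for c in CRITERIA if c not in a.scores]
    if missing:
        raise ValueError(f"unscored criteria: {missing}")
    bad = {c: v for c, v in a.scores.items() if v not in (0, 1, 2, 3)}
    if bad:
        raise ValueError(f"scores must be 0-3: {bad}")
    return sum(a.scores[c] for c in CRITERIA)


def verdict(a: Assessment) -> str:
    """Apply the article's bands; any blocker fails the vendor regardless of total."""
    if a.blockers:
        return "blocked"
    t = total(a)
    if t >= 28:
        return "strong"
    if t >= 20:
        return "usable"
    return "high_risk"


def compare(assessments) -> list:
    """Rank vendors for side-by-side review: unblocked first, then highest total."""
    return sorted(assessments, key=lambda a: (bool(a.blockers), -total(a)))


# Constructed sample answers for two hypothetical vendors.
VENDOR_A = Assessment("Vendor A", dict.fromkeys(CRITERIA, 3))
VENDOR_B = Assessment("Vendor B", {**dict.fromkeys(CRITERIA, 3),
                                   "subprocessor_transparency": 0},
                      blockers=["will not identify subprocessors"])
```

Vendor B scores 30 of 33, which would land in the strong band, yet fails because of the blocker, which is exactly the "good demo hiding a basic gap" case the article warns about.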
Red flags that should block adoption
Some issues should stop the process until the vendor fixes them. These are not small gaps.
- The vendor will not identify subprocessors.
- The vendor cannot explain where data is stored, processed, or backed up.
- The vendor refuses to discuss retention and deletion.
- The vendor claims certifications or compliance without evidence.
- The audit or certification scope does not cover the service you will use.
- The vendor cannot explain who can access raw audio or transcripts.
- The contract lacks basic incident notification or data protection terms.
- The vendor cannot support your required data location or access restrictions.
- The vendor gives inconsistent answers across sales, security, and legal teams.
If your team handles sensitive or regulated content, these blockers matter even more. It is often safer to delay rollout than to accept unclear answers.
Common mistakes buyers make
Many teams ask for a certificate and stop there. That misses the practical details that affect real-world risk.
- Confusing a certificate with proof that every workflow is secure.
- Checking server location but not backup, support, or reviewer location.
- Ignoring subprocessors because the main vendor seems trustworthy.
- Accepting vague promises instead of written commitments.
- Skipping deletion and retention questions until after launch.
- Reviewing security too late, after teams have already uploaded live data.
If you need a safer workflow, compare service models early. For example, teams often review whether human review, AI-only processing, or transcription proofreading services best fit their content sensitivity and quality needs.
Common questions
Is SOC 2 better than ISO 27001?
They do different jobs. SOC 2 is an audit report about control design and, for Type II, operating effectiveness over time, while ISO 27001 is a certification for an information security management system.
Do I need both SOC and ISO from a transcription vendor?
Not always. Many buyers accept one strong form of independent assurance, but you still need to review scope, data flow, subprocessors, and contract terms.
Why does data location matter if files are encrypted?
Encryption helps, but location can still affect legal obligations, internal policy, customer contracts, support access, and government data transfer rules.
What is the difference between a vendor and a subprocessor?
The vendor is the company you contract with. A subprocessor is a third party that the vendor uses to process customer data while delivering the service.
Should a vendor share its full SOC report with us?
Many vendors share SOC reports under NDA or through a trust portal. If they will not share the full report, they should still provide clear scope details and answer practical security questions.
What if the vendor uses AI providers in the background?
Treat those providers like any other subprocessor. Ask what data they receive, whether customer content is retained, where processing happens, and what contractual controls apply.
When should security review happen?
Before procurement is final and before any real customer or business data is uploaded. Early review avoids rework and reduces the chance of a risky pilot.
Final checklist you can copy into your review process
- Current SOC report and/or current ISO certification
- Scope matches the exact service, region, and entity
- Clear map of storage, processing, backup, and support locations
- Data residency options documented if needed
- Current subprocessor list with roles and locations
- Access controls, MFA, logging, and offboarding explained
- Human reviewer or transcriber controls documented
- Encryption in transit and at rest confirmed
- Retention and deletion settings documented
- Incident response and notification terms reviewed
- DPA and security contract terms approved
- No blocking red flags remain
If you are comparing vendors, this checklist gives you a practical way to ask better questions and document the answers. And if you need help choosing the right workflow for security, accuracy, and delivery, GoTranscript provides professional transcription services that can fit different business needs.