
5 Questions You Should Ask Your Transcription Service

You upload a recording, the AI transcribes it, and a few minutes later you have your transcript. The process seems simple – but what happens between upload and result? Who has access to your data? Where is it stored? And is it ever deleted?

These five questions help you assess a transcription service’s data protection practices before you upload confidential content.

Question 1: “Where is my data processed and stored?”

Why it matters: the processing location determines which legal system your data is subject to. US servers mean the CLOUD Act and potential government access without an EU court order.

Many transcription services store data in the US. This is problematic from a data-protection standpoint: the US CLOUD Act permits government access, and the legal basis for EU-US data transfers has been struck down repeatedly (Safe Harbor 2015, Privacy Shield 2020).

Good answer: “Our servers are in the EU, operated by a European company with ISO 27001 certification.”

Bad answer: “We use AWS/Google Cloud with EU regions.” (Still a US company, still the CLOUD Act.)

Question 2: “Who can read my transcripts?”

Why it matters: if the provider processes your data in plain text, employees, administrators or attackers can potentially view it – even if the provider does not intend it.

The decisive question is not whether the provider wants to read your data, but whether it technically can. With server-side encryption, the provider holds the key. With client-side encryption, only the user holds the key.

Good answer: “We cannot read your transcripts. Encryption happens in your browser, and only you hold the key.”

Bad answer: “Your data is private and confidential. Only you can view your transcripts.” (Evasive – says nothing about technical access.)

Question 3: “What happens to my audio files after transcription?”

Why it matters: audio recordings that remain on servers after processing are a permanent target for attack. Data minimization is not only a GDPR principle, but also practical protection.

Some services store original recordings permanently. This contradicts the GDPR principle of data minimization (Art. 5(1)(c)) and increases the attack surface: more stored data means more potential damage in the event of a breach.

Good answer: “Original recordings are automatically deleted after transcription. Only an encrypted playback version is retained.”

Bad answer: “You can delete your files at any time.” (Meaning: as long as you do not delete them, the originals stay on the server.)

Question 4: “Do you use cookies or tracking tools?”

Why it matters: cookies and trackers reveal usage patterns and can allow conclusions to be drawn about the content. A service that embeds Google Analytics or the Facebook Pixel shares usage data with US companies.

Tracking tools on transcription platforms are particularly problematic: they record which files you uploaded, edited and exported, and when. Combined with file names (which are visible in plain text at most services), this creates a detailed usage profile.

Good answer: “We use no cookies and no tracking tools. Authentication runs via secure tokens in the browser.”

Bad answer: “We use cookies in accordance with our cookie policy.” (Points to a legal text instead of to architectural decisions.)

Question 5: “Is my data used to train AI models?”

Why it matters: if your recordings feed into training, they become part of the model – and thus potentially reproducible in results for other users. Deleting the original data no longer helps at that point.

Some providers deliberately word their terms of use vaguely: “We may use your data to improve our services.” With client-side encryption, AI training on user data is technically impossible – the server sees only encrypted blobs.

Good answer: “No. We do not train models on customer data. Our architecture makes that technically impossible.”

Bad answer: “No.” (Without a technical explanation – purely a question of trust.)
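
The client-side model from Questions 2 and 5, as an added example that is not code from this post or from any provider: the browser derives an AES-GCM key from a passphrase and would upload only the salt, IV and ciphertext. The function names and the PBKDF2 parameters are assumptions chosen for illustration.

```javascript
// Added example: all names and parameters here are illustrative assumptions.
// Web Crypto is global in browsers; the require() fallback covers older Node.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();

// Derive an AES-256-GCM key from a passphrase that never leaves the client.
async function deriveKey(passphrase, salt) {
  const material = await webcrypto.subtle.importKey(
    "raw", enc.encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return webcrypto.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 600000, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: the raw key cannot be exported by page script
    ["encrypt", "decrypt"]);
}

// Returns the only data that would be uploaded: salt, IV and ciphertext.
async function encryptTranscript(passphrase, text) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per message
  const key = await deriveKey(passphrase, salt);
  const ciphertext = new Uint8Array(await webcrypto.subtle.encrypt(
    { name: "AES-GCM", iv }, key, enc.encode(text)));
  return { salt, iv, ciphertext };
}

// Runs on the client; rejects if the passphrase is wrong or the blob was altered.
async function decryptTranscript(passphrase, blob) {
  const key = await deriveKey(passphrase, blob.salt);
  const plain = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: blob.iv }, key, blob.ciphertext);
  return dec.decode(plain);
}

// Models a party that holds the stored blob but not the user's passphrase.
async function serverCanRead(blob, guess) {
  try {
    await decryptTranscript(guess, blob);
    return true;
  } catch {
    return false; // GCM tag check fails without the right key
  }
}
```

In this design a lost passphrase means an unrecoverable transcript, which is the same property that keeps the provider out.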

Summary

  • Location: An EU company with an EU data center and ISO 27001 certification.
  • Encryption: Client-side in the browser, not only server-side.
  • Data minimization: Originals are deleted after processing.
  • No cookies, no tracking: Architecturally excluded, not just via a cookie banner.
  • No AI training: Technically impossible, not just promised.

These five questions separate services that take data protection seriously from those that merely advertise it. The difference lies not in the answers but in the architecture behind them.
