UK Transcription Ltd AI Security Policy

Overview

This security policy outlines the data handling, processing, and retention practices for our ring-fenced AI transcription service. Our manual service uses no AI.

Data Processing Infrastructure

AI-Powered Transcription Service

We utilise AssemblyAI as our primary automated transcription processing partner. We have custom agreements with AssemblyAI that no audio is retained after processing and no data is used for training their models.

• ISO 27001 certification - International standard for information security management
• SOC 2 Type 2 compliance - Comprehensive coverage across security, availability, integrity, and privacy controls
• EU data residency capabilities - All processing occurs within the European Union

AI Processing Location

Audio files for automated transcription processing are handled through AssemblyAI's EU data residency infrastructure (api.eu.assemblyai.com), ensuring:

• Data remains within the European Union at all times
• Full compliance with EU data protection requirements
• Optimised performance for European operations
• Detailed monitoring and audit capabilities

Audio File Handling

Temporary Processing

• Audio files are temporarily processed by AssemblyAI's EU servers solely for transcription purposes
• Audio files are automatically deleted immediately upon completion of transcription processing
• No permanent storage of audio files occurs on AssemblyAI's systems
• Intermediate processing artifacts (transcoded audio, temporary files) are automatically purged within 3 days

Audio File Security

• All audio data is encrypted in transit using industry-standard TLS encryption
• Files are processed in secure, isolated environments
• No human access to audio content during automated processing

Transcript Data Management

Transcript Storage and Retention

• Completed transcripts are retained for operational purposes and client access
• Transcripts are stored with encryption at rest
• Retention period: 12 months from the date of transcript creation
• Automatic deletion occurs after 12 months unless deleted by the user
• Users may delete transcripts at any time before the automatic deletion period

Redaction and Data Protection Features

PII Redaction Capabilities

Our service includes optional personally identifiable information (PII) redaction featuring:

• Automatic detection and redaction of sensitive information including:
  • Place names
  • Email addresses
  • Physical addresses and locations
  • Personal names
  • Phone numbers
• Post-processing redaction - Applied after initial transcription is complete

Original Transcript Retention

• Original, unredacted transcripts are retained as backups to enable:
  • Undo functionality for redaction operations
  • Quality assurance and accuracy verification
  • Client-requested modifications or corrections

Data Security Measures

Encryption Standards

• Data in transit: TLS 1.3 encryption for all API communications
• Data at rest: AES-256 encryption for stored transcripts
• API security: Authenticated access with secure API key management

Access Controls

• Role-based access controls for transcript data
• Audit logging of all data access and modifications
• Secure authentication mechanisms for client access

Client Rights and Controls

Data Management Rights

Clients maintain full control over their data and may:

• Delete transcripts at any time through our secure portal
• Request immediate data purging outside standard retention periods
• Export transcript data in multiple formats

Transparency Measures

• Clear notification of data processing activities
• Regular updates on security infrastructure changes
• Incident reporting and notification procedures
• Direct client communication channels for security queries

Our Compliance Commitment

As a UK transcription service, we:

• Comply with UK DPA 2018 Data Protection Act requirements
• Adhere to EU GDPR through our EU data processing arrangements
• Maintain Cyber Essentials certification with annual renewal (government-backed cybersecurity standard)
• Maintain transparent data handling practices
• Provide clear client rights and data control mechanisms

Contact Information

For questions regarding this security policy or our data handling practices: