For customers· 4 min read

Data Security in Annotation Services: What to Verify

Essential security questions for data annotation providers. Encryption, access controls, confidentiality agreements, and compliance certifications.

When you send thousands of images, audio files, or text documents to an annotation service for labeling, you're handing over assets that may contain proprietary information, customer data, or sensitive business logic. Your annotation vendor becomes a critical link in your supply chain—and a potential vulnerability if security practices are weak or opaque. Here's what you need to verify before signing a contract.

Encryption in Transit and at Rest

Ask your annotation provider directly: do they encrypt data both when it's being transmitted to their systems and while it sits in their databases? Encryption in transit typically uses TLS 1.2 or higher; at rest, look for AES-256 or equivalent standards. Request specifics rather than vague assurances. Many mid-tier providers use standard cloud infrastructure (AWS, Google Cloud, Azure) with built-in encryption, which is generally solid, but some smaller operations may store data on local servers with weaker protections.

Don't assume compliance certifications guarantee encryption. SOC 2 Type II compliance, for instance, requires security controls but doesn't mandate encryption at rest—you still need to verify the actual implementation.

Data Isolation and Access Controls

Your datasets should be logically separated from other clients' data. Ask whether the provider uses separate databases, separate buckets within cloud storage, or some other isolation mechanism. Single shared databases are a red flag.

Next, understand who can access your data:

  • Are annotators assigned only to your projects, or do they rotate between multiple clients?
  • Is access logged and auditable?
  • Do they use role-based access controls (RBAC) so junior staff can't view everything?

Reputable vendors will provide access logs on request and limit annotation staff to only the files they need to label.

Data Retention and Deletion Policies

What happens to your data after the project ends? A solid provider should offer either automatic deletion within a set window (30, 60, or 90 days) or on-demand deletion upon project completion. Get this in writing in your service agreement—not just on a general privacy page.

If you're in a regulated industry (healthcare, finance, legal), deletion timelines matter significantly. HIPAA-covered entities, for example, typically expect data deletion within days, not months. Confirm the provider's infrastructure supports verified deletion rather than just soft-deletes that leave recoverable traces.

Certifications and Compliance Standards

Check for industry-recognized credentials relevant to your sector:

  • SOC 2 Type II: Standard for US-based vendors handling sensitive data
  • ISO 27001: International information security management standard
  • HIPAA compliance: Required if you're handling healthcare data
  • GDPR adherence: Necessary if annotators or data subjects are in the EU
  • FedRAMP authorization: For government contracts

These certifications cost vendors $10,000–$50,000+ annually to maintain, so smaller annotation services may not carry them. That doesn't disqualify them, but it means you need to dive deeper into their security practices during due diligence.

Vendor Security Questionnaires and Audits

Most enterprises ask vendors to complete a security questionnaire covering areas like incident response, employee screening, penetration testing, and disaster recovery. Expect to spend 30–45 minutes on this if the vendor takes it seriously. If they refuse or provide generic responses, move on.

For high-stakes projects ($50,000+), request references from other clients or a third-party security audit summary. Some vendors undergo annual penetration testing and can share redacted results.

Network and Infrastructure Details

Where are your files actually stored? A vendor using Amazon S3 in a US region is generally safer than files on a server in an unknown location. Ask about:

  • Geographic data residency (which countries/regions)
  • Backup and disaster recovery procedures
  • Uptime guarantees (99.5% vs. 99.9% matters for critical workflows)

Clarify whether they use shared infrastructure with other companies or dedicated resources for your account.

Due Diligence Checklist

Before committing, verify:

  • Encryption standards (TLS 1.2+, AES-256)
  • Data isolation mechanism
  • Written retention and deletion policy
  • Relevant compliance certifications
  • Access logs and RBAC capability
  • Employee NDA and background check practices
  • Incident response plan

If you're comparing multiple vendors, platforms like Mercoly let you review and compare data annotation providers side-by-side, making it easier to assess their stated security practices and client feedback in one place.

Frequently Asked Questions

Q: What's the typical cost difference between annotation services with SOC 2 Type II certification versus those without? Certified providers typically charge 15–30% more per unit labeling cost, though this varies by scale and complexity. For a project of 50,000 images at $0.25–$0.50 per image, that could mean $1,875–$7,500 additional cost.

Q: Can I require annotators to sign individual NDAs in addition to the vendor's corporate agreement? Yes, and reputable vendors already do this as standard practice. If they push back hard, it's a warning sign about their operational maturity.

Q: How often should my annotation vendor conduct penetration testing? Industry best practice is annual testing at minimum; high-security environments expect semi-annual or quarterly assessments. Always ask when the last test occurred and request a summary.

Ready to vet your next annotation partner? Start by comparing vetted providers and their security practices today.

Looking for Data Annotation & Labeling?

Compare trusted Data Annotation & Labeling providers on Mercoly — browse profiles, products, and services and reach out in one place.

Related articles

More in Data, AI & Emerging Tech · Data Annotation & Labeling