Photo by Randarey. CC-BY-2.0

Journalistic work often depends on transcription services for creating written logs of recorded audio to assist in research, caption videos, and publish interviews. But uploading audio to a transcription service means giving a copy of that — sometimes sensitive — recording over to a company. While there is no single service that meets all of our data privacy needs, here we unpack security and privacy practices for popular transcription services, weigh when journalists should use remote transcription services, and explore how to minimize risk when working with sensitive audio.

In an informal poll, we heard from more than 50 journalists about their favorite transcription services and what they liked about each. Given the necessity of transcription, we emailed and researched the top five most referenced services — Descript, Otter.ai, Rev, Temi, and Trint — and asked: How safe are these services, and what are they doing to protect your data, private recordings, and transcripts?

We wanted to better understand:

  • Does the platform support two-factor authentication to help you protect your data from password breaches?
  • Does the service have the ability to access your audio and/or transcripts?
  • Under what circumstances would an employee have access to your audio and/or transcripts?
  • Are there any third parties who also get access to your transcripts and audio?
  • Do these tools allow customers’ audio to be used for training AI models?
  • Does the platform offer a transparency report to disclose whether or not they have received or complied with law enforcement requests for user data?
  • How does the company use encryption to protect this data?

Many of the security features of popular transcription services are similar. They all use standard TLS encryption to protect your traffic to and from the website, as well as AES-256 encryption to store data on their Amazon Web Services servers. In addition, Descript also uses Google Cloud servers and Rev uses Microsoft’s Azure cloud servers. Trint uses a cloud service called Filestack to help upload files from cloud storage tools like Google Drive into Amazon Web Services.

Regardless, each of these companies has the technical ability to access the audio you’ve uploaded. Likewise, to provide these services, the companies also have the technical ability to read the transcripts the company created and stored, and they each have a different policy surrounding when it’s necessary to do so.

Even if you’re OK with people inside the company, or those who are contracting for the company, accessing your data, you may feel differently about government requests for data. Unfortunately, none of the five services we looked at offer a transparency report, so there’s no way to know how frequently they receive or disclose user data responsive to law enforcement requests. We would love to see all major transcription service providers join the growing list of organizations that provide a transparency report so we can include that information when weighing privacy concerns.

Descript

Descript says in its security documentation that while it has the technical capability to look at users’ data, it commits to not doing so except in certain circumstances, such as when processing specific computer-generated voices or when a user has requested a review from a customer service representative. Users can also opt in to share information to help improve the service.

Behind the scenes, Descript is using a small handful of services to process transcripts. Descript uses Google Cloud Speech-to-Text to provide automatic transcription. Google says it deletes your data from its servers after the transcription is completed. According to its documentation, Descript also uses Rev to provide automatic or human transcription. Descript says, “If you request a White Glove transcription, we will share your audio files with Rev, which has strict confidentiality agreements with all of its employees.” (See the Rev section for our notes on that agreement and its caveats.)

Descript offers a powerful feature called Overdub, which allows users to insert realistic computer-generated voices into the transcript. To accomplish this, Descript uses Google Cloud to process and reproduce your voice. Descript will generate “nondefamatory” samples of your voice, and human reviewers on Amazon’s Mechanical Turk will listen to this sample audio to confirm the resulting voice sounds accurate. The company is clear that if you use Overdub, “We train and host your artificial voice using Google Cloud. Also, we use the audio that you shared as ‘Training Audio’ to improve our service.” Descript says its employees may also review the uploaded audio, as well as computer-generated output audio for quality assurance.

Descript does not offer two-factor authentication, except for Enterprise accounts, which can optionally enable this feature through a single sign-on provider such as Azure Active Directory or Google Workspace. Descript users may optionally use SSO with Google or SAML, a standard way to implement SSO. Due to the cost, this is likely out of reach for most newsrooms.

Otter.ai

Otter.ai encrypts its data on Amazon Web Services servers and holds the encryption keys. As of Sept. 1, 2024, its privacy policy suggests it uses this access to provide the service and to train its transcription artificial intelligence. It uses both OpenAI and Anthropic to aid in processing audio, though Otter says these processors will not store user data on their platform. It says, “We obtain explicit permission (e.g., when you rate the transcript quality and check the box to give Otter.ai and its third-party service provider(s) permission to access the conversation for training and product improvement purposes) for manual review of specific audio recordings to further refine our model training data.”

Otter.ai told Freedom of the Press Foundation (FPF) in an email, “Otter uses a fully automated, encrypted process to train on recordings and transcripts. While the training data may contain sensitive and personally identifiable information, it is disassociated from user account details (such as names and emails).”

Otter.ai offers two-factor authentication for all accounts.

Rev

According to its list of processors, in addition to Google Cloud Services and Amazon Web Services, Rev also uses Microsoft’s Azure cloud service to store user data. It hires freelancers from eClerx Services, and relies on Speechmatics and Rammer Technologies for language processing. Likewise, it uses Recall.ai for summarizing and transcribing voice and video meetings.

Rev offers both automatic and human transcription. According to Rev’s security documentation,

employees are “restricted to handle data required to perform their job. Our staff is trained on proper use of our systems and best practices for security & privacy.”

Staff may access user data for a variety of reasons. In an email with FPF, a representative of Rev told us, “Access to transcripts by employees is determined on a case-by-case basis, and there isn’t a strict set of circumstances.” A few examples where limited access may be necessary include:

  • If a user is unable to view their file within the editor tool, the Rev team may need to access the transcript to replicate and diagnose the issue.
  • If a transcript appears incomplete, it may need to check whether the source file provided is corrupted or if there was a processing error on Rev’s end.
  • If there are accuracy concerns within the file (AI Transcription), it may need to compare the audio against the output.

By default, Rev does leverage user data to train its AI models, though customers may opt out at [email protected].

Rev’s security documentation suggests it does not rely on third parties to automate transcription, but instead relies on its more than 60,000 freelance manual transcriptionists known as Revvers, who are bound by confidentiality agreements.

With that said, because these are human transcriptionists, you’ll want to think through your comfort level with uploading sensitive audio, particularly with sources. In a 2019 article from OneZero that interviewed a transcriptionist with Rev, recounting files they examined on the job, their personal favorite was when “a journalist recorded an interview with a prisoner in jail, using his name familiarly the entire time, and then saying that certain segments would be off-the-record or kept anonymous.”

Beyond Otter.ai, Rev is the only service of this group that offers two-factor authentication to all users.

Temi

Temi is an audio-to-text transcription service that uses advanced speech recognition software. Temi is operated by Rev, which processes data for Temi. Temi does not appear to use any third-party processing services. Unlike Rev, Temi does not offer human transcriptions and says on its website that, “Files are transcribed by machines and are never seen by a human.”

When asked whether Temi trains AI models on uploaded audio, a representative told FPF that user data is not used to train AI models.

They added, “Service is in the process of being sunset.” It seems Temi is not long for this world.

Temi does not offer two-factor authentication.

Trint

Trint is an AI-based transcription service for both audio and video files, popular with videographers because it integrates with the video editor Adobe Premiere Pro, as well as some other features.

Trint’s documentation is clear about its security measures. It does have the ability to decrypt users’ transcription and audio data, though it affirmatively commits to not doing so except in unusual cases and only with written consent from a client.

Trint’s platform privacy policy changes somewhat regularly, and with it, the companies it depends on to process user data. As of June 12, 2025, uploaded media is processed by Filestack and stored with Amazon Web Services. MongoDB Atlas has access to transcript metadata. In an email with FPF, a Trint representative said this metadata consists of media type, size, and duration. “Product usage logs are collected via a third party (Coralogix), who protect against tampering as part of their service.”

Much like Descript, Trint does not offer two-factor authentication, except for enterprise accounts that enable optional SSO. Users could also use SSO with Google, Facebook, or Apple to take advantage of their separate multifactor authentication offerings.

Threat modeling: When is a remote transcription service appropriate?

We recommend avoiding transcription altogether if your audio, in the wrong hands, could put people at risk. However, there are some situations where a transcription service is a necessary or easier choice, like when transcribing an interview that will be published in full. Because these services usually have access to your audio and transcripts, journalists must still make subjective decisions about when to share files with a transcription service.

To think about before uploading:

  • Do you intend to publish this transcript somewhere public?
  • How sensitive is this audio/transcript?
  • Have you committed to keeping this audio/transcript confidential?
  • How comfortable are you with a human transcriptionist listening to the audio, as opposed to an automated speech recognition tool?
  • Some transcription services based on automated speech recognition (e.g., Trint) commit to not look at your transcriptions. Are these reasonable enough assurances for this particular audio/transcript?
  • Similarly, many services (e.g., Rev) that offer human transcriptionists also require those transcriptionists to sign confidentiality and/or nondisclosure agreements. Are these reasonable enough assurances for this particular audio/transcript?
  • Many transcription services depend on third parties to help process the transcript. Are the third parties who have access to the audio acceptable for this particular file?
  • Does your account with the service store any particularly sensitive audio or transcripts? What assurances do you have from the platform to keep your account secure?

If you are working with sensitive material — recordings that could put someone at risk if they were made public or turned over to authorities — we suggest severely limiting who has access to that data. If you are working with an editor or on a deadline and your recordings are particularly sensitive, consider pushing for assistance in manual transcription or later deadlines due to the security of the recordings.

If you are working with material that’s sensitive until it’s published — embargoed research, for example — the risk of leaks is low and the outcome would be harmful, but not catastrophic. In this instance, using a service might make sense.

Minimizing risk with transcription services

Transcription services can be an important part of the journalistic workflow, but the services available today may introduce risk.

Take a few steps to use transcription services safely:

  • Most popular transcription services do not offer two-factor authentication, meaning someone could log into the account with just a password and download your transcripts. If you or anyone in your team reuses passwords, someone only needs to breach one of those passwords to reuse the password across multiple websites. That’s why we always recommend using long, unique passwords, ideally randomized with a password manager. These tools are easy to use and some are free, like through the 1Password for Journalism program.
  • If you have access to a service that does use two-factor authentication, like Rev or Otter.ai, it’s time to turn it on. If your team has a shared organizational subscription to a transcription service, everyone on the team can still access the two-factor authentication codes. Read more about how to use Authy or a password manager such as 1Password to share these codes across all of your team’s devices.
  • After downloading transcription files safely to your device, consider deleting them from the transcription service so that they cannot be accessed if your account is ever breached. For those working within a news organization, consider reaching out to your general counsel to learn if you have any policies in place for retention of sensitive transcription data. Freelancers should consider a personal, consistent, retention policy for recordings and transcripts. You may also want to check with your editor and look for any retention language in your contract. There may be situations where you are obligated to retain your data, for example, if your organization receives a legal hold order in the event of a lawsuit.

Can I automate transcriptions privately on my device?

There are some alternative transcription tools that avoid sharing a transcript with a third party, but there may be trade-offs in the quality of the transcription, ease of use, and compatibility with your device.

For example, if you are comfortable with the terminal or command line, you can also use OpenAI’s Whisper to automate transcription on your device. Google Recorder only works on Google Pixel phones.

As of iOS 18, iPhone users can use the built-in Voice Memos app to transcribe recordings, or even view a live transcription while a voice memo is being recorded, with the audio processing happening on-device. You can also transcribe calls, including on FaceTime. If you’re syncing voice memos or call transcripts with iCloud, however, you may want to opt into Apple’s Advanced Data Protection to end-to-end encrypt voice memos stored on iCloud servers.

These are just a few examples; there are thousands of these tools out there, each with its own trade-offs.

Whatever service you choose, glance through its security documentation to make sure there aren’t any unwanted surprises. In particular, look for policies surrounding the circumstances under which employees may access data and how the organization stores its data. If possible, opt for services that enable two-factor authentication. You can also reach out to our digital security team if you need help.