What Should I Look for in an Annotation Vendor's Security and Compliance Certifications?
Certifications are badges on a vendor's website. But which badges matter? SOC 2 Type II, ISO 27001, HIPAA BAA, GDPR compliance—they're not all the same, and a vendor can have some but not others. The difference between good security and adequate security is often the difference between a successful deployment and a breach.
The Mandatory: SOC 2 Type II
If you're considering a vendor with sensitive data (healthcare, financial, government, proprietary models), SOC 2 Type II is non-negotiable. Here's why:
SOC 2 is an independent audit of the vendor's security, availability, processing integrity, confidentiality, and privacy. Type II means the audit covered 6+ months of operations—not a snapshot, but sustained practices. It includes data handling, access controls, change management, disaster recovery, and incident response.
This is more rigorous than most certifications. The auditor physically visits the vendor's facilities, interviews staff, reviews security logs, tests access controls. You're getting an external opinion that processes are real, not theoretical.
What it is NOT: SOC 2 does not make a vendor "HIPAA certified" (no such certification exists). But SOC 2 Type II is equivalent to HIPAA security requirements for hospitals and healthcare systems.
Red flag: A vendor handling sensitive data without SOC 2 Type II should not be trusted. If they refuse to get audited, they're hiding something.
Why SOC 2 Type II Matters: An Operational Case Study
A pharmaceutical company contracted with an annotation vendor to label medical imaging datasets (CT scans, pathology slides) for training diagnostic AI. The contract required SOC 2 Type II compliance. During the audit review process, the vendor's SOC 2 Type II report revealed a critical gap: data logs were being retained for only 60 days, not the contractually required 7+ years. The audit report flagged this as a control deficiency. The vendor corrected it immediately—implementing long-term archive storage, establishing a retention schedule, and documenting the fix in their next audit. Had the vendor not been audited, this gap would have remained unknown until a regulatory inspection or breach investigation exposed it. By then, months of data would have been deleted against retention requirements, creating compliance risk and potential liability. The audit caught it in time. This is why SOC 2 Type II isn't bureaucracy—it's operational insurance.
Certification Comparison Table
Before diving into specific certifications, here's how the major ones compare:
| Certification | Scope | Audit Frequency | Typical Cost | Renewal | When to require |
|---|---|---|---|---|---|
| SOC 2 Type II | Security, availability, integrity, confidentiality, privacy. Covers processes & controls over 6+ months. | Every 2-3 years | Tens of thousands | Required every 2-3 years | Healthcare, finance, government, proprietary data |
| ISO 27001 | Information security management system. Broader coverage: people, processes, technology. | Every 3 years | Significant investment | Required every 3 years | Mission-critical data (autonomous systems, medical devices, critical infrastructure) |
| HIPAA BAA | US healthcare law. Legally mandated contract, not a certification. Covers PHI handling, encryption, breach notification. | Compliance-based (no audit, but subject to HHS inspection) | Signature only (free) | Ongoing compliance required | Any US healthcare data |
| GDPR DPA | EU data protection law. Legally mandated contract, not a certification. Covers data subject rights, processing lawfulness, breach notification. | Compliance-based (EU regulators audit on complaint) | Signature only (free) | Ongoing compliance required | Any EU resident data |
| ISO 27701 | Privacy management extension of ISO 27001. Covers GDPR/CCPA readiness. | Every 3 years | Varies by scope | Required every 3 years | GDPR-heavy workloads; stronger privacy proof than DPA alone |
| FedRAMP | US federal compliance. Covers security for US defence, intelligence, homeland security data. Highly specialised. | Every 3 years | £150K–500K (prohibitively expensive) | Required every 3 years | US federal contracts only |
| PCI-DSS | Payment Card Industry compliance. Covers payment data handling, encryption, access controls. | Every year | Varies by vendor size | Required annually | Payment data or credit-card processing |
Interpretation: SOC 2 Type II is the baseline for sensitive data. ISO 27001 adds rigour and is worth requesting for mission-critical work. HIPAA BAA and GDPR DPA are legal requirements, not optional. FedRAMP and PCI-DSS are specialised and rare outside their domains.
The Complementary: ISO 27001
ISO 27001 is an information security management system audit. It's broader than SOC 2 (covers people, processes, technology) and less common among software vendors. If a vendor has both SOC 2 and ISO 27001, they're serious about security.
ISO 27001 requires regular security training, incident response procedures, business continuity planning, and third-party vendor management. It's a comprehensive standard. Less common doesn't mean less valuable—it just means fewer vendors bother. Those that do are often large organisations or regulated industries.
When to require it: If your data is truly mission-critical (autonomous systems, medical devices, critical infrastructure), ISO 27001 is worth asking for.
Healthcare Specific: HIPAA BAA
HIPAA (Health Insurance Portability and Accountability Act) is US law. If your annotation involves healthcare data, you need a Business Associate Agreement with your vendor. This is not a certification—it's a contract that legally requires the vendor to handle protected health information (PHI) correctly.
HIPAA BAA requires: encryption in transit and at rest, access logs, incident notification (a breach must be reported within 24-72 hours), audit controls, and data integrity safeguards. It's enforceable by the US Department of Health and Human Services (penalties: up to $1.5M per violation).
What to ask: "Can you sign a HIPAA BAA?" If yes, they've probably done it before. If they hesitate or ask for added fees, they may not have the infrastructure in place.
EU Data: GDPR Compliance
GDPR (General Data Protection Regulation) is EU law. If your annotation involves EU residents' data, compliance is mandatory—not optional. Vendors must have a Data Processing Agreement (DPA) in place. GDPR fines are real: up to €20M or 4% of global revenue, whichever is larger.
GDPR requires: lawful basis for processing, data subject rights (access, deletion, portability), consent documentation, breach notification (72 hours), and data protection impact assessments. A vendor cannot claim GDPR compliance without these controls.
Vendors sometimes claim "GDPR compliant" but have no DPA in place. That's a lie. Ask for the executed DPA before signing.
Related certification: ISO 27701 is an extension of ISO 27001 focused on privacy. Some vendors pursue it to prove GDPR readiness. It's valuable but not mandatory if they have a solid DPA.
Domain-Specific: FedRAMP, PCI-DSS, and Others
If your data is US federal (defence, intelligence, homeland security), FedRAMP is required. If it's payment data, PCI-DSS is required. These are highly specialised certifications. Most annotation vendors don't have them. If you need them, the vendor pool shrinks dramatically.
Ask upfront: "What regulatory requirements apply to my data?" Then ask the vendor if they meet them. Don't assume they do.
Documentation and Transparency
The gold standard is a vendor who publishes their security posture openly. Request:
Security questionnaire: A vendor should complete your RFP security questionnaire without hesitation. If they push back, they're hiding gaps. A worked example: a fintech company preparing a major data annotation contract sent a 50-question security questionnaire covering access controls, encryption, incident response, business continuity, and audit rights. One vendor responded fully within two days. Another responded vaguely, claiming "methodology is proprietary" and resisting detailed answers on data retention, encryption protocols, and access-log retention periods. The fintech company immediately removed the evasive vendor from consideration. The responsive vendor moved to contract negotiation. Transparency saves due diligence time.
Compliance documentation: SOC 2 report, DPA, audit trails. These should be accessible (not hidden behind 12-month NDAs that prevent you from reviewing them). If a vendor insists on extreme confidentiality restrictions around their own audit report, they're not confident in it.
Audit trail samples: Ask the vendor to show how logging works. Can they prove who accessed your data on a specific date? Real audit logs prove real security. A healthcare startup validating a vendor's HIPAA readiness requested samples of audit logs covering a two-week period: user login times, data access timestamps, API calls, administrative changes. The vendor produced logs within 24 hours showing exactly who accessed which records and when. The startup signed the contract. A competitor vendor claimed HIPAA readiness but said "audit logs are stored internally and can't be shared for security reasons." Red flag. That vendor lost the deal.
IndiVillage's Security Profile
SOC 2 Type II completed (security controls audited). DPA available (GDPR ready). HIPAA compliance demonstrated via Audere case study (631K healthcare interpretations processed safely). B Corp certified (labour + governance + environmental audit). Security documentation published and downloadable.
This isn't badge collecting. It's verifiable proof of rigorous practice.
Red Flags in Security Claims
Claiming GDPR compliance without a DPA. A vendor says "we're GDPR compliant" but cannot produce an executed Data Processing Agreement. This is a lie. GDPR compliance without a DPA is like a restaurant claiming health certification without an inspection—it's not compliance, it's marketing. A DPA is a legal requirement, not optional. Walk away.
Confusing SOC 2 Type I with Type II. A vendor claims "SOC 2 certified" but the report is Type I (snapshot audit, one point in time). Type I proves they were audited once. Type II proves sustained controls over 6+ months. For sensitive data, Type I is insufficient. Always ask: "Is your SOC 2 report Type I or Type II?" If they hesitate or claim "we're in transition," they don't have Type II. Move on.
Refusing to share the actual audit report. A vendor says "we have SOC 2 Type II" but won't share the report itself—only a summary or executive letter. The report contains details: what controls were tested, which passed, which had exceptions, what the auditor found. Without it, you cannot assess the quality of their practices. Insist on the full report. If they refuse, that's your answer.
Certifications older than renewal cycle. A vendor's SOC 2 report is from 2022 (4+ years old). They claim "it's still valid," but SOC 2 requires renewal every 2-3 years. An old report means either they let it expire, or they obtained it years ago and haven't maintained compliance. Either way, it's not current proof. Ask: "When was your last audit completed? When is the next renewal due?" If the dates don't line up, the vendor is coasting.
Claiming compliance costs aren't passed to customers. A vendor says "our security is comprehensive and doesn't cost extra." Audit costs money. Secure infrastructure costs money. Talented security staff cost money. If a vendor claims enterprise-grade security at commodity pricing, they're either fabricating the security or absorbing losses they'll recover elsewhere. Be suspicious.
Offering to waive audit rights. A vendor says "you can audit if you want, but we offer a discount if you don't." Audit rights are how you verify their claims are true. Offering to remove that check in exchange for price is like a restaurant offering a discount if you skip the health inspection. If they're confident in their practices, audit rights cost them nothing—they should welcome them. If they're discouraging audits, they're hiding something.
The FAQ
Q: Is SOC 2 Type I acceptable?
Only for non-sensitive data. Type I is a snapshot audit (one point in time). Type II covers 6+ months. Type I is faster to obtain but doesn't prove sustained practices.
Q: What if a vendor doesn't have SOC 2?
For commodity work (public data, non-sensitive), it's acceptable. For sensitive data, it's disqualifying. Period.
Q: Can a vendor claim GDPR compliance without ISO 27701?
Yes. ISO 27701 is optional. GDPR compliance requires a DPA and documented controls, but not necessarily the certification. What matters is the DPA + proof of controls (audit, SOC 2, etc.).
Q: Should I audit the vendor myself?
If the contract permits, yes. But rely on SOC 2 first—external auditors are credible. On-site audits are expensive and rare for smaller partnerships.
Q: What if certifications are outdated?
Certifications expire. SOC 2 expires every 2-3 years (requires renewal). ISO 27001 expires every 3 years. Ask when the last audit was and when renewal is due. A vendor coasting on 5-year-old certs is not maintaining compliance.
Q: How much does compliance cost?
Audit costs vary by vendor size and scope. SOC 2 Type II and ISO 27001 require significant investment. HIPAA compliance is built into the vendor's security programme; signing the BAA itself is free. GDPR compliance (DPA plus controls) is likewise built in. Vendors pass these costs to customers, so large vendors often have them. Small vendors may not.
Q: Should I rely on SOC 2 Type II for offshore vendors?
Yes. SOC 2 Type II is an independent audit regardless of geography. An offshore vendor with current SOC 2 Type II has had their processes scrutinised just as thoroughly as an onshore vendor. Geography doesn't change the audit rigour. What matters is the audit date (current?), scope (covers the services you'll use?), and any reported exceptions. An offshore vendor with valid SOC 2 Type II is more trustworthy than an onshore vendor with no audit.
Q: What if my vendor has ISO 27001 but no SOC 2?
ISO 27001 is actually more comprehensive than SOC 2—it covers broader scope (people, processes, technology) and requires renewal every 3 years. If a vendor has current ISO 27001, they've passed a rigorous audit. SOC 2 Type II is more common in the US; ISO 27001 is more common globally. Either one is acceptable for sensitive data, though SOC 2 is more widely recognised in US contracts. Ask: "If you have ISO 27001, can you provide the most recent certificate?" If it's current, move forward.
Q: What should I do if a vendor breaks their security promise?
Include contractual language requiring the vendor to maintain certifications and undergo audits during the contract term. If a vendor's SOC 2 lapses (not renewed), or they breach audit requirements, that's a material breach. Your contract should allow immediate termination without penalty if they lose certification. Example language: "Vendor shall maintain SOC 2 Type II certification throughout the contract term. Lapse or non-renewal of certification is material breach, and Customer may terminate at any time without penalty." This gives you accountability to ensure they stay compliant.
Your Next Best Action
Before contract: request the vendor's SOC 2 Type II report (not a summary, the full report). Verify it's current (within last 2 years). Check audit scope (covers the services you'll use). For healthcare or EU data, request DPA and verify it's executed. If the vendor hesitates on any of these, find another vendor.
