Privacy & Security

At Otter.ai, we believe that voice collaboration is more effective and more efficient when you can retain it, recall it and share it. We recognize your conversations may contain some of your most sensitive and confidential information. That’s why we are committed to keeping your information private and secure. Additionally, we believe transparency is important to all meeting participants. As such users are required to comply with local laws and regulations and must always ask for consent and indicate when they are recording and transcribing conversations with others.

We follow best practices for privacy and security that align with global regulatory requirements

SOC 2 TYPE 2

Otter utilizes best practices to protect our customers’ data and works with independent experts to verify its security measures, and has achieved SOC 2 Type 2 report against stringent standards. We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers' data.

GDPR

General Data Protection Regulation (GDPR) is Europe’s regulation for data protection and privacy.
‍
We have incorporated GDPR standards into data practices to make sure our customers have confidence in our security.

CCPA

California Consumer Privacy Act (CCPA) is a statute intended to enhance privacy rights and consumer protection for residents of California, United States. We do not sell your data and are compliant with CCPA.

VPAT

Otter recognizes the importance of Section 508 of the Rehabilitation Act and meets revised 508 Standards for IT accessibility. Otter is VPAT (Voluntary Product Accessibility Template) certified.

Privacy

You control your conversations (transcription and recordings).

Otter starts recording only when you or a meeting participant presses Record or invites Otter Assistant to your meeting. When this happens, Otter’s AI technology enables it to record and transcribe automatically without any human interference.

Your conversations are always private, accessible to only you and the people you choose to share with. To change the permissions for any conversation, please reference these directions.

When you delete a conversation, it is moved to the Trash. If you manually clear a conversation from the trash, Otter permanently purges the conversation at that time. Otter automatically clears conversations from the trash after 30 days, and permanently purges these conversations 7 days after they are cleared from the trash. Please see these directions for additional details.

Security

Otter.ai doesn’t just talk about security. We’ve taken comprehensive actions to secure your conversations and data.

Two-factor authentication: Available for all Otter plans. For an added layer of security, turn on two-factor authentication for your account. If your password is compromised or stolen, you'll have peace of mind knowing that two-factor authentication keeps others out of your account, even if they have your password. Please see these directions for additional details.

Data Storage: Otter uses AWS S3 storage and enables AWS SSE (Server Side Encryption) on data (S3 buckets), as well as for EC2 EBS data volumes. It encrypts the key itself with a root key that it regularly rotates. Amazon S3 and EBS server-side encryption uses a 256-bit Advanced Encryption Standard (AES-256).

Otter Employees: All employees go through a thorough background check, and sign a confidentiality agreement.

Otter Computers: We secure our employees' computers using mobile device management (MDM) (e.g. hard drive encryption enabled and anti-malware software installed).

Frequently Asked Questions

Will Otter.ai disclose my personal data?

Otter.ai is a remote computing service under the Stored Communications Act, which means that under U.S. law, its users are afforded certain privacy protections for government inquiries for their data stored on Otter’s systems.
‍
Otter will not turn over any information about a customer without legal process compelling Otter to do so.
‍
Otter will turn over a user’s content (i.e., recordings or transcriptions of recordings) only if it receives a valid search warrant.

In response to a subpoena, Otter will provide only the following information:
‍
• Name
• Address (or e-mail address)
• Records of session times and durations (or analogous information)
• Length of service (including start date) and types of service utilized
• Telephone or other subscriber number or identity
• Means and source of payment for such service (including any credit card or bank account number)
‍
In response to a court order, Otter will provide additional customer information requested by the order but not the content of any data stored on Otter’s systems.
‍
Finally, Otter will not voluntarily provide data to any foreign (non-U.S.) government official or entity. Otter will provide information to a foreign government official or entity only if compelled by a U.S. court to do so.

If you receive a request for my data, will you tell me?

Unless restricted by law or a court order, Otter intends to inform users promptly of any requests for their data by government officials or entities to permit the user to have time to object or intervene in the requests.

Will you turn over the contents of my recordings to law enforcement?

Otter will turn over the contents of recordings only if it received a search warrant from a judge. To date, Otter has never received such a request.

Will you turn over my data to a non-U.S. government?

Otter has never received a request from a foreign government for customer data. Otter will not voluntarily comply with any non-U.S. government request for customer data.

Does Otter.ai access my transcripts or recordings?

Otter.ai does not access your transcripts or audio recordings, unless given explicit customer consent for troubleshooting specific product support issues and/or the user opts-in to contribute data for system improvement.

What information does Otter collect?

When users create an account, they will be asked to provide a name, email, and password. If users create an account using a third-party login (such as Google, Apple or Microsoft) or integrate Otter with another app (such as Google Calendar, iCal, MS Outlook, Dropbox or Zoom), Otter.ai will receive the information you choose to upload to the third-party platform (such as username, email address, and calendar information). The audio recordings and transcript uploaded to your account are not accessible to Otter.ai unless you give explicit consent for troubleshooting a product support issue.

Does Otter share personal information for ads?

No personal identifiable information, including your transcripts and recordings, is shared for advertising. Otter does not have third-party ads served in our products, and we do not sell user information to third parties.

Are other Subprocessors used to provide Otter services?

To provide our customers with high service levels and a high-quality solution, we utilize a select group of subprocessors shown here.

Does Otter align with a cybersecurity framework to minimize the risk of a data breach?

Otter.ai is continuously reviewing various cybersecurity frameworks to assess which frameworks best align with Otter.ai’s security program. Our security policies are created based on the ISO 27001/2 framework.