Privacy & Security

At Otter.ai ("Otter"), we believe that voice collaboration is more effective and more efficient when you can retain it, recall it and share it. We recognize your conversations may contain some of your most sensitive and confidential information. That’s why we are committed to keeping your information private and secure. Additionally, we believe transparency is important to all meeting participants. As such, users are required to comply with local laws and regulations and must always ask for consent and indicate when they are recording and transcribing conversations with others.
We follow best practices for privacy and security that align with global regulatory requirements
SOC 2 TYPE 2
Otter uses best practices to protect our customers’ data, works with independent experts to verify its security measures, and has achieved a SOC 2 Type 2 report against stringent standards. We work with an independent auditor to maintain a SOC 2 report, which objectively certifies our controls to ensure the continuous security of our customers' data.
GDPR
General Data Protection Regulation (GDPR) is Europe’s regulation for data protection and privacy. We have incorporated GDPR standards into data practices to make sure our customers have confidence in our security.
CCPA
California Consumer Privacy Act (CCPA) is a statute intended to enhance privacy rights and consumer protection for residents of California, United States. We do not sell your data. We have incorporated CCPA standards into our data practices.
VPAT
Otter recognizes the importance of Section 508 of the Rehabilitation Act and  for IT accessibility. Otter has completed a Voluntary Product Accessibility Template (VPAT) to document compliance with accessibility requirements as outlined in Section 508.
Privacy
You control your conversations (transcription and recordings).
Otter starts recording only when you or a meeting participant presses Record or invites OtterPilot to your meeting. When this happens, Otter’s AI technology enables it to record and transcribe automatically without any human interference.
Your conversations are always private, accessible only to you and the people you choose to share with. To change the permissions for any conversation, please reference these directions.
When you delete a conversation, it is moved to the Trash. Otter automatically deletes conversations from the Trash after 30 days. If you manually clear conversation(s) from the Trash, Otter deletes the conversation(s) at that time. Please see these directions for additional details.
Security
Otter doesn’t just talk about security. We’ve taken comprehensive actions to secure your conversations and data.
Two-factor authentication: Available for all Otter plans. For an added layer of security, turn on two-factor authentication for your account. If your password is compromised or stolen, you'll have peace of mind knowing that two-factor authentication keeps others out of your account, even if they have your password. Please see these directions for additional details.
Data Storage: Otter uses AWS S3 storage and enables AWS SSE (Server Side Encryption) on data (S3 buckets), as well as for machine data volumes. It encrypts the key itself with a root key that it regularly rotates. Server-side encryption uses a 256-bit Advanced Encryption Standard (AES-256).
Otter Employees: All employees go through a thorough background check, and sign a confidentiality agreement.
Otter Computers: We secure our employees' computers using mobile device management (MDM) (e.g. hard drive encryption enabled and anti-malware software installed).

Frequently Asked Questions

Will Otter disclose my personal data?
Under the Stored Communications Act, and therefore under U.S. law, Otter's users are afforded certain privacy protections with respect to government inquiries for their data stored on Otter’s systems.

Otter will not turn over any information about a customer without a legal process compelling Otter to do so.

In response to a subpoena, court order, or a search warrant issued by a court of competent jurisdiction, Otter will follow the process outlined in our Data Request Policy.

Otter is committed to the importance of trust and transparency for the benefit of our Customers and does not voluntarily provide government or law enforcement agencies with access to any data about users for surveillance purposes.
If you receive a request for my data, will you tell me?
Unless restricted by law or a court order, Otter intends to inform users promptly of any requests for their data by government officials or entities to permit the user to have time to object or intervene in the requests.
Will you turn over the contents of my recordings to law enforcement?
Otter will not turn over any information about a customer without a legal process compelling Otter to do so.
Will you turn over my data to a non-U.S. government?
Otter will not voluntarily comply with any non-U.S. government request for customer data. Otter will provide information to a foreign government official or entity only if compelled by a U.S. court to do so.
Do you use recordings and transcriptions to train your models?
Otter uses a proprietary method to de-identify user data before training our models so that an individual user cannot be identified. This training method is automatic and, as such, audio recordings and transcripts are not manually reviewed by a human. Additionally, our training data is encrypted.
Who can access my transcripts or recordings?
You have control over who you share your transcripts or recordings with. Otter requires explicit consent from the customer prior to Otter employees and customer support team accessing your transcript and/or audio recording to troubleshoot a product issue. Before audio recordings are ever reviewed manually by a human (Otter personnel or its third parties), we require explicit consent from customers.
Will the AI Service Providers use Otter's customer data to train their models/algorithms?
No customer data will be used to train or improve our AI Service Provider(s)’ artificial intelligence models/algorithms. Our AI Service Provider(s) do not store customer data sent through the API on their platform. For more information on our AI Service Provider(s), refer to our list of subprocessors.
What information does Otter collect?
When users create an account, they will be asked to provide a name, email, and password. If users create an account using a third-party login (such as Google, Apple or Microsoft) or integrate Otter with another app (such as Google Calendar, iCal, MS Outlook, Dropbox or Zoom), Otter will receive the information you choose to upload to the third-party platform (such as username, email address, and calendar information).
Does Otter share personal information for ads?
No personally identifiable information is shared for advertising. Otter does not have third-party ads served in our products, and we do not sell personal information to third parties.
Are other Subprocessors used to provide Otter services?
To provide our customers with high service levels and a high-quality solution, we utilize the subprocessors shown here.
Does Otter align with a cybersecurity framework to minimize the risk of a data breach?
Otter is continuously reviewing various cybersecurity frameworks to assess which frameworks best align with Otter’s security program. Our security policies are created based on the ISO 27001/2 framework.