// Trust & Security Report
Otter.ai, Inc.
AI meeting notetaker and transcription platform (Otter Notetaker / OtterPilot) with live transcription, AI-generated summaries and action items, Otter AI Chat (conversational search over meeting knowledge), a bot-free desktop recorder, an MCP Server for connecting meeting knowledge to third-party AI chat tools, and vertical agents (Sales, Recruiting, SDR). Sold on Basic/Pro/Business consumer-team tiers plus an Enterprise tier with admin controls and BAA availability.
Certifications held
5
Maturity
Growth
Trains on your data
Yes
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on otter.ai“Otter.ai ... has successfully completed its SOC 2 Type II audit and received a SOC 2 Type II report.”
Verify on otter.ai“Otter.ai, the leading AI meeting agent, has today announced that it has become Health Insurance Portability and Accountability Act (HIPAA) compliant. ... To start the Business Associate Agreement (BAA) process, you should reach out to your account manager or contact the Sales team.”
Verify on otter.ai“We have incorporated GDPR standards into data practices to make sure our customers have confidence in our security.”
Verify on otter.ai“We have incorporated CCPA standards into our data practices.”
Verify on otter.ai“Otter has completed a Voluntary Product Accessibility Template (VPAT) to document compliance with accessibility requirements.”
> Show 6 unconfirmed / not-held certifications
source: otter.aiOur security policies are created based on the ISO 27001/2 framework. (Vendor's own Privacy & Security page describes policies as framework-aligned; it does not state Otter holds an ISO 27001 certificate, names no accredited certification body, and no certificate/registration number is published.) Note: several third-party review/SEO sites (not otter.ai) list Otter.ai as 'ISO 27001 certified' -- this is not corroborated on the vendor's own domain and should be treated as an over-claim by those third parties, not the vendor.
source: otter.aiNo public evidence on otter.ai of a PCI DSS attestation; Otter does not process cardholder payment data directly (billing is handled via a third-party processor) and no PCI claim appears on the vendor's own security page.
source: otter.aiNo public evidence on otter.ai of FedRAMP authorization; not listed on the vendor's Privacy & Security page or blog.
source: otter.aiNo public evidence on otter.ai of a CSA STAR registry entry or self-assessment.
source: otter.aiNo public evidence on otter.ai of ISO/IEC 42001 certification; the vendor's security page only references the ISO 27001/2 framework for general security policy, with no AI-governance-specific certification named.
source: otter.aiNo public evidence on otter.ai of ISO 27017, 27018, or 27701 certification.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United States (AWS, US-based hosting); cross-border transfers to/from the EU/UK are covered by Standard Contractual Clauses per the GDPR DPA embedded in the Terms of Service.
Otter trains its proprietary speech-recognition and summarization models on de-identified audio recordings and transcriptions. Vendor's own Terms of Service state Otter retains rights to use 'Machine Learning' derived from usage for 'testing, tuning, optimizing, validating, or otherwise enhancing' the Service, and that Otter 'shall have the right to collect and analyze data ... to maintain, improve, and enhance' its products. The Help Center confirms this is opt-out (default ON) via Account > Settings > Data Controls, and that only the meeting host who enabled Otter Notetaker can see/toggle this setting -- other call participants have no visibility or independent opt-out. A federal class-action lawsuit filed August 2025 (N.D. Cal., Brewer v. Otter.ai) alleges Otter records and uses conversations to train its AI without adequate consent/disclosure to non-host participants, and disputes the adequacy of Otter's de-identification method; this is an active, unresolved legal matter and should be disclosed as a caveat, not treated as settled fact either way.
// Security controls
Encryption at rest
AES-256 via AWS S3 server-side encryption (SSE), with periodic root-key rotation
otter.aiAuthentication (Enterprise)
SSO and admin-managed authentication policies available on Enterprise workspaces
help.otter.aiGovernment data access
States it does not voluntarily provide government/law enforcement access to user data for surveillance purposes
otter.ai// Products & data scope
data: Personal meeting audio, transcripts, and summaries
Default AI-training opt-out toggle is ON; no BAA/HIPAA available at this tier.
data: Team meeting audio, transcripts, channels, shared workspace data
Adds admin controls but still not covered by HIPAA BAA per public reporting; verify current tier boundary with vendor before enterprise/regulated use.
data: Org-wide meeting data with admin-configured retention, authentication, and sharing policies
Only tier where a signed Business Associate Agreement (HIPAA) is available; enterprise admin console covers authentication, data retention, AI feature and integration controls.
data: Exposes stored meeting knowledge to third-party AI chat clients (e.g., Claude, ChatGPT) that connect via MCP
New integration surface; treat as an additional data-egress path when scoping access reviews -- no separate security documentation found on otter.ai beyond the general Privacy & Security page.
// What to watch
- No dedicated interactive trust center (e.g. SafeBase/Vanta portal) was found; 'Privacy & Security' is a standard marketing/legal page, not a document-download trust portal -- listing should not imply a formal trust center exists.
- Identity-conflation risk avoided: tryotter.com (a restaurant point-of-sale company also branded 'Otter') is a DIFFERENT company from otter.ai (the meeting transcription vendor assessed here); its DPA was explicitly checked and excluded from this assessment.
- Third-party review sites (not otter.ai) claim Otter.ai is 'ISO 27001 certified,' 'PCI Compliant,' 'FedRAMP Compliant,' and 'CSA STAR Level 1 Compliant.' None of these are corroborated on the vendor's own domain -- the vendor's own page only says security policies are 'based on' the ISO 27001/2 framework. Treat these as unverified over-claims by third parties, not the vendor.
- HIPAA compliance and BAA availability are restricted to the Enterprise plan; Basic/Pro/Business customers cannot get a BAA and should not process PHI on Otter.
- AI training posture has an active, unresolved legal dispute: an August 2025 federal class-action (N.D. Cal.) alleges Otter secretly records conversations and uses them (via non-host participants who cannot opt out) to train its models without adequate consent, and disputes Otter's de-identification claims. This should be disclosed to prospective enterprise buyers as an open legal matter.
- Possible internal contradiction: Otter's Terms of Service reserve broad rights to use 'Machine Learning' derived from usage data to improve the Service, while marketing/support copy frames AI training as an opt-out toggle limited to de-identified data -- the practical scope of what is covered by each statement is not fully reconciled in public documents.
// At a glance
Pricing model
Freemium SaaS: free tier plus paid Pro/Business per-seat plans and custom-priced Enterprise
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Otter.ai, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
otter.ai