// Trust & Security Report

    Otter.ai, Inc. logo

    Otter.ai, Inc.

    AI meeting notetaker and transcription platform (Otter Notetaker / OtterPilot) with live transcription, AI-generated summaries and action items, Otter AI Chat (conversational search over meeting knowledge), a bot-free desktop recorder, an MCP Server for connecting meeting knowledge to third-party AI chat tools, and vertical agents (Sales, Recruiting, SDR). Sold on Basic/Pro/Business consumer-team tiers plus an Enterprise tier with admin controls and BAA availability.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Otter.ai ... has successfully completed its SOC 2 Type II audit and received a SOC 2 Type II report.

    Verify on otter.ai
    HIPAA compliance / BAA (Enterprise only)
    HELD

    Otter.ai, the leading AI meeting agent, has today announced that it has become Health Insurance Portability and Accountability Act (HIPAA) compliant. ... To start the Business Associate Agreement (BAA) process, you should reach out to your account manager or contact the Sales team.

    Verify on otter.ai
    GDPR compliance posture (not a certification)
    HELD

    We have incorporated GDPR standards into data practices to make sure our customers have confidence in our security.

    Verify on otter.ai
    CCPA compliance posture
    HELD

    We have incorporated CCPA standards into our data practices.

    Verify on otter.ai
    VPAT / Section 508 accessibility
    HELD

    Otter has completed a Voluntary Product Accessibility Template (VPAT) to document compliance with accessibility requirements.

    Verify on otter.ai
    > Show 6 unconfirmed / not-held certifications
    ISO 27001 (certification)
    NOT CONFIRMED

    Our security policies are created based on the ISO 27001/2 framework. (Vendor's own Privacy & Security page describes policies as framework-aligned; it does not state Otter holds an ISO 27001 certificate, names no accredited certification body, and no certificate/registration number is published.) Note: several third-party review/SEO sites (not otter.ai) list Otter.ai as 'ISO 27001 certified' -- this is not corroborated on the vendor's own domain and should be treated as an over-claim by those third parties, not the vendor.

    source: otter.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence on otter.ai of a PCI DSS attestation; Otter does not process cardholder payment data directly (billing is handled via a third-party processor) and no PCI claim appears on the vendor's own security page.

    source: otter.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence on otter.ai of FedRAMP authorization; not listed on the vendor's Privacy & Security page or blog.

    source: otter.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence on otter.ai of a CSA STAR registry entry or self-assessment.

    source: otter.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence on otter.ai of ISO/IEC 42001 certification; the vendor's security page only references the ISO 27001/2 framework for general security policy, with no AI-governance-specific certification named.

    source: otter.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on otter.ai of ISO 27017, 27018, or 27701 certification.

    source: otter.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United States (AWS, US-based hosting); cross-border transfers to/from the EU/UK are covered by Standard Contractual Clauses per the GDPR DPA embedded in the Terms of Service.

    Otter trains its proprietary speech-recognition and summarization models on de-identified audio recordings and transcriptions. Vendor's own Terms of Service state Otter retains rights to use 'Machine Learning' derived from usage for 'testing, tuning, optimizing, validating, or otherwise enhancing' the Service, and that Otter 'shall have the right to collect and analyze data ... to maintain, improve, and enhance' its products. The Help Center confirms this is opt-out (default ON) via Account > Settings > Data Controls, and that only the meeting host who enabled Otter Notetaker can see/toggle this setting -- other call participants have no visibility or independent opt-out. A federal class-action lawsuit filed August 2025 (N.D. Cal., Brewer v. Otter.ai) alleges Otter records and uses conversations to train its AI without adequate consent/disclosure to non-host participants, and disputes the adequacy of Otter's de-identification method; this is an active, unresolved legal matter and should be disclosed as a caveat, not treated as settled fact either way.

    // Security controls

    Encryption in transit

    TLS

    otter.ai

    Encryption at rest

    AES-256 via AWS S3 server-side encryption (SSE), with periodic root-key rotation

    otter.ai

    Hosting

    Amazon Web Services (AWS), US-based

    otter.ai

    Authentication (Enterprise)

    SSO and admin-managed authentication policies available on Enterprise workspaces

    help.otter.ai

    Government data access

    States it does not voluntarily provide government/law enforcement access to user data for surveillance purposes

    otter.ai

    // Products & data scope

    Otter Basic / Pro (individual)Consumer AI notetaker

    data: Personal meeting audio, transcripts, and summaries

    Default AI-training opt-out toggle is ON; no BAA/HIPAA available at this tier.

    Otter BusinessTeam AI notetaker

    data: Team meeting audio, transcripts, channels, shared workspace data

    Adds admin controls but still not covered by HIPAA BAA per public reporting; verify current tier boundary with vendor before enterprise/regulated use.

    Otter EnterpriseEnterprise AI notetaker / governance

    data: Org-wide meeting data with admin-configured retention, authentication, and sharing policies

    Only tier where a signed Business Associate Agreement (HIPAA) is available; enterprise admin console covers authentication, data retention, AI feature and integration controls.

    Otter MCP ServerAI integration / API surface

    data: Exposes stored meeting knowledge to third-party AI chat clients (e.g., Claude, ChatGPT) that connect via MCP

    New integration surface; treat as an additional data-egress path when scoping access reviews -- no separate security documentation found on otter.ai beyond the general Privacy & Security page.

    // What to watch

    • No dedicated interactive trust center (e.g. SafeBase/Vanta portal) was found; 'Privacy & Security' is a standard marketing/legal page, not a document-download trust portal -- listing should not imply a formal trust center exists.
    • Identity-conflation risk avoided: tryotter.com (a restaurant point-of-sale company also branded 'Otter') is a DIFFERENT company from otter.ai (the meeting transcription vendor assessed here); its DPA was explicitly checked and excluded from this assessment.
    • Third-party review sites (not otter.ai) claim Otter.ai is 'ISO 27001 certified,' 'PCI Compliant,' 'FedRAMP Compliant,' and 'CSA STAR Level 1 Compliant.' None of these are corroborated on the vendor's own domain -- the vendor's own page only says security policies are 'based on' the ISO 27001/2 framework. Treat these as unverified over-claims by third parties, not the vendor.
    • HIPAA compliance and BAA availability are restricted to the Enterprise plan; Basic/Pro/Business customers cannot get a BAA and should not process PHI on Otter.
    • AI training posture has an active, unresolved legal dispute: an August 2025 federal class-action (N.D. Cal.) alleges Otter secretly records conversations and uses them (via non-host participants who cannot opt out) to train its models without adequate consent, and disputes Otter's de-identification claims. This should be disclosed to prospective enterprise buyers as an open legal matter.
    • Possible internal contradiction: Otter's Terms of Service reserve broad rights to use 'Machine Learning' derived from usage data to improve the Service, while marketing/support copy frames AI training as an opt-out toggle limited to de-identified data -- the practical scope of what is covered by each statement is not fully reconciled in public documents.

    // At a glance

    Pricing model

    Freemium SaaS: free tier plus paid Pro/Business per-seat plans and custom-priced Enterprise

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Otter.ai, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    otter.ai

    > Browse all vendor trust reports