Natter’s web-based platform provides impartial, anonymous, inclusive, instant insights and ensures security and privacy by design.
Insights derived from transcription data are not attributed to individuals, and our technology automatically redacts personal data before analysis takes place.
No downloads, installations or integrations are required; all traffic is inbound to Natter, and no outbound traffic is sent to client environments.
Automatic data minimization and anonymization ensure that minimal personal identifiers are collected, and all identifiers are redacted before processing. No data is processed outside of the UK or EU regions, ensuring full compliance with GDPR.
We protect customer data as if it were our own through Company SSO, 256-bit encryption, TLS v1.2 (or higher) and MFA.
Customers have full control over their data, and can request deletion at any time. End users must consent to being transcribed, and personal data is automatically redacted prior to analysis.
Once data is processed, the system does not retain or reuse it for training purposes. Natter excludes account names, IP addresses, and authentication data from processing and storage. This also applies to our suppliers.
Consent is requested and provided as part of the end user account registration process, as well as prior to each conversation and transcription that takes place on Natter. If no such consent is given, transcription does not take place. Personal data is redacted automatically.
Data is encrypted at rest using AES-256 (or equivalent) at a minimum, and in transit using TLS v1.2 or higher.
Secure application development (SDLC), a peer review process, least-privilege access and security testing are built into our critical path.
Continuous monitoring ensures real-time detection and response to potential security threats.
Natter holds ISO 27001, and is audited annually. Our hosting provider AWS also maintains multiple security certifications to safeguard the infrastructure underlying the Natter service. Information about AWS compliance programs is available here.
Natter is UK-headquartered and compliant with both the UK and EU GDPR data protection regulations (and their rules on data protection, privacy and transfer). The service is securely hosted in AWS eu-west-2 (London, UK), ensuring high availability and regular backups, and regular Business Continuity & Disaster Recovery and Incident Response tests are performed.
Natter is certified to ISO 27001 and is GDPR, UK GDPR and EU AI Act compliant. Refer to our Responsible AI Statement for more information.
Anonymity is hardwired into Natter. We exclude account names, IP addresses, and authentication data from processing and storage. Our AI Engine only receives de-identified text, stripped of personal identifiers at the point of input. Learn more in Our Approach to Data Privacy & Anonymity.
Users are informed via multiple touchpoints, including our Privacy & Cookies Policy, which defines “Transcription data” and explains its use. We also display a link to Our Approach to Data Privacy & Anonymity during account setup and platform usage.
Natter maintains a full suite of internal policies, including:
- Acceptable Use Policy
- Asset Management Policy
- Backup Policy
- Business Continuity Plan
- Change Management Policy
- Code of Conduct
- Data Classification Policy
- Data Protection Policy
- Data Retention Policy
- Disaster Recovery Plan
- Encryption Policy
- Incident Response Plan
- Password Policy
- Physical Security Policy
- Risk Assessment Policy
- Vendor Management Policy
Natter uses a limited number of pre-approved third-party service providers, vetted under our Vendor Management Policy. You can view our full list in our Service Providers & Data Transfer Policy.
Neither recordings nor conversation data are stored by our providers. Our AI Engine does not retain information post-processing, and customer data is never used for training or modelling. Refer to our Responsible AI Statement for more information.
Natter complies with GDPR both as a data processor and a controller. We’re also aligned with other international privacy regulations such as the CCPA. For more information, refer to our End User Licence Agreement (EULA), Service Providers & Data Transfer Policy, and Privacy & Cookies Policy.
We collect only limited and customizable data. Personal data includes first name, surname, email address, job title, and optional demographic data for anonymized benchmarking. Demographics can be fully customized by end users. Only anonymous qualitative responses are sent to our AI Engine - never user identifiers, PII, or authentication data. Refer to our Responsible AI Statement for more information.
Consent is obtained during account creation and again before the user joins a conversation. If consent isn’t given, transcription does not occur. Personal data is redacted automatically, prior to analysis.
We use Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for platform access. Granular access controls are also enforced at the platform and AWS backend levels via IAM.
Customers have full control and can request deletion of their data at any time. See section 6 of our Privacy & Cookies Policy: “Retaining and deleting personal data”.
You can contact Natter’s Security & Privacy team by sending an email to security@natter.co to report a vulnerability, security event, or request a copy of the Natter DPA.