Natterbox International Data Flows and Transfers

Prev Next

v1.7 May 2025

Overview

Natterbox provides global AI-powered communications (product depending) and data services to route and connect inbound and outbound communications and to transfer recordings and information about those communications into the Customer’s Salesforce CRM system and other storage services. These systems facilitate call and digital communications handling, real-time routing and handling, call recording and analysis, integration with customers’ Salesforce CRMs, billing systems, call recording storage and call log archiving.

Location of processing

Customer’s “Home Region” Data Storage

Home Region is a designated geographical location utilising AWS infrastructure where Natterbox mainly stores and partially processes the data of customers using Natterbox products.  Current Home Regions are:

  • Australia: Sydney & Melbourne AUS1

  • European Union: Germany & Sweden EUR1

  • United Kingdom & Ireland UKI1

  • United States: Ohio & Oregon USA1

The new Home Regions storage model will start to apply to new Natterbox products and various core components from June 2025, including call and interaction logs, billing and general data processing. Support for add-on services may vary.

Please see Appendix A for a table showing the default Home Region, which will be allocated based on the location of your Salesforce instance, unless otherwise agreed in advance.

Once set, Home Regions cannot be changed. 

Platform Processing

To provide a secure and reliable service Appendixwhere calls can be routed with minimum latency between callers in any global locations, Natterbox data centres and services are distributed globally within both global AWS servers and a private cloud infrastructure. The minimum basic personal information required to connect and route communications (user details, name and business phone number) is stored within both regional AWS systems and Natterbox’s private cloud hosted within multiple global data centres. At the end of the communication, all communication data is transferred (via secure internal IPSEC VPNs) to Natterbox’s UK data centres or AWS instances in the customer's “home region” for processing. 

Natterbox’s dedicated private cloud  systems are housed geographically in dedicated secure racks inside commercially run data centres in the following locations:

  • Telehouse, London 

  • Equinix, London

No other suppliers or sub-processors are utilised at these data centre locations, other than Carrier and Network interconnect providers. 

Natterbox AWS environment for call routing is operating in 6 AWS regions:

  • eu-west-2 (London, UK)

  • eu-central-1 (Frankfurt, Germany)

  • us-east-2 (Ohio, United States)

  • us-west-2 (Oregon, United States)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney, NSW, Australia)

Logs

Operational Call Logs are transferred from the regional AWS / data centres where the calls were facilitated to the customer’s Home Region or Natterbox’s own UK data centres in real time for processing.
Once processed, call information is pushed into the customer's own Salesforce instances for storage and retention to facilitate reporting and business intelligence. Natterbox retains basic call log information for billing and regulatory requirements within our own data centres in the UK or within AWS in the customer’s “home region”.

Call Recording and Transcription Data

If utilising Natterbox’s call recording solution, encrypted recordings are stored using Amazon Web Services.  Unless specifically agreed, these will either be stored in the EU, the customer's Home Region, or (if requested) in the customer’s own AWS storage instance. 

AI Services

If utilising Natterbox’s call transcription and analytics solutions or AI Services, call recording or real time call data is processed either within our AWS infrastructure, or by our US suppliers and then fed back to our systems. 

Results of Conversational AI product data will be stored in the customer’s Home Region.

Access from outside UK/EEA

Natterbox staff or agreed third-party partners may access data from a third country (subject to the appropriate safeguards and agreements) for support purposes but data will not leave our systems.

Subprocessor processing locations

Natterbox maintains a list of Sub-processors and their processing locations at https://docs.natterbox.com/docs/natterbox-sub-processors

AI Data & Model Training 

When using the Natterbox AI product (parts of which were formerly known as Insight, now Natterbox AI Advisor), transcriptions are processed by our US suppliers before being analysed by Natterbox AI Engines integrated with AWS Bedrock. No inputs or outputs from Bedrock or AI Engines are used for training purposes of any AI models. All responses are then stored by Natterbox alongside the transcription data in AWS and are available within the customer's Salesforce instance. Anonymised and random segmented data may be used by our transcription partners to continuously improve their accuracy. Marked personally-identifiable data is removed from any training. Customers can, on request and at a charge, completely opt out of this if desired.

Duration of processing
AI Services

For legacy AI services such the product formerly known as Insight, now Natterbox AI Advisor, data may be kept by the third-party provider for up to 3 years for backup and verification purposes, and to improve the product’s AI-based voice transcription functionality. Data is always encrypted in transit and at rest. 

Call recordings and transcription

Call recordings and transcription data is kept for 12 months unless additional storage is purchased, or a shorter retention period is requested. 

Logs

Operational Logs are retained for the minimum time required for processing and purged automatically and permanently on a 30 day rolling basis. 

Client Logs (including Call Logs) are stored by Natterbox for billing and regulatory purposes according to national and international communications laws and Regulations dependent on operating territory. 

GDPR/UK GDPR Transfer Safeguards

Between EU/EEA & UK 

There is now an adequacy agreement that allows the continued free flow of personal data between the EU/EEA and the UK.


UK or EU/EEA to non-EEA Countries

Natterbox utilises the US-EU Data Bridge, International Data Transfer agreements and Standard Contractual Clauses to ensure the safe transfer of data outside of the EU/UK. Please see our suppliers list for details of safeguards by supplier: https://docs.natterbox.com/docs/natterbox-sub-processors 

US-EU Data Bridge

  • The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).

  • The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to, and complied with, for organisations to be able to join the Data Privacy Framework. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations who have been certified to the Data Privacy Framework can opt in to receiving data from the EU & UK.

  • Once a US organisation has been certified and is publicly placed onto the Data Privacy Framework List (DPF List) on the DPF website they can receive EU & UK personal data through a UK-US data bridge.

  • See here for more details https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer

The GDPR does not impose additional obligations on transactional call data (i.e calls passing through carriers), as per Article 95 of GDPR.


If you have any further queries please contact compliance@natterbox.com


Appendix A - Default Home Region

Salesforce Instance Location

Home Region

Sydney, NSW, Australia (AUS)

AUS1

Mumbai, Maharashtra, India* (IND)

AUS1

Osaka, Japan* (JPN, AP)

AUS1

Tokyo, Japan* (JPN, AP)

AUS1

Jakarta, Indonesia* (IDN)

AUS1

Seoul, South Korea* (KOR)

AUS1

Singapore* (SGP)

AUS1

Non MVR customers with no Salesforce instances, with Billing Country in APAC

AUS1

Frankfurt, Germany (DEU)

EUR1

Milan, Italy (ITA)

EUR1

Paris, France (FRA)

EUR1

Amsterdam, Netherlands (EU)

EUR1

Stockholm, Sweden (SWE)

EUR1

UAE (ARE)

EUR1

Zürich, Switzerland* (CHE)

EUR1

Tel Aviv, Israel* (ISR)

EUR1

Non MVR customers with no Salesforce instances, with Billing Country in EMEA (ex., UK).

EUR1

London, UK (GBR)

UKI1

Montreal, QC, Canada* (CAN)

UKI1

Non MVR customers with no Salesforce instances, with Billing Country in the UK or Canada

UKI1

All MVR customers

UKI1

Oregon, USA (USA, HMR, NA)

USA1

Ohio, USA (USA, NA)

USA1

Northern Virginia, VA, USA (USA, NA)

USA1

São Paulo, Brazil* (BRA)

USA1

Non MVR customers with no Salesforce instances, with Billing Country in North & South America (ex., Canada).

USA1

Any other Salesforce region

Please check with your Customer Success Mgr

Update History

May 2025 - Expanded to include more details and introduce customer Home Region data storage locations, which are being rolled out from June 2025.