v1.7 May 2025
Overview
Natterbox provides global AI-powered communications (product depending) and data services to route and connect inbound and outbound communications and to transfer recordings and information about those communications into the Customer’s Salesforce CRM system and other storage services. These systems facilitate call and digital communications handling, real-time routing and handling, call recording and analysis, integration with customers’ Salesforce CRMs, billing systems, call recording storage and call log archiving.
Location of processing
Customer’s “Home Region” Data Storage
Home Region is a designated geographical location utilising AWS infrastructure where Natterbox mainly stores and partially processes the data of customers using Natterbox products. Current Home Regions are:
Australia: Sydney & Melbourne AUS1
European Union: Germany & Sweden EUR1
United Kingdom & Ireland UKI1
United States: Ohio & Oregon USA1
The new Home Regions storage model will start to apply to new Natterbox products and various core components from June 2025, including call and interaction logs, billing and general data processing. Support for add-on services may vary.
Please see Appendix A for a table showing the default Home Region, which will be allocated based on the location of your Salesforce instance, unless otherwise agreed in advance.
Once set, Home Regions cannot be changed.
Platform Processing
To provide a secure and reliable service Appendixwhere calls can be routed with minimum latency between callers in any global locations, Natterbox data centres and services are distributed globally within both global AWS servers and a private cloud infrastructure. The minimum basic personal information required to connect and route communications (user details, name and business phone number) is stored within both regional AWS systems and Natterbox’s private cloud hosted within multiple global data centres. At the end of the communication, all communication data is transferred (via secure internal IPSEC VPNs) to Natterbox’s UK data centres or AWS instances in the customer's “home region” for processing.
Natterbox’s dedicated private cloud systems are housed geographically in dedicated secure racks inside commercially run data centres in the following locations:
Telehouse, London
Equinix, London
No other suppliers or sub-processors are utilised at these data centre locations, other than Carrier and Network interconnect providers.
Natterbox AWS environment for call routing is operating in 6 AWS regions:
eu-west-2 (London, UK)
eu-central-1 (Frankfurt, Germany)
us-east-2 (Ohio, United States)
us-west-2 (Oregon, United States)
ap-southeast-1 (Singapore)
ap-southeast-2 (Sydney, NSW, Australia)
Logs
Operational Call Logs are transferred from the regional AWS / data centres where the calls were facilitated to the customer’s Home Region or Natterbox’s own UK data centres in real time for processing.
Once processed, call information is pushed into the customer's own Salesforce instances for storage and retention to facilitate reporting and business intelligence. Natterbox retains basic call log information for billing and regulatory requirements within our own data centres in the UK or within AWS in the customer’s “home region”.
Call Recording and Transcription Data
If utilising Natterbox’s call recording solution, encrypted recordings are stored using Amazon Web Services. Unless specifically agreed, these will either be stored in the EU, the customer's Home Region, or (if requested) in the customer’s own AWS storage instance.
AI Services
If utilising Natterbox’s call transcription and analytics solutions or AI Services, call recording or real time call data is processed either within our AWS infrastructure, or by our US suppliers and then fed back to our systems.
Results of Conversational AI product data will be stored in the customer’s Home Region.
Access from outside UK/EEA
Natterbox staff or agreed third-party partners may access data from a third country (subject to the appropriate safeguards and agreements) for support purposes but data will not leave our systems.
Subprocessor processing locations
Natterbox maintains a list of Sub-processors and their processing locations at https://docs.natterbox.com/docs/natterbox-sub-processors
AI Data & Model Training
When using the Natterbox AI product (parts of which were formerly known as Insight, now Natterbox AI Advisor), transcriptions are processed by our US suppliers before being analysed by Natterbox AI Engines integrated with AWS Bedrock. No inputs or outputs from Bedrock or AI Engines are used for training purposes of any AI models. All responses are then stored by Natterbox alongside the transcription data in AWS and are available within the customer's Salesforce instance. Anonymised and random segmented data may be used by our transcription partners to continuously improve their accuracy. Marked personally-identifiable data is removed from any training. Customers can, on request and at a charge, completely opt out of this if desired.
Duration of processing
AI Services
For legacy AI services such the product formerly known as Insight, now Natterbox AI Advisor, data may be kept by the third-party provider for up to 3 years for backup and verification purposes, and to improve the product’s AI-based voice transcription functionality. Data is always encrypted in transit and at rest.
Call recordings and transcription
Call recordings and transcription data is kept for 12 months unless additional storage is purchased, or a shorter retention period is requested.
Logs
Operational Logs are retained for the minimum time required for processing and purged automatically and permanently on a 30 day rolling basis.
Client Logs (including Call Logs) are stored by Natterbox for billing and regulatory purposes according to national and international communications laws and Regulations dependent on operating territory.
GDPR/UK GDPR Transfer Safeguards
Between EU/EEA & UK
There is now an adequacy agreement that allows the continued free flow of personal data between the EU/EEA and the UK.
UK or EU/EEA to non-EEA Countries
Natterbox utilises the US-EU Data Bridge, International Data Transfer agreements and Standard Contractual Clauses to ensure the safe transfer of data outside of the EU/UK. Please see our suppliers list for details of safeguards by supplier: https://docs.natterbox.com/docs/natterbox-sub-processors
US-EU Data Bridge
The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).
The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to, and complied with, for organisations to be able to join the Data Privacy Framework. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations who have been certified to the Data Privacy Framework can opt in to receiving data from the EU & UK.
Once a US organisation has been certified and is publicly placed onto the Data Privacy Framework List (DPF List) on the DPF website they can receive EU & UK personal data through a UK-US data bridge.
See here for more details https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer
The GDPR does not impose additional obligations on transactional call data (i.e calls passing through carriers), as per Article 95 of GDPR.
If you have any further queries please contact compliance@natterbox.com
Appendix A - Default Home Region
Update History
May 2025 - Expanded to include more details and introduce customer Home Region data storage locations, which are being rolled out from June 2025.