Natterbox International Data Flows and Transfers
  • 05 Sep 2024

International Data Transfers 

Natterbox Data Exports/Transfers

Natterbox provides an advanced international telecommunications platform which requires a global infrastructure of carrier interconnects, number providers, servers, voice switches, data processing systems, databases and partner integrations.

These systems facilitate telephone call handling, real-time call routing, call recording and analysis, integration with customers’ Salesforce CRMs, billing systems, call recording storage and call log archiving.

The minimum basic personal information required to connect and route calls (name and business phone number) is stored within both regional AWS systems and Natterbox’s private cloud hosted within multiple global data centres. At the end of each call, all call data (call details, call policies, recordings, etc.) is transferred (via secure internal IPsec VPNs) to Natterbox’s UK data centres for processing. During this processing, call logs are transferred to customers’ Salesforce instances (via dedicated Salesforce interconnects) and call recordings are transferred (securely) to Natterbox’s EU AWS storage (or an alternative location if selected by the customer during setup). All but the information required for billing and regulatory call log archival is then deleted after processing.

The GDPR does not impose additional obligations on transactional call data (i.e. calls passing through carriers), as per Article 95 of the GDPR.

Between EU/EEA & UK

There is now an adequacy agreement that allows the continued free flow of personal data between the EU/EEA and the UK.

UK or EU/EEA to USA

If a customer has selected the default EU AWS instance for data storage then, outside of the transactional call data, data is not transferred to third parties outside of the EU. If a USA-based Natterbox AWS instance is selected, then the additional safeguards in place would be the EU-US Data Privacy Framework (DPF)*, which AWS has signed up to.

UK or EU/EEA to other non-EEA Countries


If a customer has selected the default EU AWS instance for data storage then, outside of the transactional call data, data is not transferred to third parties outside of the EU. If another Natterbox AWS instance is selected, then the additional safeguards in place would be the Standard Contractual Clauses that are in place with Amazon Web Services.


*US-EU Data Bridge

The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).

The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to, and complied with, for organisations to be able to join the Data Privacy Framework. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations who have been certified to the Data Privacy Framework can opt in to receiving data from the EU & UK.

Once a US organisation has been certified and is publicly placed onto the Data Privacy Framework List (DPF List) on the DPF website, it can receive EU & UK personal data through a UK-US data bridge.

Data Storage Regulations & Responsibilities

Customers handling any calls from/to EU/EEA or UK citizens:

  • Call data pushed to Salesforce - Responsibility of the customer to agree with Salesforce

  • Call logs stored in Natterbox systems - Data can flow between the EU/EEA and the UK.

  • Call recordings and voicemails stored in AWS - Storage location:

      • Default (EU instance) - No action as no data export

      • Natterbox USA-based instance - Allowed due to Data Privacy Framework

      • Natterbox outside EU/EEA other - Allowed due to Amazon SCCs

      • Own instance - Responsibility of the customer

Location of processing

To provide a secure and reliable telecoms service where calls can be routed with minimum latency between callers in any global location, Natterbox data centres and services are distributed globally within both global AWS servers and a private cloud infrastructure.

Natterbox’s dedicated private cloud systems are housed geographically in dedicated secure racks inside commercially run tier 1 or 2 data centres in the following locations:

  • Telehouse, London

  • Equinix, London

All data centres are SOC 1 or ISO 27001 compliant and provide solely co-location facilities for Natterbox network equipment. No other suppliers or sub-processors are utilised at these data centre locations, other than Carrier and Network interconnect providers.

The Natterbox AWS environment operates in 6 AWS regions:

  • eu-west-2 (London, UK)

  • eu-central-1 (Frankfurt, Germany)

  • us-east-2 (Ohio, United States)

  • us-west-2 (Oregon, United States)

  • ap-southeast-1 (Singapore)

  • ap-southeast-2 (Sydney, NSW, Australia)

Operational call logs are transferred from the regional AWS / data centres where the calls were facilitated to Natterbox’s own UK data centres in real time for processing. Once processed, call information is pushed into the customer's own Salesforce instances for storage and retention to facilitate reporting and business intelligence. Natterbox retains basic call log information for billing and regulatory requirements within our own data centres in the UK.

If utilising Natterbox’s call recording solution, encrypted recordings are stored using Amazon Web Services. By default, these are located in the EU (Dublin, Ireland), but optionally can be geographically located in other locations or in the customer’s own AWS storage instance.

If utilising Natterbox’s call transcription and analytics solution Insight, call recording data is processed by our US suppliers either in the US or EU, and then fed back to our systems. Data may be kept by the third party provider for up to 3 years for backup and verification purposes, and to improve the product’s AI-based voice transcription functionality. Data is always encrypted in transit and at rest.

Natterbox staff or agreed third-party partners may access data from a third country (subject to the appropriate safeguards and agreements) for support purposes, but data will not leave our systems.


