Created Oct 11, 2025

Vendor risk report

Otter

Enterprise Terms

otter.ai

Report date: Oct 11, 2025
Author: Admin
Vendor domain: otter.ai

Executive Summary

Otter processes sensitive data: (1) the content of your meetings and (2) your sales lead data.

There are three things that might make you uncomfortable:

  • Using usage data to train AI. Note, this excludes content, so you could be fine with it.
  • Security posture is relatively light. While Otter has SOC 2, it doesn't have all the detailed security pages and detailed security information you might be expecting.
  • Logo use. Otter has the right to use customer logos and, oddly, asks for a quote (although you don't have to give it).

Otherwise, the SaaS terms are standard.

TIP

  • The Enterprise Terms are more customer-favorable than the standard terms, so you could push for those.

Reference Documents

Product & Data Summary

  • Otter AI Meeting Agent (core transcription & meeting notetaking): Meeting audio and video recordings, full transcripts, timestamps, speaker labels, meeting notes
  • Otter Agents (role- and industry-specific Agents: Sales Agent, Recruiting Agent, Education Agent, Media Agent, SDR Agent): Lead and prospect data captured during sales interactions (contact details, meeting notes
  • Otter for Teams & Enterprise (Business/Enterprise workspace, admin & compliance features): Enterprise user accounts and admin data: user identities, roles and permissions, SSO/identity

Security Overview

  • SOC 2 Type II: present (attested).
  • ISO 27001: not found on vendor pages (policies aligned to the ISO framework).
  • HIPAA: vendor states HIPAA compliance (Enterprise + BAA required).
  • Notable controls: AES-256 server-side encryption (AWS S3 SSE), 2FA and SSO/SAML, subprocessors list, and vendor-stated regular security audits.
  • Enterprise controls (data residency, retention, admin controls) available via Enterprise plan/BAA.

Stability Overview

  • Founded: 2016
  • ARR: $100M (announced Mar 25, 2025)
  • Funding: ≈ $70–73M total; Series B $50M (Feb 25, 2021)
  • Employees: <200 (LinkedIn size 51–200)
  • Profitability/runway: unknown — no public profit/runway disclosure

Playbook Findings

Master Services Agreement (6)

Data Protection

DPA Present

Compliant

Contract language

"1.2. Data Processing Addendum. The data processing addendum set forth as Appendix 1 through 6 of the Otter Terms of Service at https://otter.ai/terms-of-service is hereby incorporated by reference."

Playbook rule

For vendors processing personal data, a Data Processing Agreement (DPA) or Addendum is required. The DPA should address GDPR/CCPA compliance, subprocessors, data subject rights, and security measures. Complete absence of DPA or privacy terms is unacceptable for any vendor handling customer or employee data. Also check for references to SOC 2, ISO 27001, or other compliance certifications.

Limitation of Liability

Standard Liability Cap

Compliant

Contract language

"7.2. Limitation on Amount of Liability. ... the total liability of either party ... shall not exceed, in the maximum aggregate, the fees paid and payable to Otter under the Customer’s applicable Order in the twelve-month period prior to the date on which the damage occurred."

Playbook rule

Vendor's total liability must not be capped below 12 months of fees paid. Caps based on shorter periods (e.g., "fees paid in the prior month") or nominal amounts (e.g., "$100") are unacceptable. Look for language like "shall not exceed," "limited to," or "liability capped at."

Data Protection

No Broad Customer Content Use Rights / No AI Training on Customer Content

Compliant

Contract language

"2.3 Customer Content. Customer authorizes Otter and its service providers to use Customer Content for the sole purpose of providing the Otter Platform and performing the activities contemplated by this Agreement (such as maintaining, securing, debugging, and otherwise performing quality control for the Otter Platform)."

"2.5. Usage Data. Otter will have the right to collect and analyze data ... ("Usage Data") and Otter will be free (during and after the Order Term) to use Usage Data in de-identified and aggregated form to maintain, improve, and enhance Otter’s products or services. ... For clarity, Usage Data excludes Customer Content itself."

Playbook rule

Vendor must not have unrestricted rights to use Customer content for purposes beyond providing the service.

  • That includes using aggregated and anonymized Customer content to improve the vendor's products and services.
  • Using "usage data" or "system data" is OK and fine for product improvement and development purposes.
  • We are only worried about the vendor using customer content directly or aggregating and anonymizing customer content to improve the product or train AI models.

Scope of Services

No Exclusivity or Sole Source Restrictions

Compliant

Playbook rule

Customer should not be required to use Vendor as its exclusive or sole source provider for any category of services or products. Exclusivity clauses prevent Customer from using competing or complementary solutions, eliminate negotiating leverage, and create vendor lock-in. Look for language like "exclusive provider," "sole source," "shall not use competing products," or "primary vendor for all [category] needs." These may appear in Scope of Services, Restrictions, or commercial terms sections.

Term and Termination

No Non-Solicit or Non-Compete Restrictions

Compliant

Playbook rule

Customer should not be restricted from hiring Vendor's employees or contractors, or from using competing products or building competitive solutions. One-sided non-solicit (Customer cannot hire from Vendor, but Vendor can hire from Customer) or non-compete clauses (Customer cannot use competitive products) are unacceptable. These clauses are often buried in "Restrictions" or "Miscellaneous" sections. Mutual non-solicit for executive-level hires during the term may be acceptable.

Intellectual Property

No Logo Use or Logo Use With Opt-Out

Needs Attention

Contract language

"9.14. Promotion. Otter may use Customer’s name and logo to publicly identify Customer as a customer of the Otter services. Customer will consider in good faith any request by Otter to (1) provide a quote from a Customer executive ... and (2) participate in a public co-marketing activity."

Playbook rule

Vendor may use Customer's name, logo, and trademarks for marketing purposes (e.g., customer lists, case studies, website) only if Customer can opt out upon written notice. Automatic permission without opt-out rights is unacceptable. Look for language like "Customer grants Vendor a license to use Customer's marks" or "Vendor may list Customer as a reference." Acceptable: opt-in (requires consent) or opt-out (Customer can revoke via email). Unacceptable: no opt-out mechanism or requiring "reasonable" grounds to object.

Order form override in effect

Notwithstanding Section 9.14, Otter shall not use Customer's name, logo, trademarks, or any other identifying materials in any public marketing, press release, case study, website, or customer list without Customer's prior written consent. If Customer provides consent, Customer may revoke that consent at any time by written notice to Otter, and Otter will promptly cease further use of Customer's marks after receipt of such notice.

Data Processing Addendum (2)

Security

No Security Standards Commitment

Compliant

Contract language

"5.1 Taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures designed to provide a level of security appropriate to the risk, including the measures listed in Appendix 3."

Appendix 3 (summary): "The Service is provisioned using a cloud-based platform... AWS, which is certified SOC 2 Type 2... Physical Access Controls... System Access Controls... Transmission Controls... Data Backups... Data Segregation..."

Playbook rule

Vendor must commit to implementing, at a minimum, commercially reasonable technical and organizational security measures for protecting personal data. Detailed security obligations and references to certifications are welcome, but not required.

Data Protection

No Data Deletion

Needs Attention

Contract language

"12.2 Upon termination of the Terms of Service, the Company will, upon Customer’s request, return Customer Personal Data in Company’s possession to the Customer or securely destroy such Customer Personal Data unless applicable laws prevent the Company from returning or destroying all or part of Customer Personal Data."

Playbook rule

Vendor must commit to deleting all personal data upon the customer's request after the agreement terminates or expires.

  • "Commercially reasonable efforts" or indefinite retention for "legal purposes" without clear limitations is unacceptable.

Order form override in effect

Upon termination or expiration of the Terms, Company shall, within ninety (90) days, permanently delete or securely destroy all Customer Personal Data in Company’s possession and in the possession of its Subprocessors, except to the extent that applicable law requires retention. If Company is required by law to retain any Customer Personal Data, Company shall (i) notify Customer of the legal requirement and the specific data to be retained, (ii) isolate and protect the confidentiality of such retained data and not process it for any purpose other than to comply with the legal requirement, and (iii) upon Customer’s written request, certify in writing within thirty (30) days that the required deletions and secure destruction have been completed.