Our Service Providers & Data Transfer Policy

How we safeguard personal data transfer to third party service providers

Written by James Stevens
Updated over a week ago

We use a limited number of third-party service providers to enable and facilitate the provision of our own services, all of whom have been pre-approved in line with our Vendor Management Policy. In many cases, we need to pass personal data to those service providers so that they can provide their services. On this page, we have set out details of those service providers, along with information about:

  • their services;

  • the personal data that they may handle;

  • the jurisdiction(s) of their data processing activities; and

  • the measures used to safeguard our personal data with respect to any transfers of personal data outside the UK/EEA.

These service providers act as "processors" or "sub-processors" with respect to the personal data that we pass to them. In other words, they only process personal data on our instructions and for our or our customers' purposes.

All data transfer with third parties is governed by our internal policies and procedures, which are compliant with the Company's ISO 27001:2013 certification (click here).

In accordance with the International Data Transfer Addendum (IDTA), as issued by the UK Information Commissioner's Office, we may transfer UK personal data outside the UK in reliance on the EU SCCs mechanism coupled with the UK Addendum. As a result, we ensure that the IDTA is in place with commercial contracts or associated agreements with suppliers to facilitate such transfers.

We have set out details of the processors and sub-processors (or in some cases, the general categories into which they fall) below:

| Name | Services | Data | Jurisdiction(s) | Safeguards |
|---|---|---|---|---|
| Agora Inc. (NASDAQ: API); HQ: USA | Video live streaming; Video recording services* (on customer request) | Live, encrypted video images of end users; Recorded video image (only where requested by customer) | European Economic Area | Standard contractual clauses (here), quarterly in-house compliance monitoring, bespoke DPA (here) |
| Amazon Web Services, Inc. (NASDAQ: AMZN); HQ: USA | Infrastructure hosting and related services | End user account data, data provided by end users that are stored in our application database | United Kingdom and European Economic Area; Hosted in eu-west-2 (Europe, London, UK) | Standard contractual clauses, DPA review (here) |
| Cloudflare, Inc. (NYSE: NET); HQ: USA | Content Delivery Network (CDN), cyber threat mitigation | End user IP addresses | United States; European Economic Area | Standard contractual clauses, DPA review (here) |
| Cronofy Limited; HQ: UK | Calendar scheduling system* (only for customers requesting and utilising Recurring Natters functionality) | End user IP addresses, email addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
| Datadog Inc. (NASDAQ: DDOG); HQ: USA | Application monitoring and debugging services | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
| Deepgram Inc.; HQ: USA | Transcription of pre-recorded audio files* (on customer and end user request) | End user IP addresses; Audio file transcriptions (Redaction utilised, read here for PII) | European Economic Area | Standard contractual clauses, DPA review (here) |
| Drata Inc.; HQ: USA | Information security compliance and infrastructure monitoring | End user IP addresses; Customer contact information | European Economic Area | Standard contractual clauses, DPA review (here) |
| Detectify AB; HQ: Sweden | Application security vulnerability scanning | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
| Google, Inc. (NASDAQ: GOOG); HQ: USA | Google Workspace: productivity and collaboration tools | Customer and end user contact information, support query data, end user personal data | European Economic Area | Standard contractual clauses, DPA review (here) |
| HubSpot, Inc. (NYSE: HUBS); HQ: USA | Customer Relationship Management (CRM) system | Customer contact information | European Economic Area | Standard contractual clauses, DPA (here) |
| Intercom, Inc; Intercom R&D Unlimited Company; HQ: USA | Customer relationship management; support infrastructure; chatbot services | Customer contact information, support query data, chatbot chat data | European Economic Area | Standard contractual clauses, DPA review (here) |
| Sentry (Functional Software, Inc.) | Application monitoring and debugging services | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
| Slack Technologies, LLC (NASDAQ: CRM) | Team collaboration and instant messaging services | Customer contact information, end user first name, surname and email address | European Economic Area | Standard contractual clauses, DPA review (here) |
| Twilio Inc. (NASDAQ: TWLO); HQ: USA | Peer to peer E2EE video communication services; Email delivery services: SendGrid | Live, encrypted video images of end users; Email delivery: End user first name, surname and email address | United States; European Economic Area | Standard contractual clauses (here) |

In addition, we use Microsoft and Google as single sign-on (SSO) services. When you are using SSO, the login credentials that you input will be passed directly to the relevant service provider. Each of these service providers will act as a controller (and not a processor) of any of your personal data that they might handle.


For more information about our handling of personal data, see our privacy and cookies policy or contact us by email (team@natter.co).

Last updated: 10 October 2024.
