We use a range of third party services providers to enable and facilitate the provision of our own services. In many cases, we need to pass personal data to those services providers so that they can provide their services. On this page, we have set out details of those services providers, along with information about:
their services;
the personal data that they may handle;
the jurisdiction(s) of their data processing activities; and
the measures used to safeguard our personal data with respect to any transfers of personal data outside the UK/EEA.
These services providers act as "processors" or "sub-processors" with respect to the personal data that we pass to them. In other words, they only process personal data on our instructions and for our or our customers' purposes.
All data transfer with third parties is governed by our internal policies and procedures, which are compliant with the Company's ISO 27001:2013 certification (click here).
In accordance with the International Data Transfer Addendum (IDTA), as issued by the UK Information Commissioner's Office, we may transfer UK personal data outside the UK in reliance on EU SCCs mechanism coupled with the UK Addendum. As a result, we ensure that the IDTA is in place with commercial contracts or associated agreements with suppliers to facilitate such transfers.
We have set out details of the processors and sub-processors (or in some cases, the general categories into which they fall) below:
Name | Services | Data | Jurisdiction(s) | Safeguards |
Agora Inc. (NASDAQ: API) HQ: USA
| Video live streaming
Video recording services* (on customer request) | Live, encrypted video images of end users
Recorded video image (only where requested by customer) | United States
European Economic Area | |
Amazon Web Services, Inc. (NASDAQ: AMZN) HQ: USA
 | Infrastructure hosting and related services | End user account data, data provided by end users that are stored in our application database | United Kingdom and European Economic Area
Hosted in eu-west-2 (Europe, London, UK) | Standard contractual clauses, DPA review (here) |
Cloudflare, Inc. (NYSE: NET) HQ: USA
 | Content Delivery Network (CDN), cyber threat mitigation | End user IP addresses | United States
European Economic Area | Standard contractual clauses, DPA review (here) |
Cronofy Limited HQ: UK
| Calendar scheduling system* (only for customers requesting and utilising Recurring Natters functionality) | End user IP addresses, email addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
Datadog Inc. (NASDAQ: DDOG) HQ: USA
| Application monitoring and debugging services | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
Deepgram Inc. HQ: USA
| Transcription of pre-recorded audio files* (on customer and end user request) | End user IP addresses
Audio file transcriptions (Redaction utilised, read here for PII) | European Economic Area | Standard contractual clauses, DPA review (here) |
Drata Inc. HQ: USA
| Information security compliance and infrastructure monitoring | End user IP addresses
Customer contact information | European Economic Area | Standard contractual clauses, DPA review (here) |
Detectify AB HQ: Sweden  | Application security vulnerability scanning | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
Google, Inc. (NASDAQ: GOOG) HQ: USA
 | Google Workspace: productivity and collaboration tools | Customer and end user contact information, support query data, end user personal data | European Economic Area | Standard contractual clauses, DPA review (here) |
HubSpot, Inc. (NYSE: HUBS) HQ: USA
 | Customer Relationship Management (CRM) system | Customer contact information | European Economic Area | Standard contractual clauses, DPA (here) |
Intercom, Inc; Intercom R&D Unlimited Company HQ: USA  | Customer relationship management; support infrastructure; chatbot services | Customer contact information, support query data, chatbot chat data | European Economic Area | Standard contractual clauses, DPA review (here) |
Sentry (Functional Software, Inc.)  | Application monitoring and debugging services | End user IP addresses | European Economic Area | Standard contractual clauses, DPA review (here) |
Slack Technologies, LLC (NASDAQ: CRM)
| Team collaboration and instant messaging services | Customer contact information, end user first name, surname and email address | European Economic Area | Standard contractual clauses, DPA review (here) |
Twilio Inc. (NASDAQ: TWLO) HQ: USA
| Peer to peer E2EE video communication services
Email delivery services: SendGrid | Live, encrypted video images of end users
Email delivery: End user first name, surname and email address | United States
European Economic Area | Standard contractual clauses (here) |
In addition, we use Microsoft and Google as single sign-on services (SSO). When you are using SSO, the login credentials that you input will be passed directly to the relevant services provider. Each of these services providers will act as a controller (and not a processor) of any of your personal data that they might handle.
All data transfer with third parties is governed by our internal policies and procedures, which are compliant with the Company's ISO 27001:2013 certification (click here).
For more information about our handling of personal data, see our privacy and cookies policy or contact us by email (team@natter.co).
Last updated: 10 June 2024.