Otter.ai
AISense, Inc. · EFROS US AI Vendor Governance Index entry
Composite governance score: 25 (grade F)
F = inadequate posture for any regulated workload. Re-evaluate before procurement.
About this vendor
Real-time meeting transcription and summarization. Common deployment in sales/CS, sometimes leaking into clinical or legal meeting workflows where governance gaps matter.
- Enterprise tier: Otter Business, Otter Enterprise
- Consumer tier: Otter Basic, Otter Pro
- Vendor homepage: https://otter.ai
- Trust center: https://otter.ai/security
Twelve-axis governance scoring
Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).
| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | No | Otter.ai does not currently offer a BAA. Otter has stated HIPAA compliance is not supported. | Otter.ai Security FAQ |
| Training-data opt-out | Partial | Enterprise tier: customer audio/transcripts not used for model training. Free/Pro: opt-out toggle available; defaults vary by feature. | Otter Privacy Policy |
| US data residency option | No | No documented US data residency configuration as of May 2026. | Public posture review |
| SOC 2 Type II report | Yes | SOC 2 Type II completed; report available via direct request. | Otter Security |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation. | Public posture review |
| NIST AI RMF self-attestation | No | No public NIST AI RMF self-attestation. | Public posture review |
| Colorado AI Act readiness | No | No Colorado AI Act compliance statement. | Public posture review |
| HHS-OCR Section 1557 readiness | N/A | Not BAA-eligible — disqualifies clinical use. | HHS-OCR Section 1557 — deployer scope |
| FRB SR 11-7 readiness | N/A | SR 11-7 is deployer responsibility. | FRB SR 11-7 — deployer scope |
| ABA Formal Op 512 readiness | N/A | Practitioner responsibility; lack of BAA significantly raises privilege risk for law firm use. | ABA Formal Op 512 — practitioner scope |
| Subprocessor list public | Partial | Subprocessor list available to enterprise customers on request. Not self-serve public. | Otter Security FAQ |
Trust-center maturity
Security page exists but is thin. AI-specific governance documentation absent. Lower-maturity trust posture.
Source: otter.ai/security
Deep dive
Overview
Otter.ai is widely deployed in sales/CS organizations and routinely creeps into clinical, financial, and legal meeting workflows without governance review. The product is competent. The governance posture is not aligned to regulated use. The most common audit finding involving Otter is patient or attorney-client conversations transcribed without a BAA or privilege protocol.
Strengths
- SOC 2 Type II
- Enterprise no-train default
- Mature transcription product
Weaknesses
- No BAA, no HIPAA support
- No US residency option
- Thin AI-specific governance documentation
- Subprocessor list not self-serve public
Best-fit use case
Non-regulated meeting transcription — sales call notes, internal team meetings, marketing planning sessions.
Avoid when
Patient encounters, attorney-client conversations, confidential financial advisory meetings. Use a BAA-covered alternative (Microsoft Teams transcription under M365 BAA, or sector-specific tools like DAX Copilot).
Operator's take
Deploy Otter.ai for non-regulated meeting transcription: sales call notes, internal team meetings, marketing planning sessions. The composite score of 25 (grade F) reflects a posture that is not aligned to regulated US workloads. Skip the vendor for patient encounters, attorney-client conversations and confidential financial advisory meetings; use a BAA-covered alternative instead (Microsoft Teams transcription under an M365 BAA, or sector-specific tools such as DAX Copilot). In every deployment, treat the cells above as a snapshot: the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.
How this scoring is computed
The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.
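The paragraph above describes the aggregation rule but not its numbers. The following is an added example, not EFROS code: it implements the stated rule (Yes/Partial/No cells, N/A excluded from the denominator, the sector's axis weighted x2, a blend with trust-center maturity) with assumed values. The Yes=1 / Partial=0.5 / No=0 mapping and the linear maturity blend are assumptions; the Index does not publish them, so the fact that the assumed mapping yields 25 on Otter's own matrix should be read as a consistency check, not as the published method. The clinical vendor row is a constructed input used only to show the sector weighting.

```python
"""Illustrative composite scorer for a twelve-axis governance matrix.

Added example, not EFROS code. Assumed: Yes=1.0, Partial=0.5, No=0.0,
N/A carries no value and leaves the denominator; the sector's own axis is
weighted x2 as the page states; trust-center maturity (0-100) is blended
linearly with an assumed weight.
"""
from typing import Dict, Optional

# Assumed numeric mapping for one table cell. N/A is None: it is excluded
# from both numerator and denominator rather than counted as a failure.
CELL_VALUE: Dict[str, Optional[float]] = {
    "Yes": 1.0,
    "Partial": 0.5,
    "No": 0.0,
    "N/A": None,
}

# Sector amplification as described on the page: each primary sector
# doubles the weight of the axis that matters most in that buying context.
SECTOR_WEIGHTS: Dict[str, Dict[str, float]] = {
    "healthcare": {"Section 1557": 2.0},
    "legal": {"ABA Op 512": 2.0},
    "banking": {"SR 11-7": 2.0},
}

# Otter.ai's eleven scoreable axes, transcribed from the table on this page.
OTTER_AXES: Dict[str, str] = {
    "BAA / DPA available": "No",
    "Training-data opt-out": "Partial",
    "US data residency option": "No",
    "SOC 2 Type II report": "Yes",
    "ISO/IEC 42001 attestation": "No",
    "NIST AI RMF self-attestation": "No",
    "Colorado AI Act readiness": "No",
    "Section 1557": "N/A",
    "SR 11-7": "N/A",
    "ABA Op 512": "N/A",
    "Subprocessor list public": "Partial",
}

# Constructed input (not a real vendor): a healthcare vendor that is BAA-eligible
# and therefore has a scoreable Section 1557 cell, used to show the x2 weighting.
HYPOTHETICAL_CLINICAL_VENDOR: Dict[str, str] = {
    axis: "No" for axis in OTTER_AXES
}
HYPOTHETICAL_CLINICAL_VENDOR["SOC 2 Type II report"] = "Yes"
HYPOTHETICAL_CLINICAL_VENDOR["Section 1557"] = "Yes"


def axis_score(axes: Dict[str, str], sector: Optional[str] = None) -> float:
    """Weighted percentage over the scoreable axes.

    N/A axes are skipped entirely, so a vendor is not penalised for an axis
    that is structurally inapplicable to it. An unknown status raises KeyError
    on purpose: a typo in a cell should fail loudly, not silently score 0.
    """
    weights = SECTOR_WEIGHTS.get(sector or "", {})
    numerator = denominator = 0.0
    for axis, status in axes.items():
        value = CELL_VALUE[status]
        if value is None:
            continue  # N/A: out of the denominator as well
        weight = weights.get(axis, 1.0)
        numerator += weight * value
        denominator += weight
    if denominator == 0:
        raise ValueError("no scoreable axes in matrix")
    return 100.0 * numerator / denominator


def composite(
    axes: Dict[str, str],
    sector: Optional[str] = None,
    maturity: Optional[float] = None,
    maturity_weight: float = 0.0,
) -> float:
    """Blend the axis score with a 0-100 trust-center maturity score.

    The blend is an assumed linear mix; the page only says the two are blended.
    With no maturity input the result is the axis score alone.
    """
    base = axis_score(axes, sector)
    if maturity is None or maturity_weight == 0.0:
        return base
    if not 0.0 <= maturity_weight <= 1.0:
        raise ValueError("maturity_weight must lie in [0, 1]")
    return (1.0 - maturity_weight) * base + maturity_weight * maturity


if __name__ == "__main__":
    print(f"Otter.ai axis score: {axis_score(OTTER_AXES):.1f}")
    print(f"Clinical vendor, no sector weighting: {axis_score(HYPOTHETICAL_CLINICAL_VENDOR):.1f}")
    print(f"Clinical vendor, healthcare weighting: {axis_score(HYPOTHETICAL_CLINICAL_VENDOR, 'healthcare'):.1f}")
```

Two properties of the rule are visible in the output. First, excluding N/A from the denominator matters: Otter's two half-credits and one full credit give 2/8 of the scoreable weight, whereas counting the three N/A cells as failures would give 2/11. Second, the sector weight can only lift a vendor whose sector axis is actually scoreable; applying the healthcare weighting to Otter changes nothing because its Section 1557 cell is N/A.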
Disagree with this scoring?
EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).
Disagree with a score?
Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for Otter.ai, submit a formal challenge — we re-verify against the source and respond within 14 days.