Service Managers shouldn't be the ones answering security questions. This page is for the people who will — your IT lead, your DPO, and your OEM compliance reviewer.
All Otto infrastructure runs in AWS Frankfurt (eu-central-1). Call recordings are stored on Cloudflare R2 in EU jurisdiction. A UK region is available on Enterprise. No customer data leaves the region without an explicit Data Processing Agreement.
Email, SMS, WhatsApp and voice consent are tracked separately. STOP and UNSUBSCRIBE are honoured automatically and propagated to your DMS. Your franchise compliance team can pull a full consent history per customer, on demand.
Every call Otto makes, every booking it creates, every consent change it processes — all logged with actor, timestamp, before/after state. Recordings retained 13 months. Audit log retained 7 years on Group and Enterprise.
All customer data is encrypted at rest with AWS KMS, and TLS 1.3 is used in transit. DMS credentials are envelope-encrypted under a separate key. Webhook traffic from telephony providers is HMAC-verified on every call.
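The webhook HMAC check described above, as an added example that is not Otto's own code: the header names, the "timestamp.body" signing format, the five-minute replay window and the shared secret are all assumptions; the check uses a constant-time comparison so a forged signature cannot be narrowed down byte by byte.

```python
import hmac
import hashlib
import time
from typing import Optional

# Constructed placeholder: the secret the telephony provider and the receiver
# share out of band. Not a real key.
WEBHOOK_SECRET = b"example-shared-secret-placeholder"
MAX_SKEW_SECONDS = 300  # assumed replay window: reject signatures older than 5 minutes


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed provider format).

    Binding the timestamp into the signed message means a captured request
    cannot simply be re-sent later with a fresh timestamp header."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and is fresh."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Webhook-Timestamp"])  # assumed header name
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or far-future timestamp: treat as a replay
    expected = sign_webhook(secret, ts, body)
    provided = headers.get("X-Webhook-Signature", "")  # assumed header name
    # compare_digest runs in constant time regardless of where the strings differ
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    body = b'{"call_id":"c-0001","event":"call.completed"}'  # constructed payload
    ts = 1_700_000_000
    headers = {"X-Webhook-Timestamp": str(ts),
               "X-Webhook-Signature": sign_webhook(WEBHOOK_SECRET, ts, body)}
    assert verify_webhook(WEBHOOK_SECRET, headers, body, now=ts + 10)
    assert not verify_webhook(WEBHOOK_SECRET, headers, body.replace(b"completed", b"failed"), now=ts + 10)
    assert not verify_webhook(WEBHOOK_SECRET, headers, body, now=ts + 900)
    print("webhook verification checks passed")
```

Always verify against the raw request bytes, not a re-serialised JSON object, since any whitespace or key-order change alters the HMAC.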
An honest list — we don't claim certifications we don't hold yet. Where things are in progress, we say when.
| Standard / control | Today | Next |
|---|---|---|
| GDPR — lawful basis | Documented per use case | — |
| GDPR — right to be forgotten | Self-service from dealer admin | — |
| Subject access requests | One-click export per customer | — |
| UK & EU data residency | EU (Frankfurt) standard, UK on Enterprise | — |
| RFC 8058 unsubscribe (email) | One-click, signed tokens | — |
| STOP / UNSUBSCRIBE handling | Automatic on SMS & WhatsApp | — |
| Recording consent | Spoken at call start, configurable per workshop | — |
| Encryption at rest | AWS KMS, KEK on credentials | Customer-managed keys (Enterprise) |
| Encryption in transit | TLS 1.3 throughout, HMAC on webhooks | — |
| SOC 2 Type 2 | Controls in place, audit window opening Q4 2026 | Type 2 report Q1 2027 |
| ISO 27001 | In progress via Tjekvik group certification | 2027 |
| Penetration testing | Annual, third-party | Quarterly under SOC 2 |
| Recording retention | 13 months default, configurable | — |
| Audit log retention | 7 years (Group / Enterprise) | — |
| DPA | Standard included on every plan | Custom on Enterprise |
| Sub-processor list | Public, updated on change | — |
If you operate under an OEM franchise standard (Audi, VW, BMW, Mercedes, Ford, JLR, Stellantis), we have an audit pack ready. Brand voice approval samples, recording examples, consent lifecycle documentation, data flow diagrams.
Most groups pass franchise compliance review on first pass. We handle the back-and-forth with the OEM compliance team directly if it helps.
Request the OEM pack →

A standard Data Processing Agreement is included with every plan. A custom DPA is available on Enterprise. Sub-processors are listed publicly and dealers are notified on change.
We've already answered most of their questions. The rest we'll handle on a 30-minute call.
Talk to security