Lobster AI Communications

Lobster is a platform for deploying natural language AI assistants to your customers and team. Using Natural Language Processing technology, Lobster understands queries and provides resolutions by integrating with business systems including CRM and knowledge bases. Lobster AI assistants are deployed to web, mobile, apps, telephony and smart home devices.


  • Multichannel AI assistants: web, mobile, apps, telephony, smart home devices
  • Multilingual voice: can listen and reply in over 17 languages
  • Technology agnostic: built to use the best NLP technology available
  • Annually penetration tested and built using enterprise-grade security practices
  • Lobster Reef: agent user interface
  • Lobster Messenger: a customisable web UI
  • Pre-built reporting dashboard to monitor usage
  • Flexible integration framework: integrate with virtually any business system
  • Multilingual chat: read and write in over 100 languages
  • Live chat: hand over from AI assistant to agent


  • Answer user queries 24/7/365
  • Free up busy customer service agents
  • Faster responses for users
  • Never sick, late or on holiday
  • Can answer thousands of queries simultaneously
  • Gives users access to more information than previously possible
  • Provides insights into current needs and requirements of users
  • Can assist agents to answer resident queries more accurately


£1,000 a licence a month

Service documents


G-Cloud 12

Service ID

750374390844397


EBI.AI Abbie Heslop
Telephone: 01926 623303
Email: abbie@ebi.ai

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Standalone service but often integrated with the following:
Contact Centre as a Service (CCaaS) and Unified Communications as a Service (UCaaS) systems
Cloud deployment model
Public cloud
Service constraints
System requirements
  • An internet connection
  • Access to a supported modern browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Response times are as follows:
Severity 1 : 4 hours (Outage/ Service Unavailable)
Severity 2 : 6 hours (Service operational, significant business impact)
Severity 3 : Best endeavours (Service operational, minor business impact)
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 A
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support is provided Monday to Friday between the hours of 8am and 6pm. SLA times are business hours.

Platform availability: 99% uptime of the platform in a calendar month. Service credit for non-performance is 10% credit of usage fees in the month following non-performance.

Issues can be escalated to the account manager through monthly, quarterly and annual governance management meetings.
Support available to third parties

Onboarding and offboarding

Getting started
EBI.AI deliver a fully managed service. This means we will create, train, deploy and maintain your AI assistant on the Lobster platform. It is not usually necessary to provide onsite training in order to adopt an AI assistant on Lobster.
Service documentation
End-of-contract data extraction
Extracts of data will be available upon end of contract. 90 days of extracts will be maintained in S3 for the client to download and backup as they wish.
End-of-contract process
Once notice to terminate a contract has been received, EBI.AI will assist in the migration of data from Lobster to the client at contract end. There is no additional cost for this service.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
AI assistants on Lobster can be integrated into both mobile and desktop browsers, the client's own apps or portals, and messenger applications like Facebook Messenger.
Service interface
Description of service interface
A service portal is provided with access to service performance data and configuration for authorised users. Configuration options include the creation and maintenance of content used in Lobster AI Assistants.
Accessibility standards
None or don’t know
Description of accessibility
Our service portal aims to meet the WCAG 2.1 AA standard but has yet to be tested by an independent third party.
Accessibility testing
No testing of assistive technology has been carried out against our service portal.
Customisation available
Description of customisation
All of the following items can be customised:

1) The persona of the AI assistant
2) The look and feel of the AI assistant
3) The channels where users can speak and write to the AI assistant
4) The types of queries that the AI assistant can understand
5) The answers to user queries
6) Add custom integrations into business systems to enable the AI assistant to perform actions.

Most customisations are configured by the EBI.AI team in consultation with the client during set-up.


Independence of resources
Our platform design eliminates bottlenecks and single points of failure. The service responds to increases and decreases in demand through automatic scaling to ensure that users are not impacted during high volume periods.


Service usage metrics
Metrics types
Service usage metrics are provided via dashboards, which include the total number of conversations handled by the AI assistant, broken down by topic area. In addition, customers who purchase AI supervision also receive monthly reports detailing the total number of conversations the AI assistant has with users, the total number of supported conversations and the total number which were successfully resolved.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Data exports are requested by clients through a support request and delivered securely to a location agreed with the client.
Data export formats
Other data export formats
Javascript Object Notation (JSON)
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Platform availability: 99% uptime of the platform in a calendar month. Service credit for non-performance is 10% credit of usage fees in the month following non-performance.
Approach to resilience
Our platform design eliminates single points of failure by ensuring that redundancy is built into each layer. All service and data layer components are deployed in at least two independent physical locations, and a comprehensive backup strategy provides an RTO of 4 hours and RPO of 1 hour in the event of a complete loss of service.
Outage reporting
Clients are made aware of service disruption via email. Monthly service performance reports are provided to clients detailing our service uptime, outages and root cause analysis details.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
Users are required to authenticate using two factor authentication.

Role based authorisation is used to control the features and data that a user can access.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
A comprehensive set of policies applicable to all employees, contractors and third-party suppliers is in place including security, data protection and GDPR. All parties are required to confirm they have read and understood these policies on an annual basis and following changes.

Policies are reviewed on an annual basis, quarterly security audits are carried out to ensure compliance with policies, and an annual audit is carried out by an independent third party.

An Information Security Team consisting of senior staff members has responsibility for maintaining adequate records, maintaining and enforcing information security policies and responding to security incidents. The Information Security Team reports directly to the Managing Director.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Components of the service are tracked through their lifetime via source control, auditable deployments and configuration changes.

All changes are raised as tickets with a clear definition of the purpose, acceptance criteria and proposed design. Changes are assessed for security impact against predefined criteria and reviewed by a Change Advisory Board.

All changes to source code undergo a peer review process by a developer not involved in the changes and must relate to an approved change.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
- Patch management policy with timescales for the application of patches (Critical: As soon as possible, High & Medium: 14 Days, Others: 60 Days)
- Automated vulnerability scanning
- Annual penetration testing
- Endpoint protection and active monitoring of security threats
- Security impact assessments carried out as part of change management

Information regarding security threats is obtained through the NIST Vulnerability Database and provider alerts and notices such as those from Microsoft, IBM and Amazon AWS.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Protective monitoring measures include:

- Active endpoint protection with automatic blocking of malicious access attempts
- Access logging, monitoring and alerting of anomalous activity
- Audit logging, monitoring and alerting of security events
- System resource logging, monitoring and alerting of anomalous load

Security incidents are responded to immediately upon reporting and follow the process detailed in our security incident reporting and management procedure. The high-level process is:

- Evaluate scope and severity
- Identify and action emergency remediation
- Issue stakeholder communication
- Identify and action interim remediation
- Complete root cause analysis
- Communicate RCA and next steps
Incident management type
Supplier-defined controls
Incident management approach
Incident management is covered in our security incident policy and security incident reporting and management procedure. The policy states that all breaches and queries regarding potential security incidents should be reported to the information security team.

The reporting and management procedure details the process and the responsibilities of staff members, the information security team and company directors.

All security incidents are logged on the security incident log as part of the reporting and management process by the information security team's first point of contact. Security incident reports are provided by email to our clients.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£1,000 a licence a month
Discount for educational organisations
Free trial available
