Subprocessors
The third parties Servd engages to operate the platform. We notify customers at least 30 days before adding a new subprocessor — subscribe to our changelog or email legal@servdlegal.ai to be added to the notification list.
- Last reviewed
- 2026-05-20
- Editorial owner
- Legal & Engineering
| Provider | Purpose | Data touched | Region | Policy |
|---|---|---|---|---|
| Vercel, Inc. | Application hosting and edge network. | All request data passes through; persistent storage is delegated to other subprocessors below. | US | Privacy → |
| Neon, Inc. | Managed Postgres database. | All structured application data: cases, parties, attempts, affidavits, payments, audit logs, AI tool-call records. | US (AWS us-west-2) | Privacy → |
| Cloudflare, Inc. | R2 object storage for uploaded documents, signature images, PDFs, photos, and audio recordings. | All customer-uploaded files; affidavits; attempt photos; voice recordings. | US (with global edge caching) | Privacy → |
| Clerk, Inc. | Authentication, session management, MFA, user identity. | Email, name, phone, hashed credentials, MFA factors, login + device metadata. | US | Privacy → |
| Square (Block, Inc.) | Payment processing. | Payment card tokens (no card numbers ever stored by Servd), billing addresses, payment metadata, payout ACH routing. | US | Privacy → |
| Anthropic PBC | Claude AI inference for chat, drafting, document parsing, and operational reasoning. | Prompts (after redaction of direct identifiers) and outputs. Anthropic processes under commercial terms that prohibit use of Customer data for model training. | US | Privacy → |
| Portkey Technologies, Inc. | AI gateway: routing, caching, rate-limit, and observability layer in front of Anthropic. | Same as Anthropic; an additional copy of (redacted) prompts is logged for Servd debugging. | US | Privacy → |
| Inngest, Inc. | Durable background jobs: Checkr fan-out, retention cleanup, weekly cross-tenant audit, AI evals. | Event payloads (typically redacted IDs + structured metadata; never raw documents). | US | Privacy → |
| Sentry (Functional Software, Inc.) | Error monitoring + session replay (replay has all text + media masked by default). | Error stacks, breadcrumbs, browser metadata; masked session replays. | US | Privacy → |
| PostHog Inc. | Product analytics with autocapture PII redacted. | Page-view events, feature usage, anonymized user identifiers. | US | Privacy → |
| Resend Inc. | Transactional email (case status, payouts, application status, message notifications). | Recipient email + name + the email body itself. | US | Privacy → |
| Twilio Inc. | SMS notifications (server PWA assignment + message events). | Recipient phone number + message body. | US | Privacy → |
| Ably Realtime Ltd. | Realtime push for live case status + chat + map updates. | Ephemeral message payloads (typically structured IDs + status, never raw documents). | US + EU PoPs (used for routing only) | Privacy → |
| Mapbox, Inc. | Geocoding, static maps, address autocomplete. | Addresses submitted for geocoding; aggregated tile-load metrics. | US | Privacy → |
| Checkr, Inc. | Background checks for process server applicants (their consent obtained at apply). | Applicant's name, DOB, SSN last 4, driver license, employment history. | US | Privacy → |
| Persona Identities, Inc. | ID verification (selfie + government ID) for process server applicants. | Applicant selfie + ID photo + extracted name/DOB/address; decision result. | US | Privacy → |
| DocuSign, Inc. | Embedded affidavit signing (when configured for a customer). | Affidavit PDF + signer name + email; the signed PDF + Certificate of Completion are returned to Servd. | US | Privacy → |
| OpenAI, L.L.C. | Whisper API for voice-attempt transcription (alternative to Portkey-Whisper). | Audio bytes of the attempt voice recording; OpenAI processes under commercial terms that prohibit training on API content per their default policy. | US | Privacy → |
| Upstash, Inc. | Managed Redis for rate-limiting + ephemeral counters. | Hashed identifiers (IP / user ID) and counters; no PII or document content. | US | Privacy → |
| Axiom, Inc. | Application logs. | Structured log events with PII redacted. | US | Privacy → |
Notification process
We post material subprocessor changes here at least 30 days in advance. Customers subscribed to the legal-changes mailing list receive an email at the same time. Email legal@servdlegal.ai with subject “Subprocessor notifications” to subscribe. Customers on a paid MSA may object within 14 days on reasonable data-protection grounds; the parties will work in good faith to address the concern or terminate the affected service.
What we do NOT use
- We do not use Stripe, Braintree, or any other payment processor besides Square. We are not in PCI scope beyond Square's tokenization boundary.
- We do not use foundation-model providers other than Anthropic for chat and reasoning. The Whisper transcription path can route through Portkey or OpenAI depending on env configuration; both refuse model training on API content under our terms.
- We do not use third-party analytics SDKs in the iframe / embed surfaces that touch firm case data — only the marketing surface uses PostHog with PII redaction.