Security

How we handle your data.

Last updated May 17, 2026

We build production AI systems for real businesses, so security and data handling are not afterthoughts. This page summarizes how we operate the website, where your data lives, who touches it, and how we approach security on engagements we build.

Our principles

Ownership

You own everything.

Code, data, accounts, infrastructure. Systems we build for you run inside your cloud accounts, not ours.

Isolation

Your data stays separate.

Each engagement is built in infrastructure dedicated to that client. We do not pool client data.

No training

Your data is not training data.

We do not use client business data, voice memos, or transcripts to train shared AI models.

Least privilege

Access is scoped.

Only the people working on your engagement have access. Access is removed when an engagement ends.

Website and pre-engagement data

Infrastructure

The www.serviceagent.dev website is hosted on Vercel in U.S. data centers. Voice memos uploaded through the site are stored in Vercel Blob storage. Lead and engagement metadata is stored in Airtable.

Encryption

All traffic between your browser and our infrastructure uses TLS 1.2+ (HTTPS). Stored files and database records are encrypted at rest by our infrastructure providers using industry-standard encryption (AES-256 or equivalent).

Voice memo handling

When you record a voice memo through our site:

  • The recording is uploaded directly to our infrastructure over HTTPS.
  • The audio is transcribed by OpenAI's API, operating under terms that do not permit use of submitted content for model training.
  • The recording and transcript are stored privately, accessed only by ServiceAgent staff working on your inquiry.
  • You can request deletion at any time by emailing p@serviceagent.dev.

Access controls

Access to lead data, voice memos, and pre-engagement records is restricted to the ServiceAgent team. All accounts use unique credentials with strong passwords and multi-factor authentication where available.

Subprocessors

We use the following third-party services to operate the website and our pre-engagement workflow:

Provider    Purpose                                Region
Vercel      Website hosting, storage, analytics    United States
OpenAI      Voice memo transcription               United States
Resend      Transactional email delivery           United States
Airtable    Lead and engagement records            United States
Cal.com     Call scheduling                        European Union / United States

Each provider operates its own information-security program with industry-standard controls. We review provider security posture before use.

Engagement security

When we build a system for you, our standard practice is:

  • Infrastructure in your accounts. The system runs on cloud accounts you own and control (your AWS, your Supabase, your Vercel, etc.), not ours.
  • Your API keys. Calls to AI providers (OpenAI, Anthropic, others) use API keys provisioned by you, with the data, retention, and training settings you choose.
  • Your repository. Code lives in a Git repository you own (typically your GitHub or GitLab).
  • Documentation in plain English. The architecture, design decisions, and operational runbooks are documented so your team can take over without us.
  • Handover. At the end of the build, full ownership transfers to you. We retain no copy of your production data.
  • DPAs and BAAs. We sign Data Processing Agreements and, where applicable, Business Associate Agreements as part of the engagement contract.

Data we do not collect

  • We do not require accounts to use the website.
  • We do not store payment card information on the site (paid engagements are invoiced separately).
  • We do not knowingly collect data from anyone under 16.
  • We do not sell personal information.
  • We do not use voice memos or business information to train shared AI models.

Incident response

If we become aware of a security incident affecting your data, we will:

  • Contain the incident and investigate root cause.
  • Notify affected clients without undue delay.
  • Notify regulatory authorities where required by law.
  • Provide a post-incident report describing what happened and what we changed.

Compliance posture

We design and build systems with privacy, security, and regulatory requirements in mind, including GDPR, CCPA/CPRA, and HIPAA when applicable. We are not currently SOC 2 certified; clients with that requirement should discuss it with us at the start of an engagement so we can scope appropriately.

Procurement and legal documents

For enterprise procurement reviews, we can provide:

  • A signed Data Processing Agreement (DPA).
  • A signed Business Associate Agreement (BAA) for healthcare engagements.
  • A Master Service Agreement (MSA) tailored to your engagement.
  • Security questionnaire responses (we are happy to complete standard formats).

To request any of the above, email p@serviceagent.dev.

Responsible disclosure

If you believe you have found a security vulnerability in our website or in a system we have built, please report it to p@serviceagent.dev. We will acknowledge receipt within two business days and work with you in good faith to resolve the issue.