Trust
Sub-processors
Serge relies on a small set of vetted third parties to deliver the product. This page lists every sub-processor that touches customer data, where it sits, the legal mechanism for any cross-border transfer, and a link to that provider's Data Processing Agreement. Customers under our DPA receive 30 days' notice before any sub-processor is added or replaced.
Last updated
| Provider | Purpose | Region | Transfer mechanism | Certifications | DPA |
|---|---|---|---|---|---|
| Vercel | Application hosting, edge runtime, CDN, and Blob storage for replay screenshots. | EU (Frankfurt) + US control plane | EU residency | SOC 2 Type II · ISO 27001 | View DPA → |
| Neon | Primary Postgres database — workspace data, scans, snippet events, replay metadata. | EU-Central (Frankfurt) | EU residency | SOC 2 Type II | View DPA → |
| Auth0 (Okta) | Authentication, session management, and identity provisioning. | EU (Frankfurt) | EU residency | SOC 2 Type II · ISO 27001 · ISO 27018 | View DPA → |
| Anthropic | Claude API for the active replay (Investigate Mode) — runs the agent against the customer's site. | US (EU residency requires Enterprise / Bedrock) | SCCs | SOC 2 Type II | View DPA → |
| Browserbase | Managed headless Chrome instance for replay sessions. | EU (eu-central-1 Frankfurt) | EU residency | SOC 2 Type II | View DPA → |
| Fly.io | Replay worker compute — runs the agent loop and streams steps to the dashboard. | EU (Frankfurt) | EU residency | SOC 2 Type II | View DPA → |
| Stripe | Payments, subscriptions, and tax / billing record-keeping. | US (control plane) + EU (data) | DPF | PCI-DSS Level 1 · SOC 1 · SOC 2 Type II · ISO 27001 | View DPA → |
| Upstash | Redis for rate limiting, ephemeral state, and short-lived attribution storage. | EU (eu-west / Ireland) | EU residency | SOC 2 Type II | View DPA → |
| Sentry | Error tracking and performance monitoring (PII scrubbed in beforeSend). | EU (Frankfurt) | EU residency | SOC 2 Type II · ISO 27001 | View DPA → |
| PostHog | Product analytics and session replay on serge.ai (input fields masked). | US (EU migration planned) | SCCs | SOC 2 Type II · ISO 27001 | View DPA → |
| Resend | Transactional email delivery — verification, billing receipts, replay-ready notifications. | EU | EU residency | SOC 2 Type II | View DPA → |
Change notice
Customers receive at least 30 days' notice before any sub-processor is added or replaced, with the right to object on reasonable data-protection grounds. Subscribe via privacy@serge.ai to receive change notices by email.
Questions
Reach the privacy team at privacy@serge.ai. We respond within five business days.