Skip to content

Security and privacy

Where your data lives, how we secure it

This page is for IT security teams, DPOs and privacy officers who want to look under the hood. Got a question that is not answered here? Email info@servicechanger.com.

Hosting and data residency

All ticket and knowledge base data lives in a PostgreSQL database in a Supabase EU region. The application and API run on Vercel serverless functions in the EU (Frankfurt, fra1). That keeps both your data and the compute fully within the EU. The CDN for itsmautopilot.com runs through Cloudflare with edge routing close to the visitor: static assets are served at the edge, your ticket data is not.

AI calls go through OpenAI's API and may be routed between EU and US depending on load. For organisations with strict data residency requirements we can enable per-organisation ZDR (zero data retention) so OpenAI does not retain prompts and completions; contact info@servicechanger.com to arrange this.

Encryption

  • TLS 1.3 for all network traffic between customers, our API, and sub-processors
  • AES-256 at rest for the database (Supabase managed)
  • API keys (OpenAI, ITSM credentials) stored in Supabase Vault, not in plain text in the database
  • Webhook tokens and signing secrets per organisation, not shared

Sub-processors

These are the parties that, on our behalf (and therefore on yours), play a role in processing data. Each with their own DPA and GDPR-compliant.

PartyRoleLocationDPA
VercelHosting of the app and API (serverless compute)EU (Frankfurt, fra1)View
SupabasePostgreSQL database, auth, Vault for secrets, file storageEUView
CloudflareDNS, CDN, DDoS protection for itsmautopilot.comGlobal edge, EU-first routingView
OpenAIAI model for ticket classification, reply generation, and knowledge base curationEU (when zero-data-retention is enabled), otherwise USView
StripePayments, subscription management, invoicingStripe Payments Europe (Ireland)View
ResendTransactional email (account verification, password reset, notifications)EUView

Personal data in tickets

Before a ticket reaches the AI, contact details (email addresses, phone numbers, IP addresses, credit card numbers, SSN/BSN) are automatically masked. Anything stored in the knowledge base is always anonymised. Names in free text are not automatically recognised; additional arrangements are needed for those cases.

PII masking is configurable per organisation via Settings > Pre-AI masking.

Access and isolation

  • Row-level security per organisation: one tenant never sees another tenant's data
  • ServiceChanger staff do not have standing access to customer content
  • Production access only via short-lived service-role keys for incident response, logged
  • Two-factor authentication (2FA) available for all accounts via Settings, can be made mandatory for admin accounts in managed tenants on request

Retention

  • Tickets and activity logs: as long as your subscription is active, plus 30 days after cancellation
  • Knowledge base entries: same
  • Invoices and tax records: 7 years (legal requirement)
  • Audit logs (admin actions): 12 months

Incident response

On suspicion of a data breach we follow articles 33/34 of the GDPR: notification to the Dutch Data Protection Authority within 72 hours, affected customers are informed via direct email to the tenant owner with a description of the incident and the steps to take next.

Bug bounty and responsible disclosure via /.well-known/security.txt.

Compliance and certifications

ITSM Autopilot is currently in beta. The architecture and privacy design are in place (see the sections above), but formal certifications and third-party audits will follow after the beta phase. Be aware of this when evaluating us as a vendor.

  • GDPR: the product is designed around article 28 obligations. A countersigned DPA is not yet available; we are preparing one for the GA release.
  • ISO 27001 and SOC 2: not certified. No active program in 2026, on the roadmap once customer volume justifies it.
  • Pen test: no external pen test performed yet. Scheduled for once the product reaches GA.

Data Processing Agreement (DPA)

A standard Data Processing Agreement is being prepared for the GA release. If you need a signed DPA in place before working with us during beta, get in touch via info@servicechanger.com with your organisation, your requirements and the scope of processing. We will work out an arrangement that fits.

Question not answered here? Email info@servicechanger.com.