Sikurd uses the third-party services listed below to deliver the platform. These vendors process customer personal data on our behalf as “sub-processors” under Article 28 of the GDPR. We have a Data Processing Agreement (DPA) in place with each vendor.
Customers receive at least 30 days’ written notice before any new sub-processor goes live, per our Data Processing Agreement. To subscribe to change notices, contact privacy@sikurd.com.
Current sub-processors
| Vendor | Purpose | Data handled | Location & transfer mechanism | DPA |
|---|---|---|---|---|
| Stripe, Inc. | Subscription billing, payment processing, invoicing. | Tenant owner name, billing email, billing address, payment method (tokenized — never seen by Sikurd), invoice history. | United States EU-US Data Privacy Framework participant + Standard Contractual Clauses. | View |
| Twilio SendGrid Inc. | Outbound transactional email (alerts, account, billing, password reset, weekly digests). | Recipient email address, recipient name, email subject + body content. | United States EU-US Data Privacy Framework + Standard Contractual Clauses (Twilio's DPA). | View |
| Anthropic, PBC | AI-generated incident summaries, version-release intelligence, fleet-analysis answers. | Anonymized instance metadata (FQDN, version, alert type, counts). No customer credentials, no caller phone numbers, no recordings. | United States Standard Contractual Clauses. Anthropic does not train models on Sikurd's API traffic. | View |
| ElevenLabs, Inc. | Text-to-speech rendering of IVR greetings and queue prompts when the operator uses the AI Voice Studio. | Text the operator submits for synthesis. We do not send PII unless the operator types it into the prompt. | United States Standard Contractual Clauses (ElevenLabs DPA). | View |
| Neon, Inc. | Managed Postgres database — primary data store for all tenant and customer data. | All tenant + user + instance data described in the privacy policy. Encrypted at rest (AES-256-GCM for credential fields; Neon-managed encryption for everything else). | United States (AWS us-east-1). Standard Contractual Clauses. EU-region availability on the Sikurd roadmap pending demand from EU-resident customers. | View |
| Vercel, Inc. | Hosting + edge delivery of the Sikurd web application. | HTTP request/response metadata, session cookies, transient request bodies. No persistent data store — Vercel functions read from Neon. | United States (primary region) with global edge. EU-US Data Privacy Framework participant + Standard Contractual Clauses. | View |
| Railway Corp. | Hosting for the background poll worker (the long-running Node process that polls each 3CX instance + sends alerts). | Same DB connection as Vercel — transient access to tenant + instance data during polling. No separate persistent store on Railway itself. | United States. Standard Contractual Clauses. | View |
| DigitalOcean, LLC | Hosting for the geo-distributed network probe agents that measure call quality (MOS) from multiple regions. | Customer 3CX FQDN (host name only) for TCP probing. No call content, no credentials, no end-user data. | Multiple regions: New York (US), San Francisco (US), Frankfurt (Germany), Singapore, Sydney (Australia). Standard Contractual Clauses. | View |
| Vultr Holdings Corp. | Hosting for the South America probe agent (São Paulo). | Same as DigitalOcean (FQDN only, no content). | Brazil (São Paulo). Standard Contractual Clauses. | View |
Changelog
- May 26, 2026: Added DigitalOcean and Vultr (geo-distributed probe agents — Network Quality feature). Customer 3CX FQDN names are sent to these regions for TCP connectivity probing only; no call content or credentials.
- May 19, 2026: Initial publication. Stripe, SendGrid, Anthropic, ElevenLabs, Neon, Vercel, Railway.
Contact
Questions about a specific sub-processor or to subscribe to change notices: privacy@sikurd.com.