— Legal
Sub-processors
Last updated April 27, 2026
We host on Google Cloud Finland by default. Every other sub-processor that touches your data is opt-in: it’s engaged only when you enable a feature, integration or configuration choice that requires it. If you want a configuration that excludes any specific optional sub-processor, write to asiakaspalvelu(at)serviceform.com.
Last updated: 27 April 2026. We give Customers at least 30 days’ notice before adding a new sub-processor we control, and relay upstream-provider changes promptly. Subscribe to change notifications by writing to the address above.
Part A — What we provide to our Customers
Sub-processors that process Customer Data
These third parties may process personal data held on a Customer’s behalf as a processor under our Data Processing Agreement. They are split into core (always engaged) and optional (engaged only by configuration choices).
A.1 Core sub-processors (engaged for every Customer)
These are always engaged as the foundation of the Service. All are operated by Google Ireland Ltd / Google Cloud EMEA Ltd with EU contracting and EU data residency, governed by the Google Cloud Data Processing Addendum and EU Standard Contractual Clauses.
| Sub-processor | Activated when | Purpose | Data residency |
|---|---|---|---|
| Google Cloud Platform | Always — core sub-processor | Cloud infrastructure, container hosting (Cloud Run) and primary data storage for the Mira platform, including the managed Postgres database that powers the application. | Hamina, Finland (europe-north1) |
| Google Firestore | Always — core sub-processor | Tenant configuration, Pixel settings, leads and Shopify-app installation records. | European Economic Area |
| Google Firebase Realtime Database | Always — core sub-processor | Live-chat conversations and real-time messaging state. | European Economic Area |
| Google Firebase Authentication | Always — core sub-processor | Authentication for Customer staff accounts on the Serviceform Dashboard. | European Economic Area |
| Google Cloud Run | Always — core sub-processor | Logging and stateless application services. | Finland / European Economic Area |
A.2 Optional sub-processors (engaged only by your configuration)
Each row below is engaged only when the Customer enables the corresponding feature, integration or configuration choice. Customers may request a configuration that excludes any of these — for example, an “EU-only AI” configuration that uses Google Gemini in EEA regions and disables OpenAI, or a “no-Twilio” configuration that disables outbound SMS and voice.
| Sub-processor | Activated when | Purpose | Data residency |
|---|---|---|---|
| OpenAI Ireland Ltd (compute via OpenAI OpCo, LLC) | Customer subscribes to AI chat / answer features | Large language model inference (GPT family). OpenAI Ireland Ltd is our data processor under a signed DPA dated 11 November 2024 incorporating EU SCCs Module 2 and 3. API request and response data is retained for a maximum of 30 days for abuse-monitoring before deletion. OpenAI does not use Serviceform API data to train or improve its models. Personal data is automatically redacted from end-user input before forwarding. | Ireland (contracting); United States (compute) |
| Google AI / Gemini API | Customer subscribes to AI chat / answer features and selects Gemini | Large language model inference. Operates under enterprise API terms that bar use of Customer Data for model training. Personal data is automatically redacted from end-user input before forwarding. | European Economic Area / United States |
| Twilio (Voice and Programmable Messaging) | Customer enables voice, SMS or WhatsApp messaging features | Voice calling, SMS and WhatsApp Business messaging delivery. | European Economic Area / United States |
| Twilio SendGrid | Customer enables transactional / lead-notification email | Transactional email delivery (lead notifications, system emails). | European Economic Area (configurable EU sending region) |
| Meta Platform Integration (Facebook Messenger, Instagram Direct, WhatsApp Business) | Customer connects Meta business accounts to the Social Inbox | Routing of inbound customer-support messages from Meta-owned platforms. Message data is routed through Meta’s platform under Meta’s data-processing terms and the Customer’s Meta data-residency configuration. | Per Meta data-residency configuration |
| Zapier | Customer enables Zapier-based forwarding (native CRM integrations are also available without Zapier) | Optional forwarding of lead-related personal data to a Customer’s CRM, ERP or other system. Zapier deletes data from two months prior on the first Monday of each month. | United States |
| Microsoft Authentication (Microsoft Entra ID) | Customer’s staff sign in via Microsoft Outlook SSO | Single sign-on. Stored in Microsoft data centres according to the Customer’s regional configuration under Microsoft’s Data Protection Addendum. | Per Customer’s Microsoft tenant configuration |
| Google OAuth / Google Sign-in | Customer’s staff sign in via Google Workspace SSO | Single sign-on. Stored in Google data centres according to the Customer’s regional configuration under Google Cloud’s Data Processing Addendum. | Per Customer’s Google Workspace tenant configuration |
| Apple App Store | Customer’s staff install the Serviceform iOS application | Mobile app distribution. | United States |
| Google Play Store | Customer’s staff install the Serviceform Android application | Mobile app distribution. | United States |
| Cloudflare | Customer uses the Serviceform widget on a website | CDN, DDoS protection and bot mitigation for widget delivery. | Global (with EU localisation where supported) |
| Sentry | Default error-and-performance telemetry from Customer-facing endpoints (can be disabled on request) | Error tracking and performance traces with IP truncation enabled. | European Economic Area (EU-only project) |
| Elastic Cloud (Elasticsearch B.V.) | Statistics, search and live-chat indexing features | Search and analytics engine. Statistics (no PII): Finland; live-chat index: Finland; logs: Germany. | Finland and Germany (EEA) |
| Typesense | Search features inside the Serviceform Dashboard | Search index for tools, leads and configuration. | European Economic Area |
| WhatsApp Business API (via Meta or Twilio) | Customer enables WhatsApp messaging through their tools (the Customer must have its own WhatsApp Business contractual relationship) | Receiving and sending WhatsApp messages on behalf of the Customer. | Per Meta / Twilio configuration |
| HelloSign / Dropbox Sign | Electronic signature of agreements with the Customer’s signatories | Electronic signatures. | United States |
Part B — What we use for Serviceform itself
Service providers for Serviceform’s own operations
These third parties support Serviceform’s own business — billing, accounting, payroll, sales, marketing, internal productivity. They do not process Customer end-user data. Where they process personal data of Serviceform website visitors, prospects, employees or business contacts, Serviceform Oy is the controller and the processing is described in the Privacy Policy.
| Service provider | Purpose for Serviceform | Data residency |
|---|---|---|
| Stripe | Payment processing for Serviceform subscriptions. Customer billing contact details only — alternative invoice billing is available. | United States (with regional EU collection) |
| Netvisor | Finnish accounting and Finnish payroll for Serviceform employees. | Finland |
| Fortnox | Swedish accounting and Swedish payroll for Serviceform employees. | Sweden |
| QuickBooks | Bookkeeping for Serviceform group entities. | United States |
| IBAN | Bank account validation for invoicing. | Germany |
| HubSpot | Serviceform’s own CRM and marketing automation (one of three CRM tools used by Serviceform). | United States |
| Pipedrive | Serviceform’s own CRM and sales pipeline (one of three CRM tools used by Serviceform). | European Economic Area |
| GetAccept | Digital Sales Room for Serviceform’s B2B sales process. | European Economic Area |
| Mixmax | Email sequencing and sales engagement used by Serviceform sales staff. | United States |
| Mailchimp | Serviceform’s own newsletter and marketing email. | United States |
| Reply.io | Serviceform’s own outbound sales engagement. | United States |
| LinkedIn Sales Navigator | Serviceform’s own sales prospecting. | United States |
| Leadfeeder / Dealfront | Serviceform’s own visiting-company identification (consent-based, marketing site only). | European Economic Area |
| Google Analytics 4 | Analytics on Serviceform’s own marketing websites (consent-based). | United States with EU regional collection |
| Google Tag Manager | Tag management on Serviceform’s own marketing websites. | United States |
| Google Ads | Serviceform’s own advertising and conversion measurement (consent-based). | European Economic Area |
| LinkedIn Ads / LinkedIn Insight Tag | Serviceform’s own advertising and conversion tracking (consent-based). | European Economic Area / United States |
| Facebook Pixel / Facebook Connect | Serviceform’s own advertising effectiveness measurement and authentication (consent-based). | European Economic Area / United States |
| Twitter / X Ads | Serviceform’s own advertising (consent-based). | United States |
| Hotjar | Aggregated behavioural analytics on Serviceform’s own marketing websites (consent-based). | Ireland |
| Mixpanel | Product analytics on the Serviceform Dashboard (consent-based). | United States |
| Usercentrics | Cookie-consent management on Serviceform’s own websites. | European Economic Area |
| Slack | Serviceform’s own internal communication. | United States |
| Google Workspace (Gmail, Drive, Meet) | Serviceform’s own business email, file storage, video conferencing. | Per Serviceform’s tenant configuration (EEA primary) |
| Microsoft 365 | Serviceform’s own productivity tooling for staff who use it. | Per Serviceform’s tenant configuration (EEA primary) |
| Canva | Design and creative-asset production by Serviceform staff. | Global |
| New Relic | Application-performance monitoring of Serviceform’s own infrastructure. | Global |
| Drupal (managed CMS instances) | Legacy content-management for Serviceform’s own marketing sites. | United States |
| Webflow | Legacy hosting of Serviceform’s own marketing sites. | United States |
Customer-authorised integration destinations (e.g. your own Klaviyo, Brevo, HubSpot, Salesforce, Pipedrive, ActiveCampaign, LianaMailer, Mailchimp, Microsoft Dynamics 365, Linear, Shopify, WooCommerce, Shipit, DHL or Matkahuolto account) are not Serviceform sub-processors. When you connect such an integration, Serviceform forwards data to your own account on your explicit instruction; the receiving system is then governed by its own privacy notice and your contract with that provider.
Our supervisory authority is the Office of the Data Protection Ombudsman of Finland (tietosuoja.fi).