Built to be safe to connect
You're about to give an audit tool an API key to your service desk. Here is exactly what that key can do, what we read, and what we never keep — in plain terms, for the IT manager doing the evaluation.
How access works
The audit uses your Freshservice or Zendesk API with read-only access to count and measure your configuration — categories, knowledge base, SLAs, routing, canned responses, and ticket metadata. It does not modify anything during an audit.
The only write action is the optional "push tasks as tickets" feature, and only when you explicitly enable it and confirm each push. It creates remediation tickets you asked for — it never updates, closes, or reads other tickets.
What we never store
Your API key is held in server memory only for the duration of the audit or ticket-creation request. It is not written to any database, log file, cache, or persistent storage at any point. Raw API keys are not stored.
We do not read or store raw ticket bodies, requester names, requester emails, or end-user contact details. Ticket description length is measured in memory and the text is immediately discarded.
We store only computed scores, metrics, audit history, your connected platform and subdomain, limited category diagnostics, report state, client labels, MSP white-label assets, generated report outputs, and the ticket IDs/URLs returned when you ask us to create tickets.
Hosting, subprocessors & data residency
We use a small set of established providers to run the Service:
- Vercel — hosting and serverless infrastructure
- Vercel KV (or equivalent managed storage) — audit records and product state
- Clerk — authentication and account management
- Stripe — payments, billing, tax, and subscription status
- Resend — transactional email
- Anthropic — optional AI-generated remediation content where enabled
- Freshservice and Zendesk APIs — read during the audit you initiate
Where data is processed outside your region, transfers rely on appropriate safeguards such as adequacy regulations, Standard Contractual Clauses, or the UK International Data Transfer Agreement. A current subprocessor list is available on request.
Encryption, retention & deletion
Data is encrypted in transit (TLS) and stored on encrypted, provider-managed infrastructure. We apply least-data collection — we keep computed metrics, not your ticket content.
Account and audit history are retained while your account is active, unless you delete audits or request deletion. You can request deletion at any time by emailing us; some records may be retained where required by law or fraud prevention.
Payments
Payments are handled by Stripe. Card details are entered on Stripe's infrastructure and never touch our servers — we store billing and payment status only, not full card numbers.
Responsible disclosure
Found a security issue? Email security@servicedeskbuilder.com. We respond within 2 business days and will work with you on a fix. Please give us reasonable time to remediate before public disclosure.
SOC 2: we are not currently certified. We are an early-stage company; our controls are documented on this page and in our Privacy Policy and DPA.
Vendor security questionnaire
Procurement needs paperwork? Download our pre-filled answers to the ~25 most common vendor-security questions — honest about what applies at our size.
Download the questionnaire (PDF)