Cervito Sub-processor List

Last updated: 2026-05-17
Effective date: 2026-05-17
Notice period for changes: 30 days (Cervito will email all active merchants
before adding a new sub-processor)

Cervito (the "Service") engages the third parties listed below to deliver the
AI Shop Assistant product. Each is contractually bound under their own Data
Processing Addendum (DPA) or equivalent agreement, and each provides Standard
Contractual Clauses (SCCs) for international data transfers where the
processing involves personal data of EU/UK data subjects.

This list is canonical. If you have questions or want a copy of any specific
DPA, email privacy@cervito.app.

1. Sub-processors processing Visitor / End-Customer personal data

These vendors process personal data that originates from your storefront
visitors (chat messages they type, email addresses they submit, product
interactions, etc.) on Cervito's behalf as a Processor.

#	Sub-processor	Role / Purpose	Data processed	Hosting region(s)	Vendor DPA / Security
1	Anthropic, PBC (USA)	LLM provider for chat responses (Claude API)	Visitor chat messages + recent assistant turns + your store catalog snippets + visitor's name and last-purchase titles if identified. Zero-retention on Anthropic's side per their commercial API terms.	USA (primary). EU/UK routing via Bedrock is on Cervito's roadmap.	Anthropic DPA · Trust Center
2	OpenAI, L.L.C. (USA)	Vector embeddings for product semantic search (`text-embedding-3-small`)	Product titles, descriptions, tags from your Shopify catalog only. NO visitor chat or PII is sent to OpenAI.	USA	OpenAI DPA · Trust Portal
3	Shopify Inc. (Canada / USA / EU)	E-commerce platform integration (Admin API + Storefront API)	Your store catalog, order data, customer email/name/order history (only for shops that grant the `read_customers` scope). Cervito is a Processor of this data; Shopify remains the Controller.	Multi-region (your shop's primary region)	Shopify DPA · Shopify Trust Center
4	Railway Corp (USA)	Application + database hosting (Cervito's server + SQLite DB)	All Cervito data stored on Railway's managed volumes (encrypted at rest by Railway).	USA (us-west, us-east)	Railway DPA · Security

2. Sub-processors processing Merchant personal data only

These vendors only handle data about you (the merchant) — your name, email,
billing address, dashboard activity. They do not see your visitors' data.

#	Sub-processor	Role / Purpose	Data processed	Hosting region(s)	Vendor DPA / Security
5	Resend, Inc. (USA)	Transactional email delivery (signup verification, daily debrief, cost-budget alerts)	Merchant email address, merchant name, email subject + body content.	USA (with EU edge delivery)	Resend DPA · Security
6	Google LLC (USA)	OAuth sign-in (`Sign in with Google`) — only invoked if you choose this sign-in method	Email address + Google profile name	Multi-region	Google Cloud DPA · Trust Center

3. Sub-processors that may be added later (NOT currently active)

These are listed in advance because they're on Cervito's near-term roadmap.
Merchants will be re-notified 30 days before any of these become active
sub-processors.

Sub-processor	Planned role	Status
Stripe, Inc.	Billing (currently OFF — Cervito uses bank-transfer invoicing). When re-enabled, Stripe will process merchant payment instruments only.	Not currently engaged (Phase 1: 2026-Q3 planned)
AWS Bedrock (EU regions)	Alternate Claude API routing for EU data residency.	Roadmap (no active processing)

International data transfers

Personal data of EU/UK data subjects that flows to a sub-processor located
outside the EEA/UK is transferred under:

Standard Contractual Clauses (Module 3: Processor-to-Processor) —

signed between Cervito and each non-EU sub-processor listed above.

Adequacy decisions where applicable (e.g. UK adequacy, Swiss-US Data

Privacy Framework for participating sub-processors).

Supplementary measures including encryption in transit (TLS 1.2+),

encryption at rest (AES-256-GCM for Shopify tokens + database file-level), access controls (Cervito staff only; no third-party access), and the Shopify-mandated GDPR webhooks (customers/redact, shop/redact, customers/data_request).

A copy of the SCCs is available on request.

How to object to a new sub-processor

If Cervito adds a new sub-processor, you'll receive at least 30 days notice
via the email associated with your Cervito account. You may object by
emailing privacy@cervito.app within that 30 days. If we can't accommodate
your objection (e.g. by routing your shop's data away from the new
sub-processor), you have the right to terminate your contract for cause
with a pro-rata refund of any prepaid fees.

Changelog

Date	Change
2026-05-17	Initial publication. Anthropic, OpenAI, Shopify, Railway, Resend, Google listed. Stripe + AWS Bedrock listed as not-currently-engaged.