Security and trust, by default.

Serve runs on SOC 2 Type II–audited infrastructure with encryption everywhere, tenant isolation, and enterprise SSO. The controls your security team expects — in place before the review starts.

Compliance

Audited, certified, continuously monitored.

Security isn't a checkbox we revisit once a year. Our controls are independently audited and monitored around the clock.

SOC 2 Type II

Active

Independently audited controls for security, availability, and confidentiality — report available under NDA.

GDPR

Compliant

Data processing agreements, EU data handling, and data subject request support.

CCPA

Compliant

California consumer privacy rights honored across data access, deletion, and opt-out.

ISO 27001

In progress

Information security management system certification underway, targeted for this year.

HIPAA

Ready

Safeguards and BAAs available for brands handling regulated health-adjacent data.

Controls

Security built into every layer.

From the network to the application to the people who operate it — the controls enterprise buyers expect, in place by default.

Encryption everywhere

Data encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys managed and rotated automatically.

SSO & SAML

Enterprise single sign-on via SAML 2.0 and OIDC, with SCIM provisioning for managed user lifecycles.

Role-based access

Granular RBAC with least-privilege defaults so people only see the accounts and data they need.

Audit logging

Every access and material action is logged and exportable, giving your team a complete audit trail.

Tenant isolation

Your data is logically isolated per customer — never commingled and never used to train shared models.

Penetration testing

Independent third-party penetration tests run regularly, with findings tracked to remediation.

Continuous monitoring

Vulnerability scanning, anomaly detection, and 24/7 alerting across our infrastructure.

Vendor risk review

Every subprocessor is security-reviewed before onboarding and reassessed on an ongoing basis.

Data & privacy

How we handle your data.

Clear answers to the data questions that come up in every enterprise review — before you have to ask them.

Your data stays yours

You own your data. We process it only to deliver the service you've configured — nothing more.

Never used to train shared models

Your data is never used to train models that benefit other customers. Tenant boundaries are enforced.

Data minimization

We collect and retain only what's needed to run your agents, and we make retention windows explicit.

Deletion on request

Request deletion at any time and we remove your data within the contractually agreed window.

Regional data handling

Data is processed in US regions by default, with data processing agreements available for EU requirements.

Infrastructure

Where your data lives.

Serve runs on hardened, US-based cloud infrastructure. We work with a short list of vetted subprocessors, each security-reviewed before onboarding.

| Category | Purpose | Region |
| --- | --- | --- |
| Cloud hosting | Application infrastructure, compute, and encrypted storage | United States |
| AI model providers | LLM inference for agent reasoning, under zero-retention terms | United States |
| Observability | Logging, monitoring, and error tracking | United States |
| Transactional email | Service notifications and account communications | United States |

The complete, current subprocessor list is available under NDA as part of our security package.

Trust

Questions security teams ask.

Can we review your SOC 2 report?

Yes. Our SOC 2 Type II report is available under NDA as part of the security package — request it and we'll share it with your team.

Is our data used to train AI models?

No. Your data is never used to train models shared with other customers. Model providers operate under zero-retention terms.

Do you support SSO and provisioning?

Yes. We support SAML 2.0 and OIDC single sign-on, plus SCIM provisioning so user access follows your identity provider.

Where is our data stored?

On hardened, US-based cloud infrastructure, encrypted in transit and at rest. Data processing agreements are available for EU requirements.

How do you handle vulnerabilities and incidents?

We run continuous vulnerability scanning and regular third-party penetration tests, with a defined incident response process and customer notification commitments.

Can you complete our security questionnaire?

Absolutely. Our security team regularly completes vendor questionnaires (CAIQ, SIG, and custom) and joins security review calls.

Bring Serve to your security review.

Talk to our security team or request the full security package — SOC 2 report, subprocessor list, and questionnaire responses.