Security & Data Handling

How we handle your data.

Meeting audio, video, and transcripts are sensitive. We take that seriously. This page explains exactly what we collect, how long we keep it, who processes it, and how you can control it.

Last updated: May 2026 · Questions? privacy@serveka.com

What we collect

We only collect what's necessary to provide the service.

Meeting audio & video
Captured by the bot while it is in the meeting. Used for transcription and recording. Deleted after 30 days.
Transcripts
Structured text output from Deepgram, with speaker labels and timestamps. Stored per meeting.
Bot event metadata
Join time, leave time, participant list, meeting duration. No audio or video content.
API keys & workspace config
Your API credentials and workspace settings. Keys are hashed at rest.
Usage metrics
Bot-hours, concurrent bot counts, API call volumes. Used for billing and capacity planning.
Webhook delivery logs
Delivery status, timestamps, response codes. No payload content stored beyond 90 days.

Data retention

Enterprise customers can configure custom retention periods.

Data type | Retention
Meeting recordings (MP4/MP3/WEBM) | 30 days
Transcripts | 30 days
Webhook logs | 90 days
API access logs | 90 days
API keys | Until revoked
Billing records | As required by law

Encryption

Data is encrypted in transit and at rest.

In transit
TLS 1.3

All API traffic uses TLS 1.3. Webhook payloads are HMAC-SHA256 signed via Svix — you can verify every delivery independently.

At rest
AES-256

Stored recordings and transcripts are encrypted at rest with AES-256 on Google Cloud Storage. API keys are hashed, never stored in plaintext.

Bot isolation

Every bot runs in a dedicated, isolated virtual machine.

Each bot request spawns a fresh, isolated VM. Audio capture, browser state, and network traffic from one bot are completely separate from every other bot. There is no shared process, shared audio device, or shared filesystem between bots. VMs are permanently destroyed after the meeting ends — they do not persist or get reused.

Subprocessors

These third-party services process data on our behalf. We have data processing agreements with each one.

Processor
Google Cloud
Deepgram
Svix
Anthropic Claude
ElevenLabs / Cartesia

AI summary and TTS subprocessors are only engaged when you explicitly enable those plugins.

GDPR

Serveka acts as a Data Processor on behalf of our customers, who are the Data Controllers. We process meeting data only as directed by the customer and only for the purpose of providing the service.

Data Processing Agreement (DPA): A DPA is available to all customers on request. Email privacy@serveka.com to request one.

Data subject rights: If you need to exercise access, deletion, rectification, or portability rights over data we hold, contact privacy@serveka.com. We will respond within 30 days.

HIPAA

HIPAA-eligible deployments are available through our Enterprise plan. Enterprise customers deploy Serveka on their own VPC — meeting data never leaves their infrastructure.

Business Associate Agreement (BAA): Available with Enterprise contracts. Contact enterprise@serveka.com to start the conversation.

The shared infrastructure (Pay-as-you-go plan) is not covered under a BAA and should not be used for PHI.

Security questions?

If you have questions about our security practices, want to report a vulnerability, or need a DPA or BAA, reach out directly.