SECURITY

Built on certified infra. Locked down on top.

Arbyn runs on Render, which carries SOC 2 Type 2 and ISO 27001 at the infrastructure layer. On top of that, we make a small number of opinionated choices about how your customer data moves through Arbyn. Here is the full picture.

Infra: SOC 2 Type 2 (Render)
Infra: ISO 27001 (Render)
LLM: zero retention
EU residency available
ARCHITECTURE

Two layers. Two different jobs.

Security at a SaaS company is two things stacked. The infrastructure underneath, which we outsource to a vendor whose entire business is being audited. And the application on top, which is ours to get right.

Application layer · Arbyn
How customer messages, Shopify actions, and AI inference flow through Arbyn. Voice fingerprints, kill switch, audit log, refund ceilings, role‑based access. This is ours.
Owned by ONDUTYOPS
Infrastructure layer · Render
Servers, databases, networking, OS patching, physical security. Render carries SOC 2 Type 2, ISO 27001, runs annual third‑party penetration tests, and publishes a GDPR DPA. We borrow their work, on purpose.
Audited by BARR Advisory
01 · Application layer

What Arbyn does on top.

The choices we make about your data are the ones that earn the install. Six concrete controls, no enterprise theater, every one of them shipping today.

Zero‑retention LLM
Customer messages and order context sent to Deep Infra for inference are not retained, not logged for training, not shared with anyone. Open‑source models (Llama, Mixtral, Qwen) running on dedicated inference, under a no‑training policy.
Encryption everywhere
TLS 1.3 in transit across every request. AES‑256 at rest on the database, managed by Render. API tokens stored encrypted with rotating keys.
Audit log to Shopify timeline
Every action Arbyn takes (refund, cancel, address edit, discount, reply) writes to the Shopify order timeline. Audit history lives where you already look. No invisible actions, ever.
One‑click kill switch
One toggle in the dashboard pauses every channel instantly. Drafts pause mid‑write. Auto‑send disables. Customers don't get partial replies. Resume the same way you stopped.
Refund ceilings
Hard limits on any money‑moving action. Per‑action, per‑day, per‑channel. Set them once, Arbyn won't exceed them. If a customer ask is above ceiling, it escalates to you.
Role‑based access
Internal access is least‑privilege by default. Only the necessary team has prod access. When we hire, every new engineer signs the same access policy: justification required, action logged.
02 · Infrastructure layer

What Render brings to the table.

Render is the cloud platform Arbyn runs on. They publish their own compliance posture and we inherit it for the layer we don't control. Their public compliance docs are the source of truth for everything infra-level.

SOC 2 Type 2
Independent audit of Security, Confidentiality, and Availability controls.
Oct 2024 – Sep 2025 (bridge letter Nov 2025)
Renewed annually
ISO 27001
International standard for Information Security Management Systems.
Nov 2024 – Nov 2027 certification cycle
3‑year cert
SOC 3
Public version of the SOC 2 report, available without NDA.
Same audit period as SOC 2
Publicly available
Annual Penetration Test
Third‑party security assessment of Render's production environment.
Last completed Mar 2026
Yearly cadence
GDPR DPA
Data Processing Addendum with Standard Contractual Clauses, EU‑ready.
Updated Jan 2025
Publicly available
CCPA
California Consumer Privacy Act compliance covered in Render's DPA.
Continuous
Covered
EU + US regions
Workloads can be hosted in Frankfurt, Oregon, or Virginia. Default is US‑Oregon.
EU on request
Region‑pinned
Render's audit library
Full library: SOC 2 Type 2, ISO 27001 cert, Pen Test, security policy.
DATA FLOW

What actually happens when a customer emails.

01 / INBOUND
Customer sends email
Inbound mail hits your support address. Arbyn forwards the message body, customer email, and order ID into the application (TLS 1.3 in transit).
Encrypted · logged
02 / CONTEXT
Arbyn pulls Shopify context
Order, customer history, fulfillment status, and your store policies pulled fresh from Shopify via OAuth. No copy is kept past the conversation lifecycle.
Live API call
03 / INFERENCE
Reasoning runs on LLMs
Message + context sent to Arbyn's third-party models for inference. Not retained, not used for training, returned and forgotten. Reply drafted in your voice fingerprint.
Zero retention
04 / ACTION
Reply sent, action logged
Final reply sent from your domain. Any Shopify action (refund, cancel, edit) writes to your store's order timeline. Conversation stored encrypted in your region.
Audit trail
THE PROMISES

Six things we won't do.

If we ever change one of these, we email every customer, publish it on the Changelog, and you can cancel and take your data with you. No surprises.

We will not sell your data.
No third‑party data brokers, no marketing partner lists, no anonymized‑but‑monetized data products. Your customer data is yours.
We will not train models on your data.
Customer messages and your support history are not training data. Deep Infra's terms confirm this at the inference layer. Voice fingerprint is a derived feature vector, not the raw text.
We will not take silent actions.
Every refund, cancel, address change, and discount Arbyn applies writes to the Shopify order timeline. If we did it, you'll see it. Same place you already look.
We will not add subprocessors without notice.
30‑day public notice before any new subprocessor is added. Object in writing and we'll work it out, or cancel and your data is deleted.
We will not lock you in.
Cancel anytime from your Shopify admin. Your data is exported on cancellation, and deleted from Arbyn within 30 days, retaining only audit logs required by law.
We will not hide incidents.
Any security incident affecting your data, disclosed within 72 hours of detection, by email, with full scope and remediation. This is the GDPR floor. We treat it as the ceiling too.
CONTACT

Talk to a human about security.

DPA requests, audit questionnaires, vulnerability disclosures, GDPR Article 15 access requests. Real reply within 1 business day.

SECURITY QUESTIONS & AUDITS
security@onduty-ops.com
For DPA requests, security questionnaires, custom MSAs, or anything else that goes in front of your legal team.
VULNERABILITY DISCLOSURE
security@onduty-ops.com
Found something? Email us with details. We acknowledge within 24h and patch fast. No bug bounty program yet, but we publicly credit responsible disclosure.
READY TO TRY ARBYN?

Certified infra. Honest application layer.

$149/mo. 21-day calibration. No card up front. Install from Shopify and your data stays in the lane you'd expect.