TRANSPARENCY

The full list of who touches your data.

Arbyn uses a small number of third‑party services to run. They are listed here, by name, with what they process and where. We update this page before adding anyone new.

Total subprocessors

Last updated

May 20, 2026

Change notice

30 days before

What is a subprocessor?

A subprocessor is any third‑party service Arbyn uses to operate, where that service might touch your data along the way. GDPR Article 28 requires us to disclose them. It's also just the honest thing to do. This page is the full list. Nobody else.

THE LIST

Six services. That's it.

Each row shows what the vendor does, what they process, where they host it, and their compliance posture. Every name links to their own DPA or privacy page so you can audit them directly.

Subprocessor

What we use them for

What they process

Region

DPA / Trust

Infrastructure

Render

Render Services, Inc. · US

SOC 2 Type 2

ISO 27001

Application hosting, database, background workers. The compute Arbyn runs on.

All Arbyn application data at rest and in transit.

US (default)

EU available on request

render.com/legal →

AI / LLM inference

Deep Infra

Deep Infra, Inc. · US

No-training policy

Hosts open‑source LLMs. Arbyn runs heavy frontier-grade AI/LLM models (Qwen, Llama, Mixtral, DeepSeek, GLM, Seedance, Flux and more) for all AI reasoning, sales optimization and reply drafting.

Customer message text and order context, sent as inference inputs. Not retained, not used for training.

deepinfra.com/privacy → deepinfra.com/models →

Commerce platform

Shopify

Shopify Inc. · CA

SOC 2 Type 2

PCI‑DSS

Source of order, customer, catalog, and policy data. Arbyn reads via Shopify API.

All commerce data already lives there. Arbyn pulls, doesn't store duplicates long‑term.

Per store

Set by merchant

shopify.com/legal/dpa →

Billing & payments

Shopify Billing

via Shopify App charges · CA

PCI‑DSS

All Arbyn subscriptions are charged through your Shopify admin. We never see your card.

Subscription metadata. No card details ever touch Arbyn.

Per Shopify

shopify.com/legal/dpa →

Transactional email

Resend

Resend, Inc. · US

SOC 2 Type 2

Sends operator‑facing emails (escalations, weekly digests, billing receipts). Not customer‑facing replies.

Email addresses and message bodies for transactional sends only. No marketing lists.

resend.com/legal/dpa →

Postmark

ActiveCampaign LLC · US

SOC 2 Type 2

HIPAA

Sends forwarding emails from Arbyn to merchant inboxes. Used when a customer conversation needs to be relayed or escalated into the merchant's own email.

Email addresses, message bodies, and conversation context routed via their SMTP/API. Delivery logs retained per Postmark policy. Not used for training.

postmarkapp.com/eu-privacy →

CDN & DDoS

Cloudflare

Cloudflare, Inc. · US

SOC 2 Type 2

ISO 27001

DNS, CDN, and DDoS protection for the Arbyn dashboard and chat widget.

HTTPS traffic in transit. Cached static assets only.

Global edge

cloudflare.com/dpa →

If we add a new one, you find out first.

No surprise vendors. No "we updated our DPA, please re‑read 38 pages."

Subscribe to subprocessor change notices and we'll email you whenever this list changes. Standard 30‑day notice. Object in writing and we'll work it out, or you can cancel and your data is deleted.

Subscribe to change notices →

01

30 days before any new subprocessor is added, we email subscribers and update this page.
02

Any merchant on the notice list can object. If we can't address the objection, you may terminate.
03

On termination, your data is deleted within 30 days, with logs retained only for audit minimums.

DOCUMENT VERSION

v1.0 · May 20, 2026

This page is the source of truth. Earlier versions available on request.

QUESTIONS

privacy@onduty‑ops.com

For DPA requests, audit questions, or GDPR Article 28 documentation.