Legal / TRUST CENTER
TRUST CENTER

Everything a security team needs. In one place.

Arbyn's compliance posture, documentation, and security artifacts — for buyers, auditors, and operators evaluating whether to trust us with their store and their customers.

7 subprocessors
5 active certifications
SOC 2 in progress
Zero-retention LLMs
01 · COMPLIANCE STATUS

The current picture — nothing inflated.

Where Arbyn stands on every compliance and certification line buyers ask about. Honest framing: in-progress is in-progress, roadmap is roadmap. We update this page when status changes.

IN PROGRESS
SOC 2 Type II
Type II audit in progress. Independent assessor engaged. Report available to enterprise customers under NDA on completion.
Target: Q1 2027
ACTIVE
Shopify GDPR Webhooks
All three mandatory Shopify compliance webhooks are implemented: customers/data_request, customers/redact (customer data purged within 30 days), and shop/redact (sent by Shopify 48 hours after uninstall; all data for that shop purged).
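For context on what "implemented" means in practice, here is an added example of a handler for the three compliance topics. It is illustrative code, not Arbyn's, and it assumes a few things: the app's client secret is the constructed APP_SECRET, the storage layer is the hypothetical CustomerStore dict, and payloads follow Shopify's documented shape (shop_domain, customer.id, data_request.id) with constructed sample values. The point it shows is the order of operations: verify the X-Shopify-Hmac-Sha256 signature over the raw body with a constant-time compare, answer 401 if it fails, and only then parse and act on the topic.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed example secret. In production this is the Shopify app's client
# secret, loaded from the environment, never hard-coded.
APP_SECRET = b"constructed-example-app-secret"


def compute_hmac(secret: bytes, raw_body: bytes) -> str:
    """Shopify signs the exact raw request body with HMAC-SHA256 and sends the
    base64-encoded digest in the X-Shopify-Hmac-Sha256 header."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_hmac(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """Constant-time comparison on the raw bytes, done before any JSON parsing:
    re-serialising the body would change what gets signed."""
    expected = compute_hmac(secret, raw_body).encode("ascii")
    supplied = (header_value or "").encode("utf-8")
    return hmac.compare_digest(expected, supplied)


class CustomerStore:
    """Stand-in for the app's database (assumption: a dict keyed by shop domain)."""

    def __init__(self) -> None:
        # shop_domain -> {customer_id: record}
        self.data: dict = {}

    def export_customer(self, shop: str, customer_id: int) -> Optional[dict]:
        return self.data.get(shop, {}).get(customer_id)

    def delete_customer(self, shop: str, customer_id: int) -> bool:
        """customers/redact: True if a record existed and was removed."""
        return self.data.get(shop, {}).pop(customer_id, None) is not None

    def delete_shop(self, shop: str) -> int:
        """shop/redact: drop everything held for that shop, return count removed."""
        return len(self.data.pop(shop, {}))


def handle_compliance_webhook(
    store: CustomerStore,
    topic: str,
    raw_body: bytes,
    hmac_header: Optional[str],
    secret: bytes = APP_SECRET,
) -> Tuple[int, dict]:
    """Returns (http_status, response_body). A failed signature check must yield
    401; Shopify's app review sends deliberately invalid signatures to confirm it."""
    if not verify_hmac(secret, raw_body, hmac_header):
        return 401, {"error": "invalid hmac"}

    payload = json.loads(raw_body)
    shop = payload["shop_domain"]

    if topic == "customers/data_request":
        # The export itself is delivered to the merchant out of band; here we
        # just locate the record and acknowledge the request id.
        record = store.export_customer(shop, payload["customer"]["id"])
        return 200, {"customer": record, "data_request_id": payload["data_request"]["id"]}
    if topic == "customers/redact":
        return 200, {"deleted": store.delete_customer(shop, payload["customer"]["id"])}
    if topic == "shop/redact":
        return 200, {"records_deleted": store.delete_shop(shop)}
    return 404, {"error": "unhandled topic: " + topic}


if __name__ == "__main__":
    # Constructed walk-through: one customer record, one redact request.
    store = CustomerStore()
    store.data["example.myshopify.com"] = {4242: {"email": "pat@example.com"}}
    body = json.dumps(
        {"shop_id": 1, "shop_domain": "example.myshopify.com",
         "customer": {"id": 4242, "email": "pat@example.com"}, "orders_to_redact": []}
    ).encode("utf-8")
    print(handle_compliance_webhook(store, "customers/redact", body, compute_hmac(APP_SECRET, body)))
    print(handle_compliance_webhook(store, "customers/redact", body, "tampered"))
```

The handler deliberately takes the raw bytes rather than a parsed object so the signature is checked over exactly what Shopify signed; a framework that parses JSON before your code runs needs to expose the raw body for this to be sound.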
Shopify App Store compliant
ACTIVE
Minimal Shopify API scopes
Arbyn requests only the Shopify API access scopes it actually needs — no over-permissioning. Full scope list shown in the install modal before you confirm.
Reviewed every release
ACTIVE
GDPR
Controller + processor model documented. SCCs in place for international transfers. DSAR support with 30-day SLA.
DPA available · See details →
ACTIVE
CCPA / CPRA
Right-to-know, right-to-delete, and opt-out flows implemented. California consumer rights honored across all Arbyn surfaces.
Privacy notice current
NOT APPLICABLE
HIPAA
Arbyn doesn't process PHI by default. If your use case requires HIPAA, our transactional email subprocessor (Postmark) can sign a BAA; contact us at hello@arbyn.app to set it up.
BAA on request
INHERITED
PCI-DSS
Arbyn never touches card data. All billing flows through Shopify (Level 1 PCI-DSS certified). We're out of scope by design.
Via Shopify Billing
ROADMAP
ISO 27001
Planned after SOC 2 Type II concludes. Our infrastructure provider (Render) holds ISO 27001 today, so the physical and platform-level controls are inherited; Arbyn's own management system is not yet certified.
Target: 2027+
ACTIVE
Zero-retention LLMs
Signed zero-retention agreements with every LLM provider. Inference inputs are never stored, never logged for training, never reused.
ACTIVE
DSAR / Data subject requests
Access, deletion, and portability requests handled within 30 days. Self-serve flow for operators; email flow for end customers.
privacy@arbyn.app
02 · WHERE TO FIND WHAT

The five pages a buyer's security team usually wants.

Each link below goes to a dedicated page with full detail. Together they answer about 90% of procurement questions before you ever need to email us.

03 · DOCUMENTS & REPORTS

Policies, agreements, and reports. Public or on request.

Customer-facing policies are public. Audit artifacts and subprocessor agreements ship on request under NDA — one email to hello@arbyn.app with your name, company, and reason gets you the package within one business day.

Public documents
Customer DPA PUBLIC
Our standard Data Processing Agreement. Last updated: Mar 2026 · v1.2
View →
Privacy policy PUBLIC
What we collect and how we use it. Last updated: Mar 2026 · v2.0
View →
Subprocessor list PUBLIC
Every third party we use. 7 subprocessors · 30-day change notices
View →
Terms of service PUBLIC
MSA, acceptable use, liability. Last updated: Mar 2026 · v1.4
View →
Render SOC 3 report PUBLIC
Our infrastructure provider's publicly available SOC 3 (covers Security, Confidentiality, Availability). Period: Oct 2024 – Sep 2025
View →
Arbyn audit artifacts · available on request
SOC 2 Type II report (Arbyn) IN PROGRESS
Independent audit in flight. Released to enterprise customers under NDA on completion. Target: Q1 2027
Available Q1 2027
Penetration test summary (Arbyn) IN PROGRESS
Annual third-party pen test. Executive summary shareable under NDA. Target: Q1 2027
Available Q1 2027
Security questionnaires (SIG / CAIQ) ON REQUEST
Completed SIG Lite / CAIQ · happy to fill in your custom security questionnaire too.
Request →
Business continuity & incident response plan ON REQUEST
Disaster recovery, RPO/RTO, runbook for security incidents and breach notification.
Request →
Subprocessor compliance package · available on request
Render compliance bundle ON REQUEST
Available now: SOC 3, GDPR DPA, Render NDA · Coming: SOC 2 Type II, ISO 27001, pen test, security policy
Request →
LLM provider DPAs ON REQUEST
Zero-retention agreements with our inference providers (Deep Infra and others) · details under NDA.
Request →
Postmark BAA (HIPAA) ON REQUEST
If your use case requires HIPAA, our transactional email subprocessor offers a BAA. We'll set it up.
Request →
All other subprocessor DPAs ON REQUEST
Cloudflare, Shopify, AWS, Sentry — we'll share each one as needed for your security review.
Request →
04 · SECURITY CONTACTS

How to reach the right person for the right thing.

Each inbox is monitored by a real human. Aim for the right one and you'll get a faster, more useful reply.

VULNERABILITY DISCLOSURE
Found something?
security@arbyn.app
Responsible disclosure. 48-hour acknowledgement, public credit if you want it.
DATA SUBJECT REQUESTS
Access, deletion, portability
privacy@arbyn.app
DSARs handled within 30 days per GDPR/CCPA. Identity verification required.
SUBPROCESSOR CHANGES
30-day notice subscription
subprocessors@arbyn.app
Email this address with "subscribe" in the subject. You'll get notified before any subprocessor changes.
INCIDENT REPORTING
Something looks wrong?
incidents@arbyn.app
Suspected breach, abuse, or operational issue. Critical incidents acknowledged within 1 hour.

Need anything that isn't here? Just ask.

We answer security review questions in plain English, fast. One email to hello@arbyn.app reaches the founders — not a ticketing system.