Transparency
The full list of who touches your data.
Arbyn uses a small number of third-party services to run. They are listed here, by name, with what they process and where. We update this page before adding anyone new.
A subprocessor is any third-party service Arbyn uses to operate, where that service might touch your data along the way. GDPR Article 28 requires us to disclose them. It’s also just the honest thing to do. This page is the full list. Nobody else.
Seven services. That’s it.
Each row shows what the vendor does, what they process, where they host it, and their security certifications. Every name links to their own privacy or data processing page so you can check them directly.
| Subprocessor | What we use them for | What they process | Region | Legal / trust |
|---|---|---|---|---|
| Infrastructure | ||||
Render Render Services, Inc. · US SOC 2 Type 2ISO 27001 | Application hosting, database, background jobs. The servers Arbyn runs on. | All Arbyn application data at rest and in transit. | US (default) EU available on request | |
| AI / LLM inference | ||||
Deep Infra Deep Infra, Inc. · US No-training policy | Hosts the open-source AI models Arbyn uses for all reasoning, sales suggestions, and reply drafting. | Your customers' message text and order details, sent so the AI can draft a reply. Not stored, not used for training. | US | |
| Commerce platform | ||||
Shopify Shopify Inc. · CA SOC 2 Type 2PCI-DSS | Source of order, customer, catalog, and policy data. Arbyn reads via Shopify API. | All commerce data already lives there. Arbyn pulls, doesn't store duplicates long-term. | Per store Set by store owner | |
| Billing & payments | ||||
Shopify Billing via Shopify App charges · CA PCI-DSS | All Arbyn subscriptions are charged through your Shopify admin. We never see your card. | Subscription metadata. No card details ever touch Arbyn. | Per Shopify | |
| Transactional email | ||||
Resend Resend, Inc. · US SOC 2 Type 2 | Sends emails to you (escalations, weekly digests, billing receipts). Not replies to your customers. | Email addresses and message bodies for transactional sends only. No marketing lists. | US | |
Postmark ActiveCampaign LLC · US SOC 2 Type 2HIPAA | Sends forwarding emails from Arbyn to your inbox. Used when a customer conversation needs to be relayed or escalated into your own email. | Email addresses, message bodies, and conversation context routed through their service. Delivery logs kept per Postmark's policy. Not used for training. | US | |
| CDN & DDoS | ||||
Cloudflare Cloudflare, Inc. · US SOC 2 Type 2ISO 27001 | DNS, CDN, and DDoS protection for the Arbyn dashboard and chat widget. | HTTPS traffic in transit. Cached static assets only. | Global edge | |
| Website analytics | ||||
Microsoft Clarity Microsoft Corporation · US Consent-gatedText masked | Anonymized session replay and heatmaps on the arbyn.app marketing site. Loads only after the visitor grants the Session recording category. | Masked page interactions (clicks, scrolls) on the marketing site. No form or message content, and never on the dashboard or chat. | US | |
| Website advertising | ||||
Meta Pixel Meta Platforms, Inc. · US Consent-gated | Measures Arbyn's own ad campaigns and conversions on the marketing site. Loads only after the visitor grants the Marketing category. | Hashed email and conversion events for ad measurement, from the browser and the server-side Conversions API. Marketing-site visitors only. | US | |
LinkedIn Insight Tag LinkedIn Corporation · US Consent-gated | Measures Arbyn's own LinkedIn ad campaigns on the marketing site. Loads only after the visitor grants the Marketing category. | Ad-measurement identifiers for marketing-site visitors. Never on the dashboard or chat. | US | |
If we add a new one, you find out first.
No surprise vendors. No “we updated our DPA, please re-read 38 pages.”
Subscribe to subprocessor change notices and we’ll email you whenever this list changes. Standard 30 days notice. Object in writing and we’ll work it out, or you can cancel and your data is deleted.
Subscribe to change notices- 0130 days before any new subprocessor is added, we email subscribers and update this page.
- 02Any store owner on the notice list can object. If we can't address your objection, you can cancel.
- 03If you cancel, your data is deleted within 30 days. We keep only the minimum logs the law requires.