Trust Center
Everything you need to trust us. In one place.
How Arbyn keeps your store and your customers’ data safe, plus every document you or a bigger buyer might ask for, gathered in one place so you never have to chase us for it.
The current picture, nothing inflated.
What Arbyn actually does with your data, split into two honest groups: the controls we run ourselves today, and the certifications we inherit from our infrastructure or still have on the roadmap. Nothing inflated.
Shopify GDPR webhooks
All three mandatory Shopify webhooks implemented, customers/data_request, customers/redact (30 days), and shop/redact (48 hours after uninstall). Everything purged.
Minimal Shopify API scopes
Arbyn requests only the Shopify API access scopes it actually needs, no over-permissioning. Full scope list shown in the install modal before you confirm.
GDPR
Controller and processor model documented. SCCs in place for international transfers. DSAR support with 30-day SLA.
CCPA / CPRA
Right-to-know, right-to-delete, and opt-out flows implemented. California consumer rights honored across all Arbyn surfaces.
HIPAA
Arbyn doesn't process PHI by default. Postmark (our transactional email subprocessor) is HIPAA-compliant if your use case requires it, contact us.
PCI-DSS
Arbyn never touches card data. All billing flows through Shopify (Level 1 PCI-DSS certified). We're out of scope by design.
Zero-retention LLMs
Signed zero-retention agreements with every LLM provider. Inference inputs are never stored, never logged for training, never reused.
DSAR / Data subject requests
Access, deletion, and portability requests handled within 30 days. Self-serve flow for store owners; email flow for end customers.
Arbyn is not certified on its own yet. The platform runs on Render, which holds a current SOC 2 Type 2 report and an ISO 27001 certificate. Those are Render’s, they are real, and you can request them in the documents below. Arbyn’s own SOC 2 and ISO 27001 are on the roadmap, not claimed as done.
SOC 2 Type II
Arbyn is not SOC 2 certified yet. The platform runs on Render, whose current SOC 2 Type 2 report is available below. Our own SOC 2 is on the roadmap.
ISO 27001
Render (our infrastructure provider) holds ISO 27001 today, so we inherit the technical controls. Arbyn's own certification is planned, no date committed.
The five pages worth reading first.
Each link goes to a page with the full detail. Together they answer almost everything you would want to know before you install, no email to us required.
Security overview
Architecture, data flow, encryption, access controls, incident response. What actually happens when a customer emails.
Privacy policy
What we collect, why, how long we keep it, who we share it with. Plain English first, lawyers second.
GDPR & DPA
Our customer DPA, standard contractual clauses, EU-resident processing options, DSAR handling.
Subprocessors
Every third party Arbyn uses, what they process, where they're based, link to their DPA. Subscribe to change notices.
Terms of service
The MSA between Arbyn and you. Acceptable use, liability, termination. The boring legal but readable.
Need more?
Email us for infrastructure SOC 2 and pen test reports, subprocessor DPAs, or a completed security questionnaire, anything gated below.
Policies, agreements, and reports. Public or on request.
Customer-facing policies are public. Infrastructure audit reports and subprocessor agreements ship on request under NDA, one email to hello@arbyn.app with your name, company, and reason gets you the package within one business day.
Our standard Data Processing Agreement, ready to countersign for your security review.
What we collect, why, how long we keep it, and who we share it with.
Every third party we use. 7 subprocessors · 30-day change notices
The MSA between Arbyn and you, acceptable use, liability, and termination.
Independent audit of Render’s Security, Confidentiality, and Availability controls. Oct 2024 to Sep 2025
Addendum covering the period since the SOC 2 Type 2 report closed. Nov 2025
Render’s certification to the ISO 27001 Information Security Management standard. Nov 2024 to Nov 2027
Render’s internal information security policies. Updated Jul 2025
Render’s annual third-party penetration test report. Updated Mar 2026
Data Processing Agreement for personal data processed on Render infrastructure. Updated Jan 2025
SOC 2 results prepared for a general audience. No NDA required. Oct 2024 to Sep 2025
Mutual NDA to accept before viewing the confidential documents above. Updated Dec 2024
Zero-retention agreements with our AI model providers, details available under NDA.
If your use case requires HIPAA, our transactional email subprocessor offers a BAA. We'll set it up.
Cloudflare, Shopify, AWS, Sentry, we'll share each one as needed for your security review.
How to reach the right person for the right thing.
Each inbox is monitored by a real human. Aim for the right one and you'll get a faster, more useful reply.
Need anything that isn't here? Just ask.
We answer security review questions in plain English, fast. One email to hello@arbyn.app reaches the founders, not a ticketing system.