Skip to content
Install on Shopify
Legal/TRUST CENTER

Trust Center

Everything you need to trust us. In one place.

How Arbyn keeps your store and your customers’ data safe, plus every document you or a bigger buyer might ask for, gathered in one place so you never have to chase us for it.

7 subprocessors
SOC 2 + ISO 27001 infrastructure
GDPR + CCPA ready
Zero-retention LLMs
01 · COMPLIANCE STATUS

The current picture, nothing inflated.

What Arbyn actually does with your data, split into two honest groups: the controls we run ourselves today, and the certifications we inherit from our infrastructure or still have on the roadmap. Nothing inflated.

What Arbyn does today
ACTIVE

Shopify GDPR webhooks

All three mandatory Shopify webhooks implemented, customers/data_request, customers/redact (30 days), and shop/redact (48 hours after uninstall). Everything purged.

Shopify App Store compliant
ACTIVE

Minimal Shopify API scopes

Arbyn requests only the Shopify API access scopes it actually needs, no over-permissioning. Full scope list shown in the install modal before you confirm.

Reviewed every release
ACTIVE

GDPR

Controller and processor model documented. SCCs in place for international transfers. DSAR support with 30-day SLA.

DPA available · See details →
ACTIVE

CCPA / CPRA

Right-to-know, right-to-delete, and opt-out flows implemented. California consumer rights honored across all Arbyn surfaces.

Privacy notice current
NOT APPLICABLE

HIPAA

Arbyn doesn't process PHI by default. Postmark (our transactional email subprocessor) is HIPAA-compliant if your use case requires it, contact us.

BAA on request
INHERITED

PCI-DSS

Arbyn never touches card data. All billing flows through Shopify (Level 1 PCI-DSS certified). We're out of scope by design.

Via Shopify Billing
ACTIVE

Zero-retention LLMs

Signed zero-retention agreements with every LLM provider. Inference inputs are never stored, never logged for training, never reused.

ACTIVE

DSAR / Data subject requests

Access, deletion, and portability requests handled within 30 days. Self-serve flow for store owners; email flow for end customers.

privacy@arbyn.app
Certifications: our roadmap, and the infrastructure we run on

Arbyn is not certified on its own yet. The platform runs on Render, which holds a current SOC 2 Type 2 report and an ISO 27001 certificate. Those are Render’s, they are real, and you can request them in the documents below. Arbyn’s own SOC 2 and ISO 27001 are on the roadmap, not claimed as done.

ROADMAP

SOC 2 Type II

Arbyn is not SOC 2 certified yet. The platform runs on Render, whose current SOC 2 Type 2 report is available below. Our own SOC 2 is on the roadmap.

Runs on SOC 2 infrastructure today
ROADMAP

ISO 27001

Render (our infrastructure provider) holds ISO 27001 today, so we inherit the technical controls. Arbyn's own certification is planned, no date committed.

Inherited via Render
03 · DOCUMENTS & REPORTS

Policies, agreements, and reports. Public or on request.

Customer-facing policies are public. Infrastructure audit reports and subprocessor agreements ship on request under NDA, one email to hello@arbyn.app with your name, company, and reason gets you the package within one business day.

Public documents
Customer DPAPUBLIC

Our standard Data Processing Agreement, ready to countersign for your security review.

View →
Privacy policyPUBLIC

What we collect, why, how long we keep it, and who we share it with.

View →
Subprocessor listPUBLIC

Every third party we use. 7 subprocessors · 30-day change notices

View →
Terms of servicePUBLIC

The MSA between Arbyn and you, acceptable use, liability, and termination.

View →
Infrastructure compliance · Render (our hosting provider) · available
SOC 2 Type 2NDA

Independent audit of Render’s Security, Confidentiality, and Availability controls. Oct 2024 to Sep 2025

View document →
SOC 2 Bridge LetterNDA

Addendum covering the period since the SOC 2 Type 2 report closed. Nov 2025

View document →
ISO 27001NDA

Render’s certification to the ISO 27001 Information Security Management standard. Nov 2024 to Nov 2027

View document →
Security PolicyNDA

Render’s internal information security policies. Updated Jul 2025

View document →
Penetration Test ReportNDA

Render’s annual third-party penetration test report. Updated Mar 2026

View document →
GDPR DPAPUBLIC

Data Processing Agreement for personal data processed on Render infrastructure. Updated Jan 2025

View document →
SOC 3PUBLIC

SOC 2 results prepared for a general audience. No NDA required. Oct 2024 to Sep 2025

View document →
Render NDAPUBLIC

Mutual NDA to accept before viewing the confidential documents above. Updated Dec 2024

View document →
Subprocessor DPAs · available on request
LLM provider DPAsON REQUEST

Zero-retention agreements with our AI model providers, details available under NDA.

Request →
Postmark BAA (HIPAA)ON REQUEST

If your use case requires HIPAA, our transactional email subprocessor offers a BAA. We'll set it up.

Request →
All other subprocessor DPAsON REQUEST

Cloudflare, Shopify, AWS, Sentry, we'll share each one as needed for your security review.

Request →
04 · SECURITY CONTACTS

How to reach the right person for the right thing.

Each inbox is monitored by a real human. Aim for the right one and you'll get a faster, more useful reply.

VULNERABILITY DISCLOSURE
Found something?
security@arbyn.app
Responsible disclosure. 48-hour acknowledgement, public credit if you want it.
DATA SUBJECT REQUESTS
Access, deletion, portability
privacy@arbyn.app
DSARs handled within 30 days per GDPR/CCPA. Identity verification required.
SUBPROCESSOR CHANGES
30-day notice subscription
subprocessors@arbyn.app
Email this address with "subscribe" in the subject. You'll get notified before any subprocessor changes.
INCIDENT REPORTING
Something looks wrong?
incidents@arbyn.app
Suspected breach, abuse, or operational issue. Critical incidents acknowledged within 1 hour.

Need anything that isn't here? Just ask.

We answer security review questions in plain English, fast. One email to hello@arbyn.app reaches the founders, not a ticketing system.