Subprocessors
Version: 1.0
Last updated: 29 Jan 2026
Applies to: the Arrowdot platform and services
Privacy: [email protected]
Security: [email protected]
1. Introduction
This page lists the third-party subprocessors we use to provide the Arrowdot platform and services. These subprocessors may process customer data on our behalf as part of providing infrastructure, hosting, analytics, and support services.
We carefully select and monitor our subprocessors to ensure they maintain appropriate security and privacy standards consistent with our obligations under applicable data protection laws.
2. Current subprocessors
The following subprocessors are currently engaged to process customer data:
| Subprocessor | Purpose | Location | Notes |
|---|---|---|---|
| Cloudflare, Inc. | CDN, DNS, WAF, edge caching | Global edge network; USA (headquarters) | Delivers assets, protects against abuse, and provides edge caching. Logs retained per Cloudflare policy. |
| Cloudflare R2 | Object storage for build artifacts and public assets | Global (Cloudflare network); USA (headquarters) | Stores compiled React components and build outputs. Public bucket for asset serving. |
| Fly.io, Inc. | Application hosting, containers, network | Customer-selected regions (EU/UK/US); USA (headquarters) | Primary runtime for Arrowdot-managed hosting infrastructure. |
| Stripe, Inc. | Payment processing, subscriptions, Stripe Connect marketplace | US (primary); EU data residency available; USA (headquarters) | Handles subscription billing and one-time payments. Stripe Connect used for marketplace enablement. Webhook integration for billing status sync. |
| Amazon Web Services, Inc. | S3 object storage for user uploads and exports | us-west-2 (Oregon); USA (headquarters) | Primary blob storage for user file uploads and generated exports. Region-specific bucket configuration. |
| Functional Software, Inc. (Sentry) | Error tracking and application monitoring | US (Sentry cloud); USA (headquarters) | Captures application errors for debugging. Configured to minimize PII in error context. |
| Grafana Labs | Application metrics, logs, traces | US or EU (customer-selected); USA/Sweden (headquarters) | Grafana Cloud for system performance monitoring. Configured not to include confidential information in production. |
| Langfuse GmbH | LLM observability, tracing, and analytics | EU (Langfuse Cloud); Germany (headquarters) | Tracks LLM usage, latency, and costs. May contain prompt/completion content for debugging. |
| GitHub, Inc. (Microsoft) | OAuth authentication provider | US; USA (headquarters) | Used for social login. Only basic profile info retrieved for account creation. |
| Google LLC | OAuth authentication provider | US/EU; USA (headquarters) | Used for social login. Only basic profile info retrieved for account creation. |
3. AI model providers
When you use AI features with Arrowdot-provided API keys, data may be processed by third-party AI model providers. The specific providers depend on your configuration and may include:
| Subprocessor | Purpose | Location | Notes |
|---|---|---|---|
| Anthropic PBC | LLM inference (Claude models) | US/EU (per Anthropic regions); USA (headquarters) | Used only when Arrowdot supplies the API key. If customers bring their own keys (BYOK), Anthropic is the customer’s processor, not Arrowdot’s subprocessor. |
| OpenAI, L.L.C. | LLM inference (GPT models) | US/EU regional endpoints; USA (headquarters) | Only applicable if Arrowdot provides the key. BYOK means the customer has a direct relationship with OpenAI. |
| Google LLC (Gemini) | LLM inference (Gemini models) | US/EU (per Google Cloud regions); USA (headquarters) | Only applicable if Arrowdot provides the key. BYOK means the customer has a direct relationship with Google. |
| Perplexity AI, Inc. | LLM inference with web search capability | US; USA (headquarters) | Used for queries requiring real-time web information. Only applicable if Arrowdot provides the key. |
| Groq, Inc. | LLM inference (fast inference hardware) | US; USA (headquarters) | Only applicable if Arrowdot provides the key. |
When using bring-your-own-key (BYOK), you are directly responsible for compliance with those providers’ terms and data processing agreements. We act as a data processor only for data we handle on our infrastructure.
4. Updates to this list
We may update this list as we add, remove, or change subprocessors. Material changes that affect the processing of customer data will be communicated to customers in accordance with our Data Processing Addendum.
For customers with enterprise agreements, we will provide advance notice of new subprocessors with objection rights as specified in your contract.
5. Data transfer mechanisms
Where subprocessors are located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.
For questions about data transfers or to request copies of relevant agreements, contact [email protected].
6. Security and compliance
All subprocessors are required to maintain security measures consistent with industry standards and our contractual requirements. We conduct due diligence on subprocessors before engagement and monitor their security posture on an ongoing basis.
Our subprocessors are contractually bound to process data only as instructed and to implement appropriate technical and organizational measures to protect customer data.