Subprocessors

Version: 1.0

Last updated: 29 Jan 2026

Applies to: the Arrowdot platform and services

Privacy: [email protected]

Security: [email protected]

1. Introduction

This page lists the third-party subprocessors we use to provide the Arrowdot platform and services. These subprocessors may process customer data on our behalf as part of providing infrastructure, hosting, analytics, and support services.

We carefully select and monitor our subprocessors to ensure they maintain appropriate security and privacy standards consistent with our obligations under applicable data protection laws.

2. Current subprocessors

The following subprocessors are currently engaged to process customer data:

SubprocessorPurposeLocationNotes
Cloudflare, Inc.CDN, DNS, WAF, edge cachingGlobal edge network; USA (headquarters)Delivers assets, protects against abuse, and provides edge caching. Logs retained per Cloudflare policy.
Cloudflare R2Object storage for build artifacts and public assetsGlobal (Cloudflare network); USA (headquarters)Stores compiled React components and build outputs. Public bucket for asset serving.
Fly.io, Inc.Application hosting, containers, networkCustomer-selected regions (EU/UK/US); USA (headquarters)Primary runtime for Arrowdot-managed hosting infrastructure.
Stripe, Inc.Payment processing, subscriptions, Stripe Connect marketplaceUS (primary); EU data residency available; USA (headquarters)Handles subscription billing and one-time payments. Stripe Connect used for marketplace enablement. Webhook integration for billing status sync.
Amazon Web Services, Inc.S3 object storage for user uploads and exportsus-west-2 (Oregon); USA (headquarters)Primary blob storage for user file uploads and generated exports. Region-specific bucket configuration.
Functional Software, Inc. (Sentry)Error tracking and application monitoringUS (Sentry cloud); USA (headquarters)Captures application errors for debugging. Configured to minimize PII in error context.
Grafana LabsApplication metrics, logs, tracesUS or EU (customer-selected); USA/Sweden (headquarters)Grafana Cloud for system performance monitoring. Configured not to include confidential information in production.
Langfuse GmbHLLM observability, tracing, and analyticsEU (Langfuse Cloud); Germany (headquarters)Tracks LLM usage, latency, and costs. May contain prompt/completion content for debugging.
GitHub, Inc. (Microsoft)OAuth authentication providerUS; USA (headquarters)Used for social login. Only basic profile info retrieved for account creation.
Google LLCOAuth authentication providerUS/EU; USA (headquarters)Used for social login. Only basic profile info retrieved for account creation.

3. AI model providers

When you use AI features with Arrowdot-provided API keys, data may be processed by third-party AI model providers. The specific providers depend on your configuration and may include:

SubprocessorPurposeLocationNotes
Anthropic PBCLLM inference (Claude models)US/EU (per Anthropic regions); USA (headquarters)Used only when Arrowdot supplies the API key. If customers bring their own keys (BYOK), Anthropic is the customer’s processor, not Arrowdot’s subprocessor.
OpenAI, L.L.C.LLM inference (GPT models)US/EU regional endpoints; USA (headquarters)Only applicable if Arrowdot provides the key. BYOK means the customer has a direct relationship with OpenAI.
Google LLC (Gemini)LLM inference (Gemini models)US/EU (per Google Cloud regions); USA (headquarters)Only applicable if Arrowdot provides the key. BYOK means the customer has a direct relationship with Google.
Perplexity AI, Inc.LLM inference with web search capabilityUS; USA (headquarters)Used for queries requiring real-time web information. Only applicable if Arrowdot provides the key.
Groq, Inc.LLM inference (fast inference hardware)US; USA (headquarters)Only applicable if Arrowdot provides the key.

When using bring-your-own-key (BYOK), you are directly responsible for compliance with those providers’ terms and data processing agreements. We act as a data processor only for data we handle on our infrastructure.

4. Updates to this list

We may update this list as we add, remove, or change subprocessors. Material changes that affect the processing of customer data will be communicated to customers in accordance with our Data Processing Addendum.

For customers with enterprise agreements, we will provide advance notice of new subprocessors with objection rights as specified in your contract.

5. Data transfer mechanisms

Where subprocessors are located outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.

For questions about data transfers or to request copies of relevant agreements, contact [email protected].

6. Security and compliance

All subprocessors are required to maintain security measures consistent with industry standards and our contractual requirements. We conduct due diligence on subprocessors before engagement and monitor their security posture on an ongoing basis.

Our subprocessors are contractually bound to process data only as instructed and to implement appropriate technical and organizational measures to protect customer data.