Arx relies on a small, carefully chosen set of subprocessors to provide the Service. This page lists them, what they do, what categories of data they process, and where they process it. It is published as a public commitment and is updated whenever the list changes.
All subprocessors are bound by a written data-processing agreement and are selected for their security posture, contractual protections, and minimum-access footprint. Where a subprocessor is marked OPTIONAL, it is only engaged for a specific feature you choose to enable — for example, the Google integration is only engaged once you connect Gmail or Calendar in Settings → Integrations.
These subprocessors are engaged for every Arx customer; the Service cannot operate without them.
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
| Supabase | Managed PostgreSQL database, authentication, and object storage (data room and deck files). | All workspace data: account, company profile, cap table, SAFEs, investor records, updates, data-room and deck files, audit logs. | US (primary) · EU options available |
| Vercel | Hosting for the marketing site and authenticated web application. | Request metadata (IP, user agent, paths), session cookies, deployment logs. No customer content stored. | US (global edge) |
| Railway | Hosting for the API and background workers. | Application logs and runtime metrics. Transient processing of any data passed through API endpoints. | US |
| Stripe | Payment processing and customer-portal billing. | Billing identity, payment-method tokens, invoices, subscription state. Arx never sees full card numbers. | US |
| Resend | Transactional email delivery (sign-up, password reset, deck-view notifications, weekly digest, fallback investor-update sender). | Recipient email address, sender identity, message content. | US |
These subprocessors receive prompts and tool-call results when you use Arx's AI features. Each is governed by Arx's API agreement with the provider, which excludes customer content from being used to train foundation models. You can disable categories of context at Settings → Account → AI access.
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
| Anthropic OPTIONAL | Primary AI model inference for Ask Arx and MCP tool calls. | Your prompts, conversation history within the workspace, and the relevant tool-call results selected by your Settings → Account → AI access toggles. | US |
| OpenAI OPTIONAL | Fallback AI inference and embeddings for the Resources Field guide. | Prompts and tool-call results when used as fallback; embeddings of the public Resources CMS content. | US |
| Perplexity OPTIONAL | Weekly competitor and industry news search (Settings → News). Separate from Ask Arx and MCP. | Company name, public description, category keywords, and competitor names. Cap-table, SAFEs, investor PII, and data-room contents are not sent. | US |
These subprocessors are only engaged for individual customers who connect the relevant integration. Connecting and disconnecting them is controlled in Settings → Integrations; on disconnect we delete the OAuth tokens we hold and stop sending the provider any further requests.
| Provider | Purpose | Data categories | Region |
|---|---|---|---|
| Google (Workspace APIs) OPTIONAL | Send investor updates from your own Gmail address and (optionally) read reply threads; show Calendar availability for bookings. | Email addresses, OAuth tokens (encrypted at rest), message content of updates you send and of reply threads when enabled, calendar events you choose to expose. | US |
| Zoom OPTIONAL | Create Zoom meetings on your behalf when a booking is scheduled. | OAuth tokens (encrypted at rest), meeting metadata (topic, time, join URL). | US |
| Slack OPTIONAL | Workspace notifications and the Arx Slack app (App Home, scheduled summaries). | OAuth tokens (encrypted at rest), channel and user IDs, notification message content. | US |
| Cloudflare OPTIONAL | DNS, edge caching, and DDoS mitigation in front of public hosts. | Request metadata at the edge. No customer content stored. | US (global edge) |
Arx primarily processes data in the United States. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the transfer is covered by Standard Contractual Clauses or an equivalent transfer mechanism. The UK International Data Transfer Addendum is used for transfers from the UK. Supabase offers EU-region projects on request for customers with EU data-residency requirements.
We commit to giving customers advance notice of any new subprocessor that will process customer personal data. Notice is sent by email to the account owner and posted on this page at least 30 days before the new subprocessor becomes effective. If you object, you may terminate your subscription before the change takes effect and request export and deletion of your workspace data in accordance with the Terms of Service.
This page is provided for transparency. It is not legal advice. Specific contractual terms, including DPAs and sub-processor flow-down obligations, apply to enterprise customers.