Raised Beef AI, LLC engages the third parties listed below to help operate the Arbor Service. Each subprocessor is bound by written contract to protect Personal Data on terms no less protective than those in our Data Processing Addendum. We will inform customers of any additions or replacements at least 30 days in advance.
To receive notifications of subprocessor changes, email privacy@arbor.app with the subject line "Subscribe — subprocessor updates".
Active subprocessors
| Name | Purpose | Data accessed | Location | Compliance |
|---|---|---|---|---|
| Supabase, Inc. | Hosted Postgres database, authentication, file storage | All Customer Data; auth records (email, hashed password, MFA factors); audit log; storage objects | United States (us-east-1 by default) | SOC 2 Type II; HIPAA-eligible add-on; GDPR-aligned |
| Vercel, Inc. | Application hosting, edge network, custom-domain TLS | Request metadata (URL, IP, user-agent), runtime logs (no Customer Data persisted); domain DNS configuration | United States (global edge) | SOC 2 Type II; HIPAA-eligible add-on |
| Resend, Inc. | Transactional email delivery (invitations, notifications) | Recipient email address; email subject + HTML/text body | United States | SOC 2 Type II |
| Drata, Inc. | SOC 2 compliance automation and evidence collection | Read-only metadata from Vercel, Supabase, GitHub for evidence collection only — no Customer Data | United States | SOC 2 Type II |
| GitHub, Inc. | Source code hosting and CI/CD | Source code (no Customer Data) | United States | SOC 2 Type II |
Notification of changes
At least 30 days before adding or replacing a subprocessor that processes Customer Data, we will (a) update this page, (b) email the change to billing/admin contacts on every active organization, and (c) email subscribers per above. Customers may object on reasonable data-protection grounds within 14 days of notice; if the objection cannot be resolved, the customer may terminate the affected portion of the Service for convenience.
Last updated
2026-05-10