Last updated: April 19, 2026
Arctik uses the following third-party services ("sub-processors") to deliver our platform. Each sub-processor is bound by contractual data protection commitments. We notify customers at least 30 days before engaging any new sub-processor that processes personal data, in accordance with our Privacy Policy.
| Sub-Processor | Purpose | Data Processed | Region |
|---|---|---|---|
| Vercel Inc. | Application hosting and content delivery | All application traffic, including authentication tokens and request metadata | United States |
| Supabase Inc. | Authentication, database, and file storage | User account information, profile data, audit results, chat sessions, encrypted OAuth tokens | United States |
| Anthropic, PBC | AI Copilot and AI-powered audit recommendations | Audit results and conversational messages sent to the Claude API for AI responses. Anthropic does not train models on this data. | United States |
| HubSpot Inc. | Source CRM platform via OAuth integration | Read-only access to your portal data via your OAuth grants. We retrieve data; HubSpot stores it. | United States |
| Stripe, Inc. | Payment processing and subscription billing | Customer name, email, billing address, payment method details (handled directly by Stripe — we never store card numbers) | United States |
| Resend Inc. | Transactional email delivery (signup confirmations, password resets, billing notifications) | Recipient email address, email content, delivery metadata | United States |
| Google LLC (Workspace) | Receiving inbound email at @arctikhq.com addresses (support, legal, privacy, security) | Email content sent to Arctik staff | United States |
| Cloudflare, Inc. | DNS and domain registration | DNS query metadata. Cloudflare is not a proxy/CDN for application traffic — Vercel handles all application requests directly. | United States |
| Upstash, Inc. | Rate limiting and ephemeral key-value storage | Anonymized rate-limit counters keyed by IP address or user ID. No personal content stored. | United States |
We will update this page and notify users by email at least 30 days before engaging any new sub-processor that processes personal data. Customers who object to a new sub-processor may terminate their account before the change takes effect.
Enterprise customers and organizations subject to GDPR or other data protection regulations may request a Data Processing Agreement (DPA) at privacy@arctikhq.com.
For questions about our sub-processors or data handling, contact privacy@arctikhq.com.