Arbol Artificial Intelligence, Inc. ("Arbol AI," "we," "us," or "our") uses certain third-party service providers ("Sub-Processors") to assist in providing our AI-powered voice communication platform (the "Services"). This page provides information about the Sub-Processors we use to process Customer Data.
For purposes of this document:
"Customer Data" means any data that our customers upload, transmit, or otherwise provide through our Services, including contact information, call recordings, transcripts, and related data.
"Sub-Processor" means any third party engaged by Arbol AI to process Customer Data on behalf of our customers.
Our Commitment
All Sub-Processors are:
Contractually bound to protect Customer Data through Data Processing Agreements
Required to maintain appropriate security certifications (SOC 2 Type II, ISO 27001, or equivalent)
Prohibited from using Customer Data for any purpose other than providing services to Arbol AI
Located in the United States with data processing occurring within U.S. borders
Subject to regular security reviews by Arbol AI
Current Sub-Processors
Infrastructure & Hosting
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Vercel, Inc. | Application hosting, serverless functions, edge network | Application code, request logs, IP addresses | United States | SOC 2 Type II |
Amazon Web Services, Inc. | Cloud infrastructure, data storage, computing, backups | All Customer Data, system logs, backups | United States | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI DSS |
Authentication & Identity
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Clerk, Inc. | User authentication, identity management, session handling | User email addresses, names, passwords (hashed), session tokens, MFA data | United States | SOC 2 Type II |
Database & Data Management
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Prisma Data, Inc. | Database ORM, connection management | All stored application data | United States | SOC 2 Type II |
Voice & Telephony
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Twilio, Inc. | Voice calls, SMS messaging, phone number provisioning | Call recordings, call metadata (duration, timestamps, phone numbers), SMS content, phone numbers | United States | SOC 2 Type II, ISO 27001, PCI DSS, HIPAA (with BAA) |
AI & Machine Learning
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
OpenAI, Inc. | Large language model processing for AI Employees | Conversation transcripts, prompts, AI-generated responses | United States | SOC 2 Type II |
Note on AI Data Processing: OpenAI processes conversation data solely to generate AI responses. Per our agreement with OpenAI, Customer Data is not used to train OpenAI's models. Data is processed in real-time and is not retained by OpenAI beyond the immediate request.
Payment Processing
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Stripe, Inc. | Payment processing, subscription management, invoicing | Billing contact information, payment method details (tokenized), transaction history, invoices | United States | PCI DSS Level 1, SOC 2 Type II, ISO 27001 |
Note on Payment Data: Arbol AI does not store complete credit card numbers. All payment card data is tokenized and processed directly by Stripe in their PCI-compliant environment.
Email & Communications
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Resend, Inc. | Transactional email delivery | Email addresses, email subject lines, email content, delivery status | United States | SOC 2 Type II |
Security & Performance
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Cloudflare, Inc. | CDN, DDoS protection, WAF, DNS | IP addresses, request headers, traffic data, security events | United States | SOC 2 Type II, ISO 27001, PCI DSS |
Analytics & Monitoring
Sub-Processor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
Google LLC | Website and application analytics (Google Analytics) | Anonymized usage data, page views, session duration, device/browser info, IP addresses (anonymized) | United States | SOC 2 Type II, ISO 27001 |
Functional Software, Inc. (Sentry) | Error tracking, performance monitoring, debugging | Error logs, stack traces, device information, user actions leading to errors | United States | SOC 2 Type II |
Sub-Processor Categories Summary
Category | Sub-Processors | Primary Use |
|---|---|---|
Infrastructure | Vercel, AWS | Hosting, storage, computing |
Authentication | Clerk | User identity and access |
Database | Prisma | Data management |
Telephony | Twilio | Voice and SMS |
AI Processing | OpenAI | Language model services |
Payments | Stripe | Billing and subscriptions |
Resend | Transactional communications | |
Security | Cloudflare | Protection and performance |
Analytics | Google, Sentry | Usage analytics, error tracking |
Sub-Processor Requirements
All Sub-Processors engaged by Arbol AI must meet the following requirements:
Security Standards
Maintain SOC 2 Type II certification or equivalent
Implement encryption for data at rest (AES-256 or equivalent)
Implement encryption for data in transit (TLS 1.2+)
Maintain documented security policies and procedures
Conduct regular security assessments and penetration testing
Contractual Obligations
Execute a Data Processing Agreement (DPA) with Arbol AI
Process Customer Data only as instructed by Arbol AI
Implement appropriate technical and organizational measures
Assist with data subject requests and regulatory compliance
Notify Arbol AI of security incidents within 24-72 hours
Delete or return Customer Data upon termination
Data Location
All data processing must occur within the United States
No transfer of Customer Data outside the United States without explicit authorization
Audit Rights
Provide audit reports (SOC 2, penetration tests) upon request
Allow security assessments by Arbol AI or authorized third parties
Changes to Sub-Processors
Notification Process
Arbol AI may update this list of Sub-Processors from time to time. When we add a new Sub-Processor that processes Customer Data, we will:
Update this page with the new Sub-Processor information
Notify customers via email at least 30 days before the new Sub-Processor begins processing Customer Data
Provide opportunity to object if the change materially impacts data processing
Customer Objection Rights
If you have a legitimate objection to a new Sub-Processor, you may:
Contact us at privacy@getarbol.com within 30 days of notification
Provide specific, documented reasons for your objection
Work with us to address your concerns
If we cannot address your concerns, you may terminate your subscription in accordance with our Terms of Service.
Subscribing to Updates
To receive notifications about Sub-Processor changes:
Email: Contact privacy@getarbol.com to subscribe to Sub-Processor updates
Dashboard: Sub-Processor change notifications are posted in your account dashboard
Data Processing Locations
All Sub-Processors process Customer Data exclusively within the United States:
Region | Sub-Processors | Data Centers |
|---|---|---|
United States (Primary) | All Sub-Processors | AWS US-East, US-West; Vercel Edge US; Cloudflare US |
Frequently Asked Questions
Does Arbol AI use any Sub-Processors outside the United States?
No. All of our Sub-Processors are U.S.-based companies that process data within the United States. We do not transfer Customer Data outside the U.S.
How does Arbol AI ensure Sub-Processor security?
We require all Sub-Processors to maintain SOC 2 Type II certification or equivalent, sign Data Processing Agreements, and undergo regular security reviews. We also monitor their security posture and require incident notification.
Can I opt out of specific Sub-Processors?
Our Services require the use of certain Sub-Processors to function. However, you can object to new Sub-Processors within 30 days of notification. Contact privacy@getarbol.com to discuss your specific requirements.
Is my data used to train AI models?
No. We have agreements with our AI Sub-Processors (OpenAI) that prohibit the use of Customer Data for model training. Your data is processed solely to provide AI responses and is not retained for training purposes.
How long do Sub-Processors retain my data?
Sub-Processors retain Customer Data only as long as necessary to provide services to Arbol AI. Upon termination of our relationship with a Sub-Processor, they are required to delete or return all Customer Data.
Where can I find Sub-Processor security certifications?
Security certifications for each Sub-Processor are listed in the tables above. For detailed audit reports, please contact privacy@getarbol.com.
Contact Information
For questions about our Sub-Processors or data processing practices:
Email: privacy@getarbol.com
Address: Arbol Artificial Intelligence, Inc. Attn: Privacy & Security 131 Continental Dr, Suite 305 Newark, DE 19713 United States