Last reviewed: 2026-05-26. Review cadence: On every subprocessor add, remove, or scope change; otherwise annual.
A subprocessor is any third party that processes personal data on our behalf to deliver the ReplyArc service. This page is the public, complete list. If we add a new subprocessor, controllers are notified under the 30-day notice policy at the bottom of this page.
Active subprocessors
| Vendor | Service | Data shared | Region |
|---|---|---|---|
| Render | Application hosting and managed Postgres (the install database lives here). | All install data is stored in Render Postgres and processed by Render compute. | United States (us-east). |
| Vercel | Frontend hosting and CDN edge for the install web app. | Static assets and request metadata at the edge. No database queries. | Global edge (Vercel-managed). |
| Anthropic | Claude API — reply drafting, classification, and other AI inference invoked by the workspace. | The message text sent for the specific inference call. The operator's BYOK API key authenticates the request. | United States. |
| Resend | Transactional email delivery (account verification, password reset, security notices, system notifications). | Recipient email address and the full transactional message body for each send. | United States. |
| Email Bison | Outbound campaign email infrastructure when configured. | Prospect email address, sender identity, full message content, deliverability events. | Per the Email Bison deployment chosen by the operator. |
| Instantly | Outbound campaign email infrastructure when configured. | Prospect email address, sender identity, full message content, deliverability events. | Per Instantly's hosting regions. |
| HubSpot | CRM sync (only when the workspace connects HubSpot). | Prospect and engagement records the workspace chooses to sync. | Per HubSpot's hosting regions. |
| Salesforce | CRM sync (only when the workspace connects Salesforce). | Prospect and engagement records the workspace chooses to sync. | Per Salesforce's hosting regions. |
| Attio | CRM sync (only when the workspace connects Attio). | Prospect and engagement records the workspace chooses to sync. | Per Attio's hosting regions. |
| GoHighLevel | CRM sync (only when the workspace connects GoHighLevel). | Prospect and engagement records the workspace chooses to sync. | Per GoHighLevel's hosting regions. |
| Clay | Enrichment lookups (only when the workspace connects Clay and the operator brings their own Clay key). | Prospect identifier (typically email or company domain) sent for enrichment. | United States. |
| Apollo | Enrichment lookups (only when the workspace connects Apollo). | Prospect identifier sent for enrichment. | United States. |
| Prospeo | Enrichment lookups (only when the workspace connects Prospeo). | Prospect identifier sent for enrichment. | Per Prospeo's hosting regions. |
| Cal.com | Meeting booking embeds and webhooks (only when the workspace configures Cal.com). | Calendar availability and booking metadata. | Per Cal.com's hosting regions. |
| Calendly | Meeting booking embeds and webhooks (only when the workspace configures Calendly). | Calendar availability and booking metadata. | Per Calendly's hosting regions. |
| Sentry | Error tracking (when the install wires SENTRY_DSN). |
Stack traces, exception messages, request metadata. Configured to scrub PII; no request/response bodies are sent. | United States or EU per SENTRY_DSN. |
| Cloudflare | DNS and CDN in front of Render. | Request metadata (IP, path, response code) at the edge. No payload inspection. | Global edge. |
| Slack | Slack integration (only when the workspace connects a Slack workspace). | Message metadata routed between Slack and the install per the workspace's configuration. | United States or EU per Slack workspace settings. |
| PostHog | Product analytics on the marketing site (replyarc.com only). Loads only after explicit cookie consent. | Page views, referrer, UTM tags, anonymized event properties. No session recording, no autocapture, no person profiles for anonymous visitors. Proxied through /api/posthog for first-party cookies. |
European Union (eu.i.posthog.com). |
Conditional vs always-on
- Always-on for every install: Render, Vercel, Resend, Cloudflare.
- Always-on if Sentry is wired: Sentry.
- Always-on if AI features are used: Anthropic.
- One of two, install-configured: Email Bison or Instantly (only one is active per install).
- Conditional on the workspace connecting it: HubSpot, Salesforce, Attio, GoHighLevel, Clay, Apollo, Prospeo, Cal.com, Calendly, Slack.
- Marketing site only, consent-gated: PostHog. Loaded only after the visitor accepts the cookie banner on replyarc.com.
Controllers who do not enable a conditional integration do not have their data sent to that vendor.
Notification policy for subprocessor changes
We commit to:
- 30 days' notice before adding or replacing any subprocessor that processes personal data, via in-app notification and email to the workspace owner.
- Immediate notice — within 7 days — for emergency replacements (e.g., a current subprocessor suffers a critical incident and we cannot wait 30 days to migrate).
- A documented right to object. Controllers who object to a new subprocessor on reasonable data-protection grounds may terminate the affected service and receive a pro-rated refund. The objection process is described in the DPA.
- A current, versioned copy of this page. Each change ships with a Git commit and a "Last reviewed" date update.
Contact
Questions, objections, or DPA requests: privacy@replyarc.com.