Subprocessor List
Last Updated: March 22, 2026
Contact: [email protected]
This document lists all third-party subprocessors authorized to process personal data on behalf of Arcova OS customers. This list is referenced by and forms part of the Data Processing Agreement ("DPA") between CT Software, LLC and the customer.
Current Subprocessors
Infrastructure and Hosting
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Netcup GmbH | VPS hosting (primary application servers and databases) | All platform data including employee PII, operational records, authentication data, and system logs | Germany (EU) | ISO 27001 |
| Amazon Web Services (AWS) S3 | File and document storage | Uploaded files including incident report photos, employee documents, credential scans, and exported reports | US (us-east-1) | SOC 1/2/3, ISO 27001, PCI DSS, FedRAMP |
Payments
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing, and tenant payouts via Stripe Connect | Billing contact information, invoice amounts, payment method tokens (Arcova does not store raw card numbers) | United States | PCI DSS Level 1, SOC 1/2, ISO 27001 |
Communications
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Resend, Inc. | Transactional email delivery (notifications, password resets, reports, alerts) | Recipient email addresses, email subject lines, email body content | United States | SOC 2 Type II |
AI and Machine Learning
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| OpenAI, Inc. | AI assistant (IRIS) operations including natural language query processing and response generation | PII-masked contextual data, user queries, and AI-generated responses. PII is stripped before transmission. OpenAI retains API data for up to 30 days for abuse monitoring only. API data is not used for model training. | United States | SOC 2 Type II |
| OpenRouter, Inc. | Embedding generation for semantic search and contextual features | PII-masked text content for vector embedding generation. Data is not used for model training. | United States | -- |
Push Notifications
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Apple Inc. (APNs) | Push notification delivery to iOS/macOS devices | Device tokens, notification payload content (titles, messages) | United States | ISO 27001, SOC 2 |
| Google LLC (FCM) | Push notification delivery to Android and web (Chrome) devices | Device tokens, notification payload content (titles, messages) | United States | SOC 1/2/3, ISO 27001, FedRAMP |
| Mozilla Corporation | Push notification delivery to Firefox browser | Push endpoint URLs, notification payload content | United States | -- |
| Microsoft Corporation (WNS) | Push notification delivery to Edge browser and Windows devices | Channel URIs, notification payload content | United States | SOC 1/2, ISO 27001 |
| Samsung Electronics Co., Ltd. | Push notification delivery to Samsung Internet browser | Device tokens, notification payload content | South Korea | ISO 27001 |
Mapping and Geolocation
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Google LLC (Google Maps Platform) | Map rendering and geolocation services (where configured by customer) | Latitude/longitude coordinates, address queries, map viewport data | United States | SOC 1/2/3, ISO 27001, FedRAMP |
| OpenStreetMap Foundation / Nominatim | Geocoding and reverse geocoding (address-to-coordinate resolution) | Address strings, latitude/longitude coordinates | International (open infrastructure) | Open-source; no commercial certification |
Content Delivery and Fonts
| Subprocessor | Purpose | Data Processed | Location | Security Certifications |
|---|---|---|---|---|
| Cloudflare, Inc. (cdnjs) | CDN delivery of front-end JavaScript libraries | End-user IP addresses, browser metadata (via standard HTTP requests) | Global (Anycast) | SOC 2 Type II, ISO 27001, PCI DSS |
| BunnyWay d.o.o. (Bunny Fonts) | Privacy-respecting web font delivery | End-user IP addresses (not logged per Bunny Fonts privacy policy), browser metadata | Global (EU-based) | GDPR compliant; no IP logging |
Notification of Changes
Arcova will notify customers of any changes to this Subprocessor List as follows:
- Email Notification. Arcova will send written notice to the email address of the customer's designated account administrator at least thirty (30) days before a new subprocessor begins processing personal data or an existing subprocessor is replaced.
- Updated List. This document will be updated to reflect the change, including the new subprocessor's name, purpose, data processed, location, and known certifications.
- Advance Notice Period. The thirty (30) day notice period begins on the date the notification email is sent. Customers may review and object during this period.
Objection Process
If a customer objects to a new or replacement subprocessor, the following process applies:
1. Written Objection. The customer must submit a written objection to [email protected] within fifteen (15) days of receiving the change notification. The objection must include specific, reasonable grounds relating to data protection.
2. Good Faith Resolution. Arcova will work with the customer in good faith to address the concerns. This may include providing additional information about the subprocessor's data protection practices, implementing additional safeguards, or exploring alternative subprocessors.
3. Resolution Period. The parties will attempt to resolve the objection within thirty (30) days. During this period, Arcova will not engage the objected-to subprocessor for that customer's data.
4. Termination Right. If the parties cannot reach a resolution within thirty (30) days, either party may terminate the affected portion of the service (or the agreement in its entirety if the subprocessor is integral to the service) without penalty, in accordance with the DPA.
Questions
For questions about this Subprocessor List or Arcova's data processing practices, contact:
CT Software, LLC (dba Arcova / Arcova OS)
Privacy inquiries: [email protected]
Legal inquiries: [email protected]