Sub-Processor List

Organization: Arveo
Production URL: https://arveo.ai
Document Version: 1.0
Last Reviewed: 2026-05-19
Classification: Public — linked from Privacy Policy

Overview

Arveo Inc. uses the following sub-processors to operate its B2B AI bookkeeping platform. A sub-processor is any third party that processes personal data on behalf of Arveo and its customers. This list is maintained in accordance with GDPR Article 28(2) and CCPA disclosure obligations.

Sub-Processor Table

#	Vendor	Trust / Security Page	Purpose	Data Shared	Data Location	Last Reviewed
1	Supabase	supabase.com/security	Managed Postgres database, authentication, and object storage. Primary data store for all customer records.	Customer PII (names, email addresses), financial transaction records, encrypted QuickBooks OAuth tokens, encrypted bank tokens, client-uploaded documents, user authentication credentials	United States (AWS us-east-1)	2026-05-09
2	Vercel	vercel.com/security	Application hosting, serverless function execution, and global edge network (CDN).	Server-side request logs containing IP addresses, user-agent strings, and request paths; no persistent customer financial records stored	United States (primary); edge caches in customer-proximate regions globally	2026-05-09
3	Anthropic	trust.anthropic.com	AI inference engine for transaction categorization, financial summaries, daily briefing generation, and hierarchical knowledge learning via the Claude API. Data is processed at inference time only and is not retained for model training per Anthropic's standard API terms.	Transaction memos (text descriptions), dollar amounts, merchant names, and category labels. Account numbers, SSNs, and OAuth tokens are never included in prompts. Anonymized vendor-to-account mappings may be promoted to shared knowledge tiers (industry/global) with PII safety checks; no personal data crosses tenant boundaries.	United States	2026-05-19
4	Resend	resend.com/security	Transactional email delivery for daily financial briefings, alerts, and account notifications.	Recipient email addresses; email message body (contains financial summary data, not raw account credentials).	United States	2026-05-09
5	Twilio	twilio.com/en-us/security	SMS and WhatsApp delivery for alerts, one-time passcodes, and financial briefing notifications.	Recipient phone numbers; message body content (financial summaries and OTP codes, not full account numbers).	United States	2026-05-09
6	Slack (Salesforce)	slack.com/trust/compliance	Internal team messaging and operational workflow alerts (e.g., Sentry alert routing, backup status notifications). Slack does not receive direct customer financial data unless a team member pastes it manually, which is prohibited by policy.	Operational notification payloads (error metadata, status alerts, system identifiers).	United States	2026-05-09
7	Sentry	sentry.io/security	Application error monitoring and performance tracking across server, client, and edge runtimes. Configured with data scrubbing rules to prevent PII from appearing in error payloads.	Application stack traces, error metadata, performance metrics. PII scrubbing is enforced; financial credentials are excluded.	United States	2026-05-09
8	Intuit / QuickBooks Online	intuit.com/compliance	Source-of-truth financial data platform. Arveo connects via read-only OAuth to retrieve transaction records and account balances.	Arveo holds encrypted OAuth refresh tokens only. Intuit holds the underlying financial transaction records; Arveo retrieves and processes them via the QuickBooks API.	United States	2026-05-09
9	GitHub	github.com/security	Source code repository and CI/CD pipeline. No customer data is stored in the repository. Secret scanning is enforced to prevent accidental credential commits.	Application source code, configuration files, infrastructure-as-code. No customer PII or financial records.	United States	2026-05-09
10	Cloudflare	cloudflare.com/trust-hub	CDN, DDoS mitigation, and DNS services, either directly or via Vercel's infrastructure.	Anonymized request metadata, IP addresses, DNS query logs. No persistent customer financial records.	Global (anycast; primarily United States)	2026-05-09
11	ServiceTitan	security.servicetitan.com	Vertical-specific integration for tenants in the home-services sector. Job records, technician data, and work order details are accessed only for tenants that have explicitly activated the ServiceTitan integration.	Customer names, contact information, job records, and work order details — scoped to tenants with active ServiceTitan integration only.	United States	2026-05-09
12	fal.ai	trust.fal.ai	AI media inference for any tenant-facing generative AI feature. API payloads may include user-provided content. No persistent storage per fal.ai enterprise terms.	User-provided content in API request payloads, scoped to active generative AI feature usage.	United States	2026-05-09

Sub-Processor Change Notification

Arveo Inc. will notify customers by email at least 30 days before adding a new sub-processor that will process their personal data or financial records. Notification is sent to the primary account email address on file for each affected customer.

Customers who have objections to a newly added sub-processor may contact privacy@arveo.ai within the 30-day notice window. We will work with objecting customers to find a resolution, which may include data isolation measures or, where technically feasible, processing without the proposed sub-processor.

Removed Sub-Processors

Vendor	Removal Date	Reason
(none to date)	—	—

Contact

For questions regarding this sub-processor list or Arveo's data processing practices:

Privacy inquiries: privacy@arveo.ai
Security inquiries: security@arveo.ai
Arveo Inc. — Boca Raton, FL