Legal
Subprocessor List
Overview
In accordance with our Data Processing Agreement and applicable data protection laws, ARX QM Holdings, Inc. (“ARX”) maintains this list of third-party sub-processors that may process personal data on behalf of our customers in connection with the Services.
We provide at least 30 days’ notice before engaging a new sub-processor. If you are a customer subject to our DPA and wish to receive notifications of sub-processor changes, please subscribe by emailing privacy@arxqm.com with the subject line “Sub-processor Notifications.”
Infrastructure Sub-processors
These sub-processors provide core hosting, compute, and storage infrastructure for our Services.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (GCP) | Cloud hosting, compute (Cloud Run), database (AlloyDB, Firestore), AI/ML (Vertex AI), secrets management | United States |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, WAF, bot management, edge security | Global (edge network) |
| Firebase (Google) | Authentication, user identity management | United States |
Application Sub-processors
These sub-processors support specific platform functionality and customer-facing features.
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Cloudflare Turnstile | Bot verification, CAPTCHA alternative | Global (edge network) |
Analytics Sub-processors
These sub-processors are used only when the user has consented to analytics cookies.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Analytics (Google LLC) | Website usage analytics (consent-gated) | United States |
Changes to This List
This page is updated whenever we add, remove, or change a sub-processor. The “Last Updated” date at the top of the page reflects the most recent change. Customers with active DPAs will receive email notifications at least 30 days before a new sub-processor begins processing personal data.
Objections
If you are a customer subject to our DPA and object to a new sub-processor on reasonable data protection grounds, please contact us within 30 days of the notification at privacy@arxqm.com. We will work with you to find an acceptable resolution, which may include offering an alternative sub-processor or, if no alternative is available, allowing you to terminate the affected Services.