Ars Lex Associate — Subprocessor List
Document version: 2026-05-15. This page is the canonical published Subprocessor List for Ars Lex Associate. It is referenced by Terms of Service §14 ("Subprocessors") and by our Privacy Policy. Operating entity: ARSLEX LC (Wyoming LLC).
Overview
A "Subprocessor" is a third-party service provider engaged by ARSLEX LC to process customer data on our behalf in order to deliver the Service. The list below identifies every Subprocessor that may process Your Content or account data, the category of data involved, the processing purpose, and the data-residency region.
This list is a living document. Material additions or substitutions will be communicated under Section 14 of the Terms of Service with the notice period specified there. The current version is always available at arslex.ai/subprocessors.
A. Subprocessors that process Customer Content or personal data
These Subprocessors are governed by a Data Processing Addendum (DPA) or equivalent contractual data-protection commitments.
| # | Subprocessor | Service / role | Data categories | Processing purpose | Region |
|---|---|---|---|---|---|
| 1 | Amazon Web Services, Inc. | Hosting (EC2), managed PostgreSQL (RDS), block storage (EBS), backup/snapshot storage, DNS health monitoring (Route 53), operational logs (CloudWatch) | Customer Content (documents, depositions, complaints, generated work product), account data (names, emails, role memberships, project/matter/client records), subscription metadata, ephemeral processing artifacts | Primary hosting and storage for the entire Service. All Customer Content and all personal data at rest live within AWS infrastructure. | us-east-2 (Ohio) — primary; us-east-1 (N. Virginia) for SES/Route 53 control plane |
| 2 | OpenAI, L.L.C. | Large-language-model inference; embeddings | Text chunks from uploaded documents (for embeddings and retrieval-augmented generation); user prompts; system prompts derived from Customer Content | LLM-based citation extraction, deposition digestion, brief generation, complaint allegation classification, embedding generation. Training opt-out is the default for API customers under OpenAI's enterprise-API data-usage policy (effective March 2023 onward); ARSLEX LC does not opt in to model training. API inputs and outputs are retained by OpenAI for up to 30 days for abuse monitoring and then deleted, unless ARSLEX LC has Zero-Data-Retention (ZDR) status with OpenAI. | United States |
| 3 | Resend, Inc. | Transactional email delivery | Email recipient address, sender display name, email subject, email body (containing TOS-related notices, password resets, verification links, billing receipts) | Outbound transactional email (verification, password reset, MFA codes, billing receipts, security notices). No bulk/marketing email. | United States |
| 4 | Stripe, Inc. | Payment processing; subscription billing | Cardholder data (collected directly by Stripe's PCI-DSS Level 1 environment — ARSLEX LC does not see or store card data), billing address, customer email, subscription metadata, invoice records | Subscription billing, payment authorization, dunning. Stripe is a PCI-DSS Level 1 service provider. | United States; data residency follows Stripe's standard placement |
| 5 | Microsoft Corporation (Microsoft 365 Business Basic) | Inbound and outbound email for legal@arslex.ai, admin@arslex.ai, and similar role aliases |
Email content of inbound customer-support, legal, and DMCA correspondence; outbound replies from ARSLEX LC personnel | Operational and legal correspondence with Customers, copyright holders, and counsel. Mail routed via Microsoft Exchange Online. | United States (primary tenant region) |
B. Third-party services that do NOT process Customer Content or personal data
These services are part of our operational stack but do not process Customer Content or personal data in the GDPR Article 28 sense. They are listed here for full transparency.
| # | Service | Role | Why not a Subprocessor |
|---|---|---|---|
| 6 | Microsoft Corporation (AppSource / Partner Center) | Distribution channel for the Word Add-in | Microsoft handles installation telemetry between end-users and Microsoft; ARSLEX LC does not transmit Customer Content to AppSource. |
| 7 | Vercel Inc. | Static frontend hosting (HTML/CSS/JS for word.arslex.ai and the marketing site at arslex.ai) |
Vercel serves static assets only. No Customer Content, account credentials, or personal data is stored on or processed by Vercel infrastructure. All Service API traffic goes directly from the user's browser/Word client to api.arslex.ai (AWS). |
| 8 | Porkbun LLC | Domain registrar; authoritative DNS for arslex.ai and related domains |
Registrar and DNS resolution only. Porkbun does not process Customer Content or routed email content (mail flow goes through Microsoft 365 and Resend per the MX/SPF configuration documented in our operations runbook). |
C. Notes on data flow
For evidentiary clarity:
- Customer Content at rest: lives in AWS RDS (relational records about Customer's documents — names, metadata, project associations) and in self-hosted Qdrant (vector embeddings + chunk text) running on AWS EBS-backed storage within the same AWS account.
- Customer Content in transit to inference: sent over TLS to OpenAI's API endpoint solely for the purpose of producing the AI-derived output requested by the Customer. Per our OpenAI API configuration, inputs and outputs are not used to train OpenAI models and are retained by OpenAI for up to 30 days for abuse monitoring, after which they are deleted from OpenAI systems. We will revise this section if and when ARSLEX LC obtains formal Zero-Data-Retention (ZDR) status from OpenAI.
- Authentication metadata: session tokens are minted by the Service and stored in the user's browser/Word client (
sessionStorage/ in-memory) per the §12 / §4b auth architecture; no Subprocessor sees raw session secrets. - Payment data: entered by the Customer directly into Stripe-hosted UI elements. ARSLEX LC never receives or stores raw card data; we receive only the subscription ID, customer ID, and last-four-of-card metadata.
D. Notice of changes
Per Terms of Service §14:
- ARSLEX LC will provide reasonable advance written notice (via the email address on the Customer's account or via in-product notice) before adding a Subprocessor that materially expands the categories of data processed or the geographic region of processing.
- A Customer may object to a new Subprocessor by following the procedure described in the Terms of Service §14.
- This document's version date at the top of the page is the authoritative version reference.
E. Contact
For Subprocessor-related questions, including DPA requests, sub-processor notice preferences, and inquiries from Customer counsel:
Email: legal@arslex.ai
Mailing address:
ARSLEX LC
30 N Gould St Ste R
Sheridan, WY 82801
United States