OfferReady· Legal

Transparency

Customer-facing document

Subprocessors & Security Overview

v2.0 · Effective July 3, 2026

Effective July 3, 2026. This document is provided by OfferReady, a Florida limited liability company. It is informational and is not legal advice.

This overview provides transparency about the categories of third-party subprocessors OfferReady uses to operate the Platform and describes OfferReady’s security practices at the category level.

OfferReady, a Florida limited liability company (“OfferReady”), uses a small set of third-party subprocessors to operate the OfferReady platform. This document describes those subprocessor categories and OfferReady’s security practices at the category level.

It is informational; it does not itself create contractual commitments beyond those in the Terms of Service or an executed Data Processing Addendum, which control.

What this does

  • Lists subprocessor categories, vendors, data processed, and locations where evidenced in the current application build or verified deployment facts.
  • Describes security practices at the practice level: encryption, access controls, application permissioning, data retention, and incident response.
  • States that Platform data is primarily stored and processed in the United States.
  • Explains how subprocessor changes are communicated, including the DPA’s notice-and-objection mechanism for enterprise customers.

What this does NOT do

  • It does not itself create contractual commitments beyond those in the Terms of Service or an executed DPA, which control.
  • It does not assert SOC 2, ISO 27001, or similar certifications; none are asserted as of the effective date.
  • It does not assert any certification, audit, or specific control not listed in the document.

Full document text

1. PURPOSE

1.1 This document provides transparency about (a) the categories of third-party subprocessors OfferReady, a Florida limited liability company (“OfferReady”) uses to operate the OfferReady platform (the “Platform”), and (b) OfferReady’s security practices at the category level. It is informational; it does not itself create contractual commitments beyond those in the Terms of Service or an executed Data Processing Addendum (“DPA”), which control.

2. SUBPROCESSOR CATEGORIES

2.1 OfferReady uses subprocessors in the following categories. Named vendors are listed only where evidenced in the current application build or in verified deployment facts.

Integrations that are installed but disabled in production (currently: PostHog analytics, Sentry error monitoring, SMS, and inbound-email processing, per the deployed build’s runtime configuration) are not active subprocessors and are listed prospectively where relevant.

CategoryFunctionVendor(s)Data processedLocation
Cloud hosting & infrastructureApplication hosting, storage, databases, authenticationGoogle Cloud / Firebase (App Hosting, Firestore, Authentication)Platform data, including personal dataUnited States (primary)
Payment processingSubscription billingStripePayment and billing data (card data is handled by Stripe; OfferReady does not store card numbers)United States
AI processingRecaps, drafts, summariesOpenRouter and the model providers it routes to (AI drafting); Deepgram (voice transcription)Content submitted to AI featuresUnited States (primary)
CommunicationsTransactional emailResendContact details, message contentUnited States. No SMS vendor is currently engaged (SMS features are disabled in production)
Bot protection & securityBot and abuse protection on public formsCloudflare (Turnstile)Request metadata and device signals used for bot detectionUnited States (global edge network)
AnalyticsProduct usage analyticsPostHog — SDK installed but disabled in production; not currently active. Would activate only if analytics launch, together with the consent banner required by the Cookie & Tracking NoticeUsage events, device data (if activated)United States (if activated)
Error monitoring & loggingReliability and debuggingGoogle Cloud (platform logging included in the hosting infrastructure)Technical logs, may incidentally include personal dataUnited States (primary)

3. SECURITY OVERVIEW

The following describes OfferReady’s security practices at the practice level. OfferReady does not assert any certification, audit, or specific control not listed here.

3.1 Encryption. Data is encrypted in transit using TLS/HTTPS and at rest using the encryption Google Cloud provides by default across OfferReady’s hosting infrastructure.

3.2 Access controls. Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis and protected by authentication controls. Access is reviewed periodically.

3.3 Application permissioning. The Platform enforces role- and scope-based access (accounts, brokerage admin roles, scoped collaborators) so users see only data within their permission scope.

3.4 Data retention. Personal data is retained for as long as needed to provide the Platform and meet legal obligations, then deleted or de-identified per the Privacy Policy and, for enterprise customers, the DPA.

3.5 Certifications. OfferReady does not currently assert SOC 2, ISO 27001, or similar certifications. Only certifications actually held will be listed here; none are asserted as of the date above.

4. DATA LOCATION

4.1 Platform data is primarily stored and processed in the United States. Some subprocessors may process data in additional regions identified in Section 2. Enterprise transfer terms, where applicable, are addressed in the DPA.

5. INCIDENT RESPONSE; BREACH NOTIFICATION

5.1 OfferReady maintains an incident-response process for identifying, containing, and remediating security incidents. Notification of personal-data breaches is provided as required by applicable law (including Fla. Stat. § 501.171, the Florida Information Protection Act) and, for enterprise customers, within the timeline stated in the executed DPA.

6. UPDATES TO THIS DOCUMENT

6.1 OfferReady may add, remove, or replace subprocessors. OfferReady will update this document and, for customers with an executed DPA, provide notice of new subprocessors per the DPA’s notice-and-objection mechanism. The version and effective date shown above reflect the current version. Customers may request update notifications by emailing albert@arbicgroup.com.

7. SECURITY CONTACT

7.1 Security inquiries and vulnerability reports: albert@arbicgroup.com.

This is not legal advice, not lending advice, not valuation advice, and not tax, inspection, or insurance advice.

OfferReady is organizational software. It does not draft, interpret, recommend, negotiate, approve, or execute legal agreements, and it is not a brokerage, lender, title company, escrow agent, appraiser, inspector, or law firm.

OfferReady · Legal document · v2.0, effective July 3, 2026

This document is not legal advice. Questions: albert@arbicgroup.com.