Providers
ArchibotChat subprocessors and service providers
Understand service-provider categories used by hosted commercial ArchibotChat.
This page summarizes the service-provider categories used by the hosted commercial ArchibotChat service. If contract terms, data processing terms, or a signed security addendum differ from this summary, those documents control.
Use hosted ArchibotChat only for data your organization has approved for the provider categories below. Enterprise customers can request a security packet before approving sensitive or regulated workflows.
Service provider summary
| Provider or component | Purpose | Data involved |
|---|---|---|
| ISM | Operates ArchibotChat, support, account access, billing configuration, audit handling, and customer operations | Account profile, product access, usage records, support cases, audit events, artifacts, billing metadata |
| Customer identity provider | User sign-in and organization identity proofing | Login identifiers, email address, name, group or claim data provided during sign-in |
| Authentik | Identity broker and application access flow for hosted environments | Login session metadata, email address, name, groups, OIDC flow state |
| Stripe | Subscription checkout, billing, invoices, payment state, and customer portal | Billing contact, plan, payment status, invoice/payment metadata |
| Resend | Product, billing, support, access-request, and notification emails | Recipient email, message metadata, product notification content |
| Archibot public endpoint and configured model providers | Chat and generated API-key model responses | Prompts, request metadata, model parameters, generated responses, usage metadata |
| DigitalOcean | Hosted Kubernetes, managed database where used, load balancing, block storage, and networking | Application runtime data, database contents, object-store volumes, logs/metadata as operated by ISM |
| SeaweedFS or compatible object storage | Artifact byte storage for uploaded and generated artifacts | Artifact files, extracted derivatives, object metadata |
| AWS S3 and Glacier-class storage where configured | Off-cluster backup target for artifacts and database backups | Backup objects, checksums, freshness markers, encrypted/provider-protected storage metadata |
| Cloudflare or DNS/TLS providers where configured | DNS, certificate automation, edge routing support | Domain names, DNS records, TLS validation metadata |
| Microsoft Teams or similar operator alert channels where configured | Operator alerts for health checks and access requests | Minimal alert text, environment name, request status, and operational metadata |
Identity and SSO
Your organization may use Microsoft SSO or another approved identity provider. The identity provider controls its own authentication, MFA, conditional access, and account lifecycle.
ArchibotChat receives only the claims needed for sign-in and product access. If the wrong email address, name, or group appears in ArchibotChat, start with your customer admin or identity administrator.
Billing
Stripe handles checkout, recurring subscriptions, invoices, payment status, and the customer billing portal. ArchibotChat stores billing state and Stripe identifiers needed to enforce product access and support billing questions.
Do not put payment card data into support cases, prompts, artifacts, or API calls.
Resend sends operational email such as billing lifecycle notices, low-credit notices, access-request notifications, support messages, and unsubscribe links where enabled.
If emails land in junk, mark expected Archibot messages as not junk, allowlist the sending domain if your organization requires it, and ask ISM support to review SPF, DKIM, DMARC, and bounce evidence if delivery continues to fail.
Models and prompts
ArchibotChat forwards browser chat and generated API-key requests to the Archibot public endpoint. That endpoint may route to configured model providers.
Prompts, API request bodies, model parameters, attached-artifact metadata, and generated responses may be processed by that endpoint path. Do not send data your organization has not approved for that processing path.
Artifacts and backups
Artifacts can include uploaded files, extracted text derivatives, generated responses, object metadata, and audit records. Hosted environments can use S3-compatible storage and off-cluster backups for recovery.
Artifact retention and backup retention are operator-configured and may not match the moment a user deletes an item from the application. Ask ISM support for the current retention policy for your environment if you have a specific deletion, legal, or compliance need.
Dedicated environments
Commercial hosted ArchibotChat can be complemented by dedicated deployment options when a customer needs stronger boundaries or a customer-specific provider list.
Those options require separate review and written approval. Provider lists, identity, storage, backup, logging, monitoring, support, and authorization boundaries may differ from the public hosted service.
Change requests
Open a support case if your organization needs:
- A current provider list for security review.
- A data-flow review for a specific use case.
- A dedicated commercial tenant.
- The enterprise security packet.
- An email deliverability review.
- A deletion, export, retention, or backup clarification.
Do not include sensitive data in the support case itself. Ask for the approved secure exchange path first.
Related guides
- ArchibotChat security overview
- ArchibotChat data boundaries
- ArchibotChat support cases
- ArchibotChat billing and credits
Done when
- Security reviewers know which provider categories may process account, billing, prompt, artifact, or backup data.
- Users know when to request an enterprise security packet.
- Provider-specific questions go through support without sensitive data in the case text.