The list below covers every subprocessor that may receive personal data (including PHI when the Customer has explicitly enabled the relevant integration and attested a BAA).
| Vendor | Purpose | Region | PHI? |
|---|---|---|---|
| AWS (us-east-1, eu-west-1, ap-southeast-2) | Hosting, Postgres RDS, S3 storage, KMS | Region of Customer's choice | Yes |
| Stripe | Payment processing | US | No |
| Sentry | Error tracking — PHI scrubbed before send | US | No |
| Datadog | Metrics + structured logs (no PHI fields) | US / EU | No |
| Plausible Analytics | Aggregate website analytics — marketing site only | EU | No |
| Postmark | Transactional email (account / billing / verification) | US | No |
| Cloudflare | CDN, DDoS protection, WAF | Global | No |
| OpenAI | AI skills — only when Customer enables and attests BAA | US (Zero Data Retention) | Yes |
| Anthropic | AI skills — only when Customer enables and attests BAA | US | Yes |
| Daily.co | Telehealth video — only when Customer enables and attests BAA | US | Yes |
| Twilio | SMS reminders — only when Customer enables and attests BAA | US | Yes |

Onboarding new subprocessors

We give Customers at least 30 days' written notice before adding a new subprocessor that processes PHI. To object, email [email protected]. We work with you to find a mutually acceptable solution; if none is reached, you may terminate the affected Service.

Subscribe to changes

Customer admins can subscribe to subprocessor change notices in the tenant settings. Email subscribers receive notification 30 days before any new subprocessor processes PHI on their behalf.

Customer-controlled subprocessors

Several subprocessors above are activated only by an explicit Customer action (enabling the integration AND attesting a BAA). Until both happen, no data flows to that vendor:
- OpenAI / Anthropic — AI skill execution
- Daily.co — telehealth video
- Twilio — SMS reminders
- SendGrid / SES — transactional email if not Postmark

Contact

Privacy Officer: [email protected].