Subprocessors
A subprocessor is any third party we engage that may create, receive, maintain, or transmit protected health information (PHI) on our behalf. Under the HIPAA "chain of assurances," we obtain a signed Business Associate Agreement (BAA) from every such subprocessor before it handles PHI. A vendor that provably cannot access PHI is listed here for transparency but is not, strictly, a PHI subprocessor.
Subprocessors that handle or are covered for PHI
| Subprocessor | Purpose | Location | PHI | Assurance |
|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure: database, encrypted document storage, secrets, logging, and transactional email (Amazon SES). | United States | Yes — hosts all PHI | AWS BAA signed |
| Google Workspace | Our own internal company email and documents. Policy is that customer PHI never enters Workspace. | United States | No customer PHI | Google Workspace BAA in place (belt-and-suspenders) |
Vendors that are not PHI subprocessors
These vendors support the business but do not receive customer PHI:
| Vendor | Purpose | Why no PHI |
|---|---|---|
| Stripe | Subscription billing and payments. | Billing data only (practice name, email, plan). No patient data is ever sent to Stripe, so a BAA is not required. |
| Amazon SES (AWS) | Transactional email — login codes, invitations, and reminder digests. | Messages carry no PHI (digests are counts only); covered by the AWS BAA regardless. |
| GitHub | Source-code hosting and CI. | The repository holds code and synthetic fixtures only — never PHI. |
| Notion | Internal business and compliance documentation. | Business documents only — never PHI. |
| Sentry | Application error monitoring. | Currently not enabled in any environment. If ever enabled in a PHI environment, it is gated on a written no-PHI determination or a BAA first. |
| Your SSO identity provider | Authentication assertions, if your practice uses SSO. | Belongs to you; it supplies an identity assertion and receives no PHI from us. |
Change notification
When we add, remove, or materially change a PHI subprocessor, we will:
- Update this page before the new subprocessor processes any PHI;
- Obtain the subprocessor's BAA (or a written no-PHI determination) first; and
- Notify affected practices per the mechanism and window in each executed BAA — the executed BAA controls.
Review cadence
On any subprocessor change, and at least annually, the Security Official re-verifies each entry: the BAA is still in force, the service is still HIPAA-eligible and configured per guidance, and the PHI-exposure classification and data location are still accurate.
Not legal advice. This register reflects the Company's good-faith determinations as of the date above and is pending vCISO / counsel validation. Where an executed customer BAA imposes stricter subprocessor terms, the BAA controls. Questions: security@therapytracked.com.