Subprocessors
Last updated: 2026-06-10
These are the vendors in our infrastructure and exactly what each one handles. IntakeFlow is currently in pre-launch: no client PHI is processed until every vendor in the PHI path operates under a signed BAA, and we keep this page accurate to what is signed — not what is merely available.
| Vendor | Services | Purpose | BAA | Region |
|---|---|---|---|---|
| AWS | SES, KMS, Bedrock, ECS Fargate, CloudWatch | Application hosting, transactional email, encryption-key management, LLM-assisted intake extraction, logs. Only services on the AWS HIPAA Eligible Services Reference touch PHI. | Signed | United States |
| Neon (a Databricks company) | Serverless Postgres | Primary database. PHI is stored as ciphertext only (per-tenant envelope encryption); Neon never holds plaintext client data. | Pending — required before launch | United States |
| Google Workspace | Gmail | The practice intake mailbox our screener reads from, where a practice connects one. | Signed | United States |
Hosting transition note
The application is moving to AWS ECS Fargate (covered by our signed AWS BAA). During the transition the public site is served from Vercel, which does not process client PHI in this period — launch, and any real client data, waits until the AWS migration and the pending BAA above are complete.
Vendors that do NOT process PHI
We also use these vendors. They never receive client data, by design:
- Stripe — subscription billing for the practice itself. Patients never touch our billing; no client names, emails, or clinical references ever appear in any Stripe field.
- GitHub — source code only; no PHI in the repository, ever (synthetic test data only).
- Google Cloud DNS — name resolution only.
LLM processing
Intake extraction and crisis-signal detection run on Claude models via Amazon Bedrock, inside AWS and covered by the AWS BAA. Prompts are not retained by Bedrock by default and are never used to train models. We do not send client data to any AI vendor outside that BAA boundary.
Notification of changes
We notify all account owners by email at least 14 days before any subprocessor is added, and immediately on removal. Continued use after the effective date constitutes acceptance.
Object to a subprocessor
If you have a documented compliance reason to refuse a new subprocessor, contact privacy@emhnj.com within 14 days of notification. We'll work with you or terminate without penalty.