Subprocessors

Last updated: 2026-06-10

These are the vendors in our infrastructure and exactly what each one handles. IntakeFlow is currently in pre-launch: no client PHI is processed until every vendor in the PHI path operates under a signed BAA, and we keep this page accurate to what is signed — not what is merely available.

VendorServicesPurposeBAARegion
AWSSES, KMS, Bedrock, ECS Fargate, CloudWatchApplication hosting, transactional email, encryption-key management, LLM-assisted intake extraction, logs. Only services on the AWS HIPAA Eligible Services Reference touch PHI.SignedUnited States
Neon (a Databricks company)Serverless PostgresPrimary database. PHI is stored as ciphertext only (per-tenant envelope encryption); Neon never holds plaintext client data.Pending — required before launchUnited States
Google WorkspaceGmailThe practice intake mailbox our screener reads from, where a practice connects one.SignedUnited States

Hosting transition note

The application is moving to AWS ECS Fargate (covered by our signed AWS BAA). During the transition the public site is served from Vercel, which does not process client PHI in this period — launch, and any real client data, waits until the AWS migration and the pending BAA above are complete.

Vendors that do NOT process PHI

We also use these vendors. They never receive client data, by design:

  • Stripe — subscription billing for the practice itself. Patients never touch our billing; no client names, emails, or clinical references ever appear in any Stripe field.
  • GitHub — source code only; no PHI in the repository, ever (synthetic test data only).
  • Google Cloud DNS — name resolution only.

LLM processing

Intake extraction and crisis-signal detection run on Claude models via Amazon Bedrock, inside AWS and covered by the AWS BAA. Prompts are not retained by Bedrock by default and are never used to train models. We do not send client data to any AI vendor outside that BAA boundary.

Notification of changes

We notify all account owners by email at least 14 days before any subprocessor is added, and immediately on removal. Continued use after the effective date constitutes acceptance.

Object to a subprocessor

If you have a documented compliance reason to refuse a new subprocessor, contact privacy@emhnj.com within 14 days of notification. We'll work with you or terminate without penalty.