Subprocessors
Last updated: 2026-05-22
These are the vendors that handle PHI on our behalf. Each operates under a signed BAA. We notify customers at least 14 days before adding a new subprocessor.
| Vendor | Services | Purpose | BAA | Region |
|---|---|---|---|---|
| AWS | RDS Postgres, S3, SES, KMS, CloudWatch, IAM | Hosting, database, transactional email, key management, logs, identity. | Accepted via AWS Artifact | us-east-1 (N. Virginia) |
| Anthropic | Claude API | LLM extraction of intake fields and detection of crisis signals. | Signed BAA addendum | US (per Anthropic Trust Center) |
| Vercel | Next.js hosting (Enterprise) | Marketing site and authenticated app hosting. Status: pending — see footnote. | Available on Enterprise tier | US edge + US compute |
| Inngest | Background jobs (Enterprise) | Durable cron + retries for the polling and digest pipelines. PHI is NOT carried in event payloads — only tenantId and intakeId. | Available on Enterprise tier | US |
| Stripe | Stripe Billing | Subscription billing only. We do not send PHI to Stripe. | Available (we do not transmit PHI) | US |
Footnote on Vercel
Hosting on Vercel is currently deferred: for early beta we run on AWS only (ECS Fargate), so the BAA chain is just AWS. We'll add Vercel here if we move marketing to it. See the M0 decision matrix at /security.
Vendors that do NOT process PHI
We also use these vendors, but they do not have access to PHI:
- GitHub — source code only; no PHI in the repo.
- Plausible (self-hosted) — marketing-site analytics; never loaded on authenticated pages.
Notification of changes
We notify all account owners by email at least 14 days before any subprocessor is added, and immediately on removal. Continued use after the effective date constitutes acceptance.
Object to a subprocessor
If you have a documented compliance reason to refuse a new subprocessor, contact privacy@psychtoday-screener.com within 14 days of notification. We'll work with you or terminate without penalty.