Vendors. Listed publicly.
PracticeIQ uses the subprocessors below to deliver the Service. Every vendor handling PHI either has a signed BAA in place or is held out of the PHI path until one is executed. Customers are notified by email 30 days in advance of any addition or material change.
Pilot-transparent status: we are pre-customer-1 and are mid-transition off Vercel (not BAA-eligible on our current plan) to AWS, with the migration scheduled for the weekend of 2026-05-03/04. BAA requests to OpenAI and Anthropic were submitted 2026-04-20 and are pending; until they return, all PHI-bearing LLM traffic routes through Google Vertex AI, whose BAA is signed.
| Subprocessor | Purpose | Data type | BAA status | Region |
|---|---|---|---|---|
| Vapi AI, Inc. | Voice AI orchestration + transcription | PHI (transient) | Signed | US |
| Twilio, Inc. | SMS + voice (PSTN) origination | PHI | Signed | US |
| Google, LLC (Vertex AI) | LLM inference (specialty routing, fallback path) | PHI (transient) | Signed | US |
| OpenAI, LLC | LLM inference (primary chat + intent) | PHI (transient, ZDR required) | Requested 2026-04-20 — PHI traffic held until BAA executed | US |
| Anthropic, PBC | LLM inference (reasoning-heavy turns) | PHI (transient, ZDR required) | Requested 2026-04-20 — PHI traffic held until BAA executed | US |
| Amazon Web Services (primary database + hosting) | Self-hosted Postgres (Supabase OSS) on EC2 us-east-2, root volume KMS-encrypted at rest, S3 backups with versioning + 90-day Glacier transition | PHI | Active via AWS Artifact — executed 2026-04-22 | US East (Ohio) |
| Supabase, Inc. (retired) | Previously hosted Postgres — migrated off 2026-04-22 | No current PHI — legacy project paused as rollback | Not applicable — project paused; no new PHI written after cutover | — |
| Vercel, Inc. | Web app hosting (static + edge rendering, no PHI persistence) | PHI in transit only — no storage | Not required — all PHI persistence happens on AWS | Global |
| Amazon SES (planned) | Transactional email | PHI | Covered by AWS BAA | US East |
| Resend, Inc. | Retired — replaced by AWS SES | — | Not BAA-eligible on current plan — retired from PHI paths | — |
| Stripe, Inc. | Billing, subscription management | Payment data only — no PHI | N/A — no PHI processed | US |
| Cloudflare, Inc. | CDN, DDoS protection, WAF (planned) | PHI in transit | Pending | Global |
We tell you before we change anything.
When we add a subprocessor, remove one, or move data between regions, every active customer receives an email at the contact on file at least 30 days before the change takes effect. If you object, you may terminate per the master agreement.
Subscribe to subprocessor notices: email christian@practiceiq.tech.