Sub-processors
Generated from lib/subprocessors.ts. We update this list within 30 days of any change. To be notified of changes, email support@brainiacstechsolutions.com with subject "subprocessor notice".

| Vendor | Purpose | Region | HIPAA / BAA | DPA |
|---|---|---|---|---|
| Stripe, Inc. | Payments, subscription billing, payout, fraud screening (Stripe Radar). | United States (global PCI scope) | BAA available | executed |
| Cloudflare / Caddy front-end | Edge TLS termination, DDoS shielding, rate-limiting. | Global anycast | No PHI access | executed |
| Anthropic PBC | Large-language-model inference for natural-language workflows (intake summarization, response drafting). | United States | No BAA — no PHI to this vendor | standard-terms |
| OpenAI, OpenAI LLC | Optional secondary LLM for non-PHI flows. | United States | No BAA — no PHI to this vendor | standard-terms |
| Twilio, Inc. | Programmable SMS for booking confirmations, reminders, MFA. | United States | BAA available | executed |
| Deepgram, Inc. | Speech-to-text for the voice receptionist. | United States | BAA available | executed |
| Postmark / SMTP relay | Transactional email (receipts, password reset, dunning notices). | United States | BAA available | executed |
| Hetzner Online GmbH | Primary application + database hosting (EU primary, US fail-over). | Germany (EU) | No PHI access | executed |

PHI handling
For our HIPAA-aware products (MedFlow, DentalFlowDesk, and any VetDeck deployment that captures human PHI), Protected Health Information is only sent to vendors that hold a current Business Associate Agreement with us. Vendors marked "No BAA" above are isolated from the PHI path: those products run in a "no-PHI to AI" mode until the BAA is executed.
Notification of changes
We notify customers at least 30 days before adding a new sub-processor that will process their data, except where the change is required for security or legal reasons, in which case we notify as promptly as practicable.