Subprocessors
Every third-party service that processes customer data on our behalf. Publicly mirrored to /security/subprocessors on the marketing site.
| Subprocessor | Purpose | Country | Touches PHI | BAA |
|---|---|---|---|---|
| Clerk | Authentication + user management | US | No | N/A (no PHI) |
| Neon | Postgres database | US | No | N/A (no PHI stored) |
| Fly.io | Scanner worker runtime | US | No | N/A (no PHI) |
| Cloudflare R2 | Report storage | US | No | N/A (no PHI) |
| Cloudflare | CDN + DNS + WAF | US | No | N/A (no PHI) |
| Vercel | Marketing + app hosting | US | No | N/A (no PHI) |
| Postmark | Transactional email (alerts) | US | No | N/A — alerts contain no PHI |
| Twilio | SMS alerts (Pro) | US | No | N/A — SMS contains no PHI |
| Stripe | Payments | US | No | N/A (no PHI) |
| Anthropic | LLM classification of public review text | US | No | N/A — input is public review content only |
| Sentry | Error tracking | US | No | Logs scrubbed; no PHI |
| PostHog | Product analytics | US | No | PII-only event tagging |