We maintain this live list of third-party service providers that may process data (including PHI/PII) to deliver MediChatApp. We’ll post changes here and can email you upon request.

We engage reputable providers that meet strict security, availability, and privacy requirements. Where applicable, we execute Business Associate Agreements (BAAs) and/or Data Processing Addenda (DPAs), and we scope access to the minimum necessary.

| Provider | Purpose | Data Types | Data Location | Notes |
|---|---|---|---|---|
| AWS (Amazon Web Services) | Hosting (compute, storage, databases), email delivery (SES) | PHI/PII, account data, operational logs | USA (region selection controlled by MediChatApp) | HIPAA-eligible services; encryption at rest & in transit; VPC isolation. |
| Cloudflare | WAF/CDN/DDoS, DNS, Turnstile CAPTCHA | Network metadata, limited request content as required for edge security | Global network with US processing | Security edge; no persistent storage of PHI beyond transient processing. |
| Stripe | Billing & payments (vendor/customer invoicing) | Billing contact info, payment tokens (no raw card stored by MediChatApp) | USA/EU (per Stripe) | PCI DSS Level 1; used for commercial billing, not clinical care. |
| Google (Analytics / Tag Manager) | Website analytics (marketing site only) | Usage analytics; no PHI intended | Global (per Google) | De-identified website metrics; disabled in app surfaces containing PHI. |
| LinkedIn (Insight Tag) | Advertising analytics (marketing site only) | Marketing attribution data; no PHI intended | Global (per LinkedIn) | Limited to public marketing pages; opt-out available via browser settings. |
| Meta (Pixel) | Advertising analytics (marketing site only) | Marketing attribution data; no PHI intended | Global (per Meta) | Limited to public marketing pages; not enabled on PHI surfaces. |

We’re happy to share diagrams, answer security questionnaires, and execute BAAs/DPAs.