HomeLegal CenterSubprocessor List
Legal · Document 05

Subprocessor List

Every third party we engage to process Customer Content, what it does, where, and under what safeguards. Short list, on purpose: four vendors can touch your records, every one under a BAA with zero-retention, no-training terms.

Last updated: July 7, 2026 Change notice: 30 days in advance

A. Subprocessors of Customer Content

These entities can process the records, imaging, and outputs you upload, solely to provide the Services. Each is bound by a subcontractor BAA and terms no less protective than the DPA — including the no-training flow-down.

Entity
Service
Location
Safeguards
Amazon Web Services, Inc.
Cloud infrastructure: compute, storage, database, and monitoring for the platform (Self-Service plan)
United States
us-east-1 ·
us-west-2 (DR)
BAA executed; HIPAA-eligible services only; isolated VPCs; AES-256 at rest, TLS 1.2+ in transit
Anthropic, PBC
AI model inference: clinical-event extraction, summarization, record Q&A, citation generation
United States
BAA executed; zero-retention inference endpoints; contractual no-training on Customer Content
OpenAI, LLC
AI model inference: vision OCR for scans and handwriting, structured extraction (multi-model pipeline)
United States
BAA executed; zero-retention inference endpoints; contractual no-training on Customer Content
OpenRouter, Inc.
AI inference routing: unified gateway that routes the multi-model pipeline's calls to the approved model endpoints above
United States
BAA executed; zero-retention routing (no prompt or output logging); contractual no-training; routes only to endpoints approved under this list

Plan scope. This table describes Self-Service and Test-a-File processing. Under AI Enablement, records and model inference run inside your AWS or Azure tenancy under your keys and your cloud provider's BAA — the model-inference rows above are not engaged. Under Enterprise On-Prem, no subprocessor receives Customer Content unless you explicitly enable it. Details: DPA Annex 3.

B. Business-operations processors — no access to Customer Content

These vendors support running the business — billing, email, site analytics. They never receive medical records, imaging, or any Customer Content; they process only the visitor, account, and billing data described in the Privacy Notice.

Entity
Service
Location
Data involved
Stripe, Inc.
Payment processing for per-page billing and Order Form invoicing
United States
Billing contact, payment method, transaction amounts — card data goes to Stripe directly, never to us
Google LLC (Workspace)
Business email, documents, and internal collaboration
United States
Correspondence you send us; support and sales communications
Google LLC (Analytics 4)
Website analytics on medrecords.ai — loads only after cookie consent
United States
Pseudonymous usage data per the Cookie Policy; IP anonymization enabled

What every Customer-Content subprocessor signs

Subcontractor BAA under 45 CFR 164.502(e), no weaker than ours with you
Zero-retention inference — no storage of prompts or outputs beyond the request
No training on Customer Content, including de-identified derivatives — the DPA §4.4 flow-down
US-only processing of Customer Content, breach notice to us within 24 hours, audit cooperation

We remain fully liable to you for every subprocessor's performance, as if it were our own (DPA §7.3).

Change notifications & objection rights

We add or replace a subprocessor of Customer Content only after 30 days' advance notice — by email to your account contacts and to everyone subscribed here. You may object on reasonable data-protection grounds within 14 days to [email protected]; if we can't resolve the objection, you may terminate the affected Services with a pro-rata refund of prepaid, unused fees (DPA §7.2). Emergency replacements for security reasons are notified as they happen, with the same objection rights.

Subscribe to changes
Notify me 30 days ahead

Used only for subprocessor notices. Unsubscribe any time.

Changelog

Date
Change
Jul 7, 2026
Added OpenRouter, Inc. (AI inference routing) to the Customer Content table (v1.1).
Jul 7, 2026
Initial publication (v1.0): AWS, Anthropic, OpenAI (Customer Content); Stripe, Google Workspace, Google Analytics (business operations).