Subprocessor and Third-Party Service Provider List

Scribeable Platform - Data Processing Partners

Last Updated: March 9, 2026

Effective Date: March 9, 2026

Version: 2.3

1. INTRODUCTION

This document lists all subprocessors and third-party service providers ("Subprocessors") that Scribeable, Inc. ("Scribeable") uses to process customer data, including Protected Health Information (PHI) and Personal Data, in connection with providing the Scribeable Platform.

Purpose:

Transparency about data processing partners
GDPR Article 28 compliance
HIPAA Business Associate compliance
Support for customer risk assessments

Updates:

We will update this list when adding or changing Subprocessors
Customers will receive at least 30 days' advance notice of changes
Current version is always available at: https://scribeable.ai/legal/subprocessors

Objection Rights:

Customers may object to new Subprocessors on reasonable data protection grounds
Objections must be submitted within 15 days of notification
Contact: [email protected]

2. SUBPROCESSOR CATEGORIES

2.1 Artificial Intelligence and Machine Learning

Anthropic PBC

Service: AI language models (Claude API) for clinical documentation generation
Data Processed: Clinical notes, patient information, medical records, voice transcripts
Purpose: Generate AI-powered clinical summaries, structured data extraction, clinical decision support
Location: United States
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Standard Contractual Clauses (SCCs) for GDPR
- Contractual prohibition on using customer data for model training
- Encryption in transit (TLS 1.3)
- HIPAA-compliant infrastructure
Certifications: SOC 2 Type II
Website: https://www.anthropic.com
Privacy Policy: https://www.anthropic.com/privacy
Data Center Locations: United States
Date Added: October 2024
BAA Status: ✅ In place

2.2 Voice Transcription Services

Deepgram, Inc.

Service: Medical voice transcription and speech-to-text
Data Processed: Voice recordings, audio files containing clinical encounters, PHI in audio format
Purpose: Convert voice recordings to text for clinical documentation
Location: United States
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Standard Contractual Clauses (SCCs) for GDPR
- Medical-grade transcription with specialized vocabulary
- HIPAA-compliant infrastructure
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Audio files deleted after transcription (not retained by Deepgram)
Certifications: SOC 2 Type II, HITRUST
Website: https://deepgram.com
Privacy Policy: https://deepgram.com/privacy
Data Center Locations: United States
Date Added: October 2024
BAA Status: ✅ In place

2.3 Cloud Infrastructure and Hosting

Google LLC (Google Cloud Platform / Firebase)

Service: Cloud infrastructure, authentication, real-time database, cloud storage
Data Processed: All customer data, PHI, account information, authentication credentials
Purpose:
- Firebase Authentication: User authentication and session management
- Cloud Firestore: Real-time database for patient data, consultations, practice analytics
- Cloud Storage: Encrypted storage for clinical documents and attachments
- Cloud Functions: Serverless backend operations
Location: United States (with global presence)
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Standard Contractual Clauses (SCCs) for GDPR
- Data Processing Addendum (DPA)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Regional data residency controls
- HIPAA-compliant infrastructure
- Comprehensive security controls
Certifications: SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, HIPAA, HITRUST CSF, PCI DSS, FedRAMP
Website: https://cloud.google.com
Privacy Policy: https://cloud.google.com/privacy
Data Center Locations: United States (primary), Europe (optional)
Date Added: October 2024
Data Residency: Customer data stored in us-central1 (Iowa) by default
BAA Status: ✅ In place

Cloudflare, Inc.

Service: CDN, WAF, and DDoS protection
Data Processed: HTTP request metadata, IP addresses, TLS termination (PHI encrypted in transit, not persisted by Cloudflare)
Purpose: Content delivery, web application firewall, DDoS mitigation for all platform traffic
Location: United States / Global (edge network)
Safeguards:
- Business Associate Agreement (BAA) pending
- Standard Contractual Clauses (SCCs) for GDPR
- Encryption in transit (TLS 1.3)
- No PHI cached or persisted at edge
- All traffic passes through Cloudflare before reaching origin servers
Certifications: SOC 2 Type II, ISO 27001
Website: https://www.cloudflare.com
Privacy Policy: https://www.cloudflare.com/privacypolicy
Date Added: February 2026
BAA Status: Pending

OVH US Corporation (OVH Public Cloud)

Service: Cloud failover infrastructure hosting for disaster recovery
Data Processed: Application data, database replicas (may include PHI during failover)
Purpose: Cloud failover and disaster recovery hosting
Location: Vint Hill, VA, USA
Safeguards:
- ✅ Business Associate Agreement (BAA) signed
- Encryption in transit (TLS 1.3) and at rest
- HIPAA-compliant infrastructure
- Access restricted to authorized personnel via VPN
Certifications: SOC 2, ISO 27001, HIPAA BAA
Website: https://www.ovhcloud.com
Privacy Policy: https://www.ovhcloud.com/en/terms-and-conditions/privacy-policy/
Date Added: February 2026
BAA Status: ✅ Signed
Note: Cloud failover environment. Hosts warm standby application and streaming database replica for disaster recovery.

Backblaze, Inc.

Service: Cloud storage and encrypted backup (B2 Cloud Storage)
Data Processed: Encrypted backups which may contain PHI
Purpose: Online computer backup and B2 cloud storage for disaster recovery and data retention
Location: United States
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Customer-side encryption required
- HIPAA-compliant infrastructure
- Data destroyed 180 days after service termination
Certifications: SOC 2 Type II
Website: https://www.backblaze.com
Privacy Policy: https://www.backblaze.com/company/privacy.html
Date Added: February 2026
BAA Status: ✅ In place

Redis / Bull (Self-Hosted on GCP)

Service: In-memory data store and job queue processing
Data Processed: Job queue metadata, transient processing state (may include PHI references during note generation)
Purpose: Background job queue management (Bull/BullMQ) for asynchronous note generation and task processing
Location: United States (hosted on Google Cloud Platform infrastructure)
Safeguards:
- Self-hosted on GCP compute instances covered by the existing GCP BAA
- No third-party data sharing — Redis runs within our own infrastructure
- Encryption in transit (TLS) and at rest (GCP disk encryption)
- Transient data only; jobs are removed after completion
Certifications: N/A (self-hosted; covered by GCP certifications and BAA)
Website: https://redis.io
Date Added: February 2026
BAA Status: Covered by GCP BAA (self-hosted on GCP infrastructure)

2.4 Payment Processing

Apple Inc. (Apple In-App Purchase)

Service: Payment processing for iOS app subscriptions and in-app purchases
Data Processed: Transaction data, purchase history, Apple ID (managed by Apple)
Purpose: Process subscription payments and in-app purchases
Location: United States (global processing)
Safeguards:
- Apple's standard data protection commitments
- Scribeable does not receive full payment card information
- Apple handles PCI DSS compliance
- Transaction data encrypted in transit and at rest
Certifications: PCI DSS Level 1, ISO 27001
Website: https://www.apple.com/apple-pay
Privacy Policy: https://www.apple.com/legal/privacy
Note: Apple is the merchant of record for iOS subscriptions
Date Added: October 2024

Stripe, Inc.

Service: Payment processing for web-based subscriptions
Data Processed: Payment card information, billing details, transaction history (zero PHI)
Purpose: Process credit card payments for web and enterprise subscriptions
Location: United States (global processing)
Safeguards:
- Standard Contractual Clauses (SCCs) for GDPR
- PCI DSS Level 1 certified
- Tokenization of payment data
- Scribeable does not store full card numbers
- No PHI is transmitted to Stripe — payment data only
Certifications: PCI DSS Level 1, SOC 2 Type II, ISO 27001
Website: https://stripe.com
Privacy Policy: https://stripe.com/privacy
Date Added: October 2024
Status: Active
BAA Status: Not required (zero PHI processed — payment processor only)

2.5 Analytics and Monitoring

Google LLC (Google Analytics)

Service: Anonymized usage analytics and platform performance monitoring
Data Processed: Anonymized usage data, page views, feature usage (NO PHI)
Purpose: Understand platform usage, improve user experience, identify issues
Location: United States (with global processing)
Safeguards:
- IP anonymization enabled
- PHI explicitly excluded from tracking
- Data retention limits (14 months)
- User-ID feature disabled
- Demographics and interests reports disabled
Certifications: ISO 27001
Website: https://analytics.google.com
Privacy Policy: https://policies.google.com/privacy
Note: Only anonymized, aggregated data is collected; no PHI
Date Added: October 2024
Opt-Out: Users can disable analytics in settings

Sentry

Service: Error tracking and application performance monitoring
Data Processed: Error logs, stack traces, device information (PHI scrubbed)
Purpose: Monitor application health, identify and fix bugs
Location: United States
Safeguards:
- Data scrubbing rules to remove PHI
- Encryption in transit and at rest
- Limited data retention (90 days)
- IP address anonymization
Certifications: SOC 2 Type II, ISO 27001
Website: https://sentry.io
Privacy Policy: https://sentry.io/privacy
Date Added: October 2024

Meta Platforms, Inc. (Meta Pixel)

Service: Marketing analytics and advertising conversion tracking (Website Only — NO PHI)
Data Processed: Anonymized page views, marketing conversion events, cookie identifiers (NO PHI, NO clinical data)
Purpose: Measure marketing campaign effectiveness and website visitor engagement on the public marketing site
Location: United States (global processing)
Safeguards:
- Never loaded on the authenticated practice dashboard — restricted to the public marketing site (scribeable.ai) only
- Loaded only after explicit cookie consent via cookie consent banner
- No PHI, clinical data, or authenticated user data is transmitted
- No tracking pixels on any authenticated or clinical pages
- Data Processing Terms executed
Certifications: ISO 27001
Website: https://www.facebook.com/business/tools/meta-pixel
Privacy Policy: https://www.facebook.com/privacy/policy
Date Added: February 2026
BAA Status: N/A (no PHI processed; marketing site only)
Note: Meta Pixel is only present on the unauthenticated marketing website. It is never loaded in the authenticated dashboard, mobile app, or any environment where PHI is present. Requires cookie consent before activation.

Google LLC (Google Tag Manager)

Service: Tag management and analytics orchestration (Website Only — NO PHI)
Data Processed: Page views, user interactions, conversion events, cookie identifiers (NO PHI, NO clinical data)
Purpose: Centralized management of marketing and analytics tags on the public marketing site
Location: United States (global processing)
Safeguards:
- Never loaded on the authenticated practice dashboard — restricted to the public marketing site (scribeable.ai) only
- Loaded only after explicit cookie consent via cookie consent banner
- No PHI, clinical data, or authenticated user data is transmitted
- No tags deployed on any authenticated or clinical pages
- Data Processing Terms executed
Certifications: ISO 27001
Website: https://tagmanager.google.com
Privacy Policy: https://policies.google.com/privacy
Date Added: March 2026
BAA Status: N/A (no PHI processed; marketing site only)
Note: Google Tag Manager is only present on the unauthenticated marketing website. It is never loaded in the authenticated dashboard, mobile app, or any environment where PHI is present. Requires cookie consent before activation.

Google LLC (Google Ads)

Service: Advertising conversion tracking (Website Only — NO PHI)
Data Processed: Conversion events (demo requests, pricing page views, trial signups), anonymized page interaction data (NO PHI, NO clinical data)
Purpose: Measure advertising campaign effectiveness and conversion attribution on the public marketing site
Location: United States (global processing)
Safeguards:
- Never loaded on the authenticated practice dashboard — restricted to the public marketing site (scribeable.ai) only
- Loaded only after explicit cookie consent via cookie consent banner
- No PHI, clinical data, or authenticated user data is transmitted
- No tracking on any authenticated or clinical pages
- Data Processing Terms executed
Certifications: ISO 27001
Website: https://ads.google.com
Privacy Policy: https://policies.google.com/privacy
Date Added: March 2026
BAA Status: N/A (no PHI processed; marketing site only)
Note: Google Ads conversion tracking is only present on the unauthenticated marketing website. It is never loaded in the authenticated dashboard, mobile app, or any environment where PHI is present. Requires cookie consent before activation.

Microsoft Corporation (Microsoft UET)

Service: Universal Event Tracking for advertising conversion measurement (Website Only — NO PHI)
Data Processed: Anonymized page views, conversion events, cookie identifiers (NO PHI, NO clinical data)
Purpose: Measure Microsoft Advertising campaign effectiveness on the public marketing site
Location: United States (global processing)
Safeguards:
- Never loaded on the authenticated practice dashboard — restricted to the public marketing site (scribeable.ai) only
- Loaded only after explicit cookie consent via cookie consent banner
- No PHI, clinical data, or authenticated user data is transmitted
- No tracking on any authenticated or clinical pages
- Data Processing Agreement executed
Certifications: SOC 2 Type II, ISO 27001
Website: https://about.ads.microsoft.com
Privacy Policy: https://privacy.microsoft.com/en-us/privacystatement
Date Added: March 2026
BAA Status: N/A (no PHI processed; marketing site only)
Note: Microsoft UET is only present on the unauthenticated marketing website. It is never loaded in the authenticated dashboard, mobile app, or any environment where PHI is present. Requires cookie consent before activation.

LinkedIn Corporation (LinkedIn Insight Tag)

Service: Marketing analytics and B2B advertising conversion tracking (Website Only — NO PHI)
Data Processed: Anonymized page views, professional demographic insights, marketing conversion events (NO PHI, NO clinical data)
Purpose: Measure B2B marketing campaign effectiveness and website engagement on the public marketing site
Location: United States (global processing)
Safeguards:
- Never loaded on the authenticated practice dashboard — restricted to the public marketing site (scribeable.ai) only
- Loaded only after explicit cookie consent via cookie consent banner
- No PHI, clinical data, or authenticated user data is transmitted
- No tracking tags on any authenticated or clinical pages
- Data Processing Agreement executed
Certifications: ISO 27001
Website: https://business.linkedin.com/marketing-solutions/insight-tag
Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Date Added: February 2026
BAA Status: N/A (no PHI processed; marketing site only)
Note: LinkedIn Insight Tag is only present on the unauthenticated marketing website. It is never loaded in the authenticated dashboard, mobile app, or any environment where PHI is present. Requires cookie consent before activation.

2.6 Communication Services

SendGrid (Twilio Inc.)

Service: Transactional email delivery
Data Processed: Email addresses, email content (service notifications, password resets, alerts)
Purpose: Send platform notifications, security alerts, account-related emails
Location: United States
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Data Processing Addendum (DPA)
- Standard Contractual Clauses (SCCs) for GDPR
- Encryption in transit (TLS)
- No PHI included in email communications
- Limited data retention
Certifications: SOC 2 Type II, ISO 27001
Website: https://sendgrid.com
Privacy Policy: https://www.twilio.com/legal/privacy
Note: SendGrid is a product of Twilio Inc. No PHI is transmitted in any email communications — emails are limited to service notifications, security alerts, and account management.
Date Added: October 2024
BAA Status: ✅ In place

Twilio Inc.

Service: SMS notifications (optional feature)
Data Processed: Phone numbers, SMS message content (alerts, 2FA codes)
Purpose: Send SMS notifications and two-factor authentication codes
Location: United States (global delivery)
Safeguards:
- ✅ Business Associate Agreement (BAA) in place
- Standard Contractual Clauses (SCCs)
- End-to-end encryption for messages
- No PHI in SMS messages
Certifications: SOC 2 Type II, ISO 27001, HIPAA
Website: https://www.twilio.com
Privacy Policy: https://www.twilio.com/legal/privacy
Status: Optional feature, not enabled by default
Date Added: October 2024
BAA Status: ✅ In place
Note: Twilio Inc. is the parent company of SendGrid. No PHI is transmitted in any SMS or email communications.

2.7 Customer Support

Zendesk, Inc. (Planned)

Service: Customer support ticket management
Data Processed: Support requests, user information, conversation history (may contain PHI)
Purpose: Provide customer support and technical assistance
Location: United States
Safeguards:
- Business Associate Agreement (BAA) to be executed
- Standard Contractual Clauses (SCCs)
- Encryption at rest and in transit
- Access controls and audit logging
- Staff training on PHI handling
Certifications: SOC 2 Type II, ISO 27001, ISO 27018, HIPAA
Website: https://www.zendesk.com
Privacy Policy: https://www.zendesk.com/company/privacy-and-data-protection
Status: Planned implementation
Alternative: Currently using direct email support

3. DATA FLOW AND ARCHITECTURE

3.1 Primary Data Flow

User Device (iOS/Web/Extension)
    ↓ [TLS 1.3 encrypted]
Cloudflare (CDN / WAF / DDoS Protection)
    ↓ [TLS 1.3 encrypted, proxied]
Google Cloud Platform (Firebase) — Production
    ↓ [API calls, encrypted]
Anthropic Claude API (AI summaries)
Deepgram API (transcription)
Redis/Bull (job queue — self-hosted on GCP)
    ↓ [Response, encrypted]
Google Cloud Platform (storage)
    ↓ [TLS 1.3 encrypted]
Cloudflare (CDN / WAF / DDoS Protection)
    ↓ [TLS 1.3 encrypted]
User Device

Cloud Failover (Disaster Recovery):
OVH Public Cloud (Vint Hill, VA, USA) — Warm standby

3.2 Data Processing Locations

Primary Data Storage:

Google Cloud Platform: us-central1 (Iowa, USA)

Cloud Failover:

OVH Public Cloud: Vint Hill, VA, USA (warm standby for disaster recovery)

Data Processing:

AI Processing: United States (Anthropic)
Transcription: United States (Deepgram)
CDN / WAF: United States / Global (Cloudflare edge network)
Job Queue: United States (Redis/Bull, self-hosted on GCP)
Analytics: United States (Google Analytics, Sentry)

Data Transfers:

All data transfers use encrypted channels (TLS 1.3)
Standard Contractual Clauses apply to transfers to/from EEA
UK International Data Transfer Addendum applies to UK transfers

3.3 Data Retention by Subprocessor

Subprocessor	Retention Period	Purpose
Anthropic	No retention (processed in memory only)	AI model inference
Deepgram	No retention (audio deleted after transcription)	Transcription processing
Google Cloud Platform	Per customer retention policy (7 years for PHI)	Primary data storage
Cloudflare	Transient only (no PHI cached/persisted)	CDN/WAF/DDoS protection
Backblaze	180 days after service termination	Encrypted cloud backup
OVH Public Cloud	Per customer retention policy (mirrors primary)	Cloud failover hosting
Redis/Bull (self-hosted)	Transient only (jobs removed after completion)	Job queue processing
Apple	Per Apple's payment records policy	Transaction records
Google Analytics	14 months	Analytics (anonymized only)
Google Tag Manager	Per Google's data retention policy	Tag management (no PHI)
Google Ads	Per Google's data retention policy	Conversion tracking (no PHI)
Microsoft UET	Per Microsoft's data retention policy	Conversion tracking (no PHI)
Meta Pixel	Per Meta's data retention policy	Marketing analytics (no PHI)
LinkedIn Insight Tag	Per LinkedIn's data retention policy	Marketing analytics (no PHI)
Sentry	90 days	Error logs
SendGrid (Twilio Inc.)	30 days	Email delivery logs
Twilio (SMS)	30 days	SMS delivery logs

4. SECURITY AND COMPLIANCE

4.1 Subprocessor Security Requirements

All Subprocessors must:

Execute Business Associate Agreements (for PHI processing)
Execute Data Processing Addenda (for GDPR compliance)
Implement appropriate technical and organizational measures
Maintain industry-standard security certifications (SOC 2, ISO 27001, or equivalent)
Provide encryption in transit and at rest
Maintain audit logging and monitoring
Undergo regular security assessments
Report security incidents promptly
Cooperate with security audits

4.2 Compliance Certifications Summary

Subprocessor	SOC 2	ISO 27001	HIPAA	HITRUST	GDPR	CCPA	BAA Signed
Anthropic	✓	Planned	✓	-	✓	✓	✅ Yes
Deepgram	✓	✓	✓	✓	✓	✓	✅ Yes
Google Cloud	✓	✓	✓	✓	✓	✓	✅ Yes
Backblaze	✓	-	✓	-	✓	✓	✅ Yes
Cloudflare	✓	✓	-	-	✓	✓	Pending
OVH Public Cloud	✓	✓	✓	-	✓	✓	✅ Yes
Redis/Bull (self-hosted)	N/A	N/A	N/A	N/A	N/A	N/A	Covered by GCP BAA
Apple	✓	✓	-	-	✓	✓	N/A
Stripe	✓	✓	✓	-	✓	✓	N/A (no PHI)
Sentry	✓	✓	-	-	✓	✓	N/A (no PHI)
Google Tag Manager	-	✓	-	-	✓	✓	N/A (no PHI; marketing site only)
Google Ads	-	✓	-	-	✓	✓	N/A (no PHI; marketing site only)
Microsoft UET	✓	✓	-	-	✓	✓	N/A (no PHI; marketing site only)
Meta Pixel	-	✓	-	-	✓	✓	N/A (no PHI; marketing site only)
LinkedIn Insight Tag	-	✓	-	-	✓	✓	N/A (no PHI; marketing site only)
SendGrid (Twilio Inc.)	✓	✓	✓	-	✓	✓	✅ Yes
Twilio (SMS)	✓	✓	✓	-	✓	✓	✅ Yes

4.3 Audit Rights

Customers have the right to:

Request copies of Subprocessor certifications
Review Subprocessor security documentation
Request information about Subprocessor data processing practices
Audit our selection and management of Subprocessors
Object to Subprocessors on reasonable data protection grounds

5. SUBPROCESSOR MANAGEMENT

5.1 Due Diligence Process

Before engaging a Subprocessor, we:

Conduct security and privacy due diligence
Review certifications and audit reports
Assess data protection capabilities
Evaluate business continuity and disaster recovery
Review financial stability
Negotiate appropriate contractual protections
Execute BAAs and DPAs as required

5.2 Ongoing Monitoring

We continuously monitor Subprocessors for:

Security incident notifications
Certification status and renewals
Compliance with contractual obligations
Service level performance
Security posture changes
Regulatory compliance

5.3 Subprocessor Changes

Adding New Subprocessors:

Complete due diligence and contracting
Notify customers at least 30 days in advance
Update this Subprocessor List
Provide objection period (15 days)
Address any objections or offer alternatives

Removing Subprocessors:

Update Subprocessor List within 30 days
Ensure data return or destruction
Maintain records for audit purposes

Replacing Subprocessors:

Follow "adding" process for new Subprocessor
Follow "removing" process for old Subprocessor
Ensure seamless transition with no data loss

6. CUSTOMER RIGHTS AND NOTIFICATIONS

6.1 Notification Methods

Customers will be notified of Subprocessor changes via:

Email to registered account email address
In-app notification
Update to this document with change log
Website announcement (https://scribeable.ai/legal/subprocessors)

6.2 Objection Process

To object to a new Subprocessor:

Email: [email protected] within 15 days of notification
Include: Account information and specific objection grounds
Provide: Detailed explanation of data protection concerns
We will respond within 10 business days

If objection is accepted:

We will seek alternative Subprocessor
We will work with you to address concerns
You may terminate affected services without penalty if no solution is found

If objection is not accepted:

We will explain our decision
You may terminate affected services without penalty

6.3 Information Requests

To request Subprocessor information:

Email: [email protected]
Request specific information needed
Allow 30 days for response
Some information may be subject to confidentiality restrictions

7. SUB-SUBPROCESSORS

Some Subprocessors may engage their own sub-processors (sub-subprocessors):

Google Cloud Platform:

May use regional data center operators
May use network service providers
All subject to Google's BAA and security commitments

Other Subprocessors:

Must obtain our approval before engaging sub-subprocessors
Must flow down equivalent data protection obligations
Remain fully liable for sub-subprocessor performance

8. CHANGE LOG

Date	Change Description	Subprocessor Affected	Notice Sent
2025-10-24	Initial publication	All subprocessors	N/A (initial)
2026-02-05	v2.0: Added Cloudflare (CDN/WAF/DDoS), OVH Public Cloud (disaster recovery), Redis/Bull (self-hosted on GCP), Meta Pixel, LinkedIn Insight Tag. Updated data flow diagram.	Cloudflare, OVH, Redis/Bull, Meta Pixel, LinkedIn, SendGrid, Twilio	Pending
2026-02-12	v2.2: Added Backblaze, Inc. for B2 cloud storage and encrypted backup. BAA in place. Updated compliance matrix and retention table.	Backblaze (added)	Pending
2026-03-09	v2.3: Added Google Tag Manager, Google Ads, and Microsoft UET (all marketing site only, no PHI). Clarified AWS is not used in production (optional/unused integration). Updated compliance matrix and retention table.	GTM, Google Ads, Microsoft UET (added)	Pending

Note: All future changes will be logged here with 30 days advance notice to customers.

9. CONTACT INFORMATION

9.1 General Inquiries

For questions about this Subprocessor List:

Email: [email protected]
Subject: "Subprocessor Inquiry"
Response Time: 10 business days

9.2 Objections