
Sub-processor register

Every third-party service that processes customer data on our behalf, with the role each plays and a 30-day change notice before any new processor is added.

Last updated

A sub-processor is any third party we engage to process customer data on your behalf in the course of delivering the HASP platform. Our DPA commits us to giving you advance notice before this list changes.

30-day advance notice. Under DPA §5, HASP will notify customers at least 30 days before adding a new direct sub-processor or making a material change to an existing one. You can object during the notice period and we will work with you in good faith — see change notification and objections below.

PHI handling is not delegated. PHI de-identification, redaction, and re-identification are performed by HASP's own pipeline, built on Microsoft Presidio with healthcare-specific custom recognizers and running on Aptible-managed infrastructure inside the HASP compliance boundary. This is not a sub-processor relationship. Inference flows through the direct provider integrations listed below under HASP-direct BAAs, with PHI scrubbed before content leaves HASP's substrate.


AI inference providers (HASP-direct BAAs)

Where prompts and completions execute. PHI scanning and redaction occur before content leaves HASP's substrate for any inference provider; see PHI handling above.

Anthropic, PBC
  Purpose: Claude inference for chat, document analysis, AI Studio, Public API, and agent workflows; direct integration under HASP Healthcare BAA
  Data processed: De-identified prompt and completion content (PHI redacted by HASP before send)
  Location: United States

OpenAI
  Purpose: GPT inference as an alternative provider; direct integration under HASP Enterprise BAA
  Data processed: De-identified prompt and completion content (PHI redacted by HASP before send)
  Location: United States

Auxiliary AI services

Retrieval, document ingestion, and web search used by the AI surfaces. PHI is filtered before content reaches any of these, with one exception: Textract performs OCR on uploaded document images before redaction runs, so PHI may be present at that stage, and that processing is covered by the AWS BAA addendum.

Voyage AI
  Purpose: Document embeddings for retrieval-augmented generation (voyage-4 model)
  Data processed: Document text after PHI redaction
  Location: United States

Amazon Web Services (Textract)
  Purpose: OCR for scanned-document ingestion; under AWS BAA addendum
  Data processed: Uploaded document images and extracted text (PHI may be present pre-redaction)
  Location: United States

Tavily
  Purpose: Web search for AI responses; primary provider
  Data processed: Search queries only. HASP ensures no PHI is ever transmitted to this provider.
  Location: United States

Serper
  Purpose: Web-search retrieval; optional fallback provider
  Data processed: Search queries only. HASP ensures no PHI is ever transmitted to this provider.
  Location: United States
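The two egress rules on this page, redact-before-send for inference and embedding providers (PHI handling above) and no-PHI-at-all for the web-search providers in this table, are shown below as an added illustration. This is not HASP's pipeline code and does not use Presidio itself: it is a stdlib-only Python gate with Presidio-style pattern recognizers, where the entity names, the simplified regexes, the policy names "redact" and "block", and the sample clinical note are all constructed for the example.

```python
"""Fail-closed PHI egress gate (illustrative, stdlib only; not HASP's pipeline).

Two policies, matching the two classes of provider on this page:
  "redact": replace every detected PHI span with an entity placeholder, then send
            (inference and embedding providers, which receive de-identified text)
  "block":  refuse the call if anything at all is detected
            (web-search providers, which must receive no PHI)
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    entity: str
    start: int
    end: int
    text: str


# Pattern recognizers in the style of Presidio's PatternRecognizer (a regex, optionally
# anchored on a context word). Patterns are simplified for this example; a real
# deployment also needs NER-based recognizers for names and addresses.
RECOGNIZERS = {
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE_NUMBER": re.compile(r"(?<!\w)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    # Healthcare-specific custom recognizer (hypothetical): a medical record number
    # announced by a context word. Only group 1 (the identifier) is PHI; the label stays.
    "MRN": re.compile(r"\b(?:MRN|medical record(?: number)?)[:#\s]*([A-Z]?\d{6,10})\b", re.I),
}


def analyze(text: str) -> list[Finding]:
    """Run every recognizer and return non-overlapping findings in text order."""
    found = []
    for entity, pattern in RECOGNIZERS.items():
        for m in pattern.finditer(text):
            start, end = m.span(1) if m.lastindex else m.span()
            found.append(Finding(entity, start, end, text[start:end]))
    # When two recognizers fire on overlapping text, keep the earliest-starting,
    # longest span so redaction never leaves a partial identifier behind.
    found.sort(key=lambda f: (f.start, -(f.end - f.start)))
    merged: list[Finding] = []
    for f in found:
        if merged and f.start < merged[-1].end:
            continue
        merged.append(f)
    return merged


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding with <ENTITY>, working left to right."""
    parts, pos = [], 0
    for f in findings:
        parts.append(text[pos:f.start])
        parts.append(f"<{f.entity}>")
        pos = f.end
    parts.append(text[pos:])
    return "".join(parts)


def egress_gate(text: str, policy: str) -> tuple[bool, str, list[str]]:
    """Apply the policy to outbound text and return (allowed, payload, entities).

    Under "block" the payload is empty whenever anything was detected, so a caller
    that ignores the flag still cannot leak the original text; under "redact" the
    payload is the de-identified text.
    """
    findings = analyze(text)
    entities = sorted({f.entity for f in findings})
    if policy == "block":
        return (not findings, "" if findings else text, entities)
    if policy == "redact":
        return (True, redact(text, findings), entities)
    raise ValueError(f"unknown egress policy {policy!r}")


# Constructed sample clinical note for the demo; no real patient data.
SAMPLE_NOTE = ("Patient Jane Roe, MRN 00123456, DOB 04/12/1961, "
               "call 555-867-5309 re: SSN 123-45-6789.")

if __name__ == "__main__":
    ok, payload, ents = egress_gate(SAMPLE_NOTE, "redact")
    print("inference provider  ->", ok, ents, payload)
    ok, payload, ents = egress_gate("MRN 00123456 drug interactions", "block")
    print("web-search provider ->", ok, ents, repr(payload))
```

Note what the pattern-only gate misses: the patient name "Jane Roe" survives redaction because no regex recognizes it, which is the kind of entity Presidio covers with its NLP-based recognizers. A gate like this is a floor, not a substitute for that, and the "block" policy exists precisely because a single missed entity is unacceptable for a provider that may receive no PHI.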

Infrastructure

The compute, storage, and network underneath the substrate.

Aptible
  Purpose: Compliance substrate: managed PostgreSQL (compliance data planes) and application hosting (compute and network); HIPAA and SOC 2 substrate inheritance
  Data processed: Application data, per-org databases, audit infrastructure
  Location: United States (dedicated AWS)

Cloudflare
  Purpose: CDN, R2 object storage, DNS, SSL, and custom-domain routing (usehasp.run)
  Data processed: R2 stores app files, file attachments, backups, and org assets (PHI may be present when an org has PHI-mode enabled). CDN/edge nodes process request metadata only (IP, TLS handshake, User-Agent) and never see PHI in transit content.
  Location: Global edge; R2 buckets pinned to a customer-configurable region (US default; EU available on Enterprise)

Business operations

Billing, transactional email, and identity providers required to operate the Service.

Doppler
  Purpose: Secrets management: runtime configuration, encryption keys, third-party API credentials
  Data processed: Application secrets and configuration; no customer data, no PHI
  Location: United States

Stripe
  Purpose: Subscription billing, four-meter usage reporting, payment processing, Stripe Tax (US sales tax / EU VAT / UK VAT)
  Data processed: Customer billing metadata; no PHI
  Location: United States

Postmark
  Purpose: Transactional email delivery
  Data processed: Email addresses, transactional message content; no PHI
  Location: United States

WorkOS
  Purpose: SAML 2.0 SSO and SCIM provisioning (Business and Enterprise tiers)
  Data processed: Identity attributes, group memberships; no PHI
  Location: United States

Google, Microsoft
  Purpose: OAuth authentication (only when the Customer enables the corresponding sign-in)
  Data processed: Authentication identity attributes; no PHI
  Location: United States

Observability and analytics

Performance monitoring, error tracking, and consented product analytics. No PHI is processed; telemetry is scrubbed before it leaves the application.

Nightwatch
  Purpose: Application performance monitoring: job queue health, slow queries, scheduled commands, server metrics
  Data processed: Application telemetry; PHI scrubbed at source
  Location: United States

Sentry
  Purpose: Error tracking: backend exceptions and frontend JavaScript errors
  Data processed: Stack traces, error context; PHI scrubbed at source
  Location: United States

PostHog
  Purpose: Product analytics; loaded only when the end user consents via the cookie banner
  Data processed: Marketing-site and consented in-app behavior; no PHI
  Location: United States

How we notify you of changes

When this list changes, HASP follows the process committed in DPA §5:

  • Advance notice. At least 30 days before a new direct sub-processor is added or a material change is made to an existing one.
  • How notice is delivered. Direct email to the billing and security contacts on record for each Customer organization, plus a dated update to this page.
  • Inference-provider routing. When a new inference provider is added, the 30-day notice still applies. Customers on Business and Enterprise tiers can additionally restrict provider routing for their workloads via the org-level inference policy.

If you object to a new sub-processor

If a planned change is incompatible with your obligations or risk posture, you can object during the 30-day notice window:

  1. Reply to the change-notification email or write to [email protected] stating the specific sub-processor and your reasons.
  2. HASP will work with you in good faith to address the objection — including by adjusting the rollout, scoping the sub-processor away from your data, or identifying an alternative.
  3. If no acceptable alternative exists, you may terminate the affected portion of the Service in accordance with the Agreement, with no penalty for early termination tied to the objected sub-processor.

Cross-border data transfers

HASP and all listed sub-processors are headquartered in the United States. Where customer Personal Data is transferred outside the EEA or UK to a HASP sub-processor, HASP relies on the Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, supplemented by the technical and organizational measures documented in DPA §6 and on the Security page. See our GDPR posture for the Schrems II analysis applied to each relevant transfer.