Current Subprocessors and Service Providers
This table is intentionally conservative. Deployment-specific agreements, regions, and provider contracts may narrow or expand the list for a particular customer.
| Provider | Role | Data involved | PHI status | Notes |
|---|---|---|---|---|
| OpenAI | Model answer generation and search representations where enabled | Prompts, cited source passages, outputs, search representations, metadata depending on route | PHI only under approved BAA-covered configuration | Do not route PHI unless contract and endpoint configuration are approved |
| Amazon Web Services or S3-compatible storage provider | Hosting, storage, infrastructure, object storage, backups | Uploaded documents, index artifacts, logs, application data depending on deployment | PHI only under approved deployment | Provider and region may vary by deployment |
| Vercel | Frontend hosting and edge delivery where used | Frontend delivery data, logs, request metadata | Not approved for PHI unless specifically reviewed and contracted | PHI payloads should not be sent to frontend logs |
| Railway | Backend hosting where used | API/runtime logs, application processing depending on deployment | Not approved for PHI unless specifically reviewed and contracted | Usage may vary by environment |
| Stripe | Billing and payment processing | Billing contact info, payment metadata, invoice details | No PHI should be submitted | Payment processor |
| Email and support providers | Support and transactional email | Contact details, support communications | No PHI unless specifically approved | Users should not include PHI in support tickets |
| Monitoring and logging providers | Error monitoring, uptime, security logs | Logs, error reports, request metadata | No PHI unless specifically approved and scrubbed | Configure scrubbing and retention |
Subprocessor Change Notices
For enterprise customers with signed agreements requiring notice, we will provide notice of new subprocessors according to the applicable agreement. Customers may object to a new subprocessor as provided in their agreement.
Deployment-Specific Subprocessors
A customer's actual subprocessor list may differ based on:
- Public website vs. authenticated app.
- Trial vs. enterprise deployment.
- PHI-off vs. PHI-enabled workspace.
- Cloud-hosted vs. private deployment.
- Enabled features such as SSO, support, analytics, logging, and model routing.
For a deployment-specific list, contact legal@surgic.ai.