Last updated: 2026-05-02.
HealthDash relies on the following third-party service providers ("Subprocessors") to deliver the platform. Each is bound by a Business Associate Agreement (BAA) where it touches PHI, and by a Data Processing Addendum otherwise.

| Subprocessor | Role | Touches PHI? | BAA on file | Data location |
|---|---|---|---|---|
| DigitalOcean | Managed Postgres, Valkey, Spaces, App Platform | Yes | ✓ | USA (NYC) |
| Mailgun | Transactional email delivery | Yes (healthcare-tier domain only) | ✓ (signed 2026-05-01) | USA |
| Stripe | Payment processing (subscriptions) | No (PCI scope only) | N/A — DPA | Global |
| Authorize.net | Payment processing (storefronts) | No (PCI scope only) | N/A — DPA | USA |
| Cloudflare | TLS termination, DDoS mitigation, edge cache | In transit only (encrypted) | ✓ | Global |

Notification of changes

We notify Covered Entity Customers at least 30 days before adding any new Subprocessor that will touch PHI. Customers may object during that window per the BAA.