Subprocessors
Third-party service providers that process data on behalf of Clinic OS Pro
Last Updated: December 25, 2025
Notification of Changes: We will provide at least 30 days' notice before adding new subprocessors. Subscribe to updates by emailing ben@wiebe-consulting.com with subject "Subscribe to Subprocessor Updates".
Current Subprocessors
| Subprocessor | Purpose | Location | Data Type | HIPAA | GDPR |
|---|---|---|---|---|---|
| Vercel Inc. | Application Hosting & CDN | United States | All application data in transit | Yes | Yes |
| Neon Inc. | PostgreSQL Database Hosting | United States (AWS us-east-1) | All stored data (encrypted at rest) | Yes | Yes |
| Twilio Inc. | SMS Messaging Service | United States | Phone numbers, SMS message content | Yes | Yes |
| Resend (or SendGrid) | Transactional Email Delivery | United States | Email addresses, email content | Yes | Yes |
| Stripe, Inc. | Payment Processing | United States | Billing information, payment methods | N/A | Yes |
| Google (OAuth) | Authentication Provider | United States | Email address, name, profile picture | N/A | Yes |
| Sentry | Error Monitoring & Logging | United States | Error logs, performance data (no PHI) | N/A | Yes |
EMR Integration Partners
When you connect your EMR to Clinic OS Pro, we establish a connection to sync patient data. These are not subprocessors (they process data for you, not us), but for transparency:
- WebPT - EMR for physical therapy practices
- Jane App - Practice management software
- Cliniko - Practice management software
- Kareo (Tebra) - Practice management and EHR
- SimplePractice - Practice management software
- TherapyNotes - Mental health EHR (if applicable)
Your use of these services is governed by your separate agreement with them. We only access data you authorize us to sync.
Due Diligence
Before engaging any subprocessor, we verify:
- Security certifications (SOC 2, ISO 27001, etc.)
- Data protection policies and practices
- HIPAA Business Associate Agreement availability (where PHI is involved)
- GDPR Data Processing Agreement availability (for EU data)
- Physical and technical security measures
- Incident response capabilities
Objection Process
Under our Data Processing Addendum, customers have the right to object to new subprocessors. The process is:
- We notify you at least 30 days before adding a new subprocessor
- You may object in writing with specific, reasonable grounds
- We will work with you to address concerns
- If concerns cannot be resolved, you may terminate the service
Data Location
All primary data processing occurs in the United States. We use US-based data centers for:
- Application hosting (Vercel - AWS regions)
- Database storage (Neon - AWS us-east-1)
- Backups (encrypted, US-based)
For customers requiring data localization, please contact us to discuss options.
Contact
For questions about our subprocessors:
Email: ben@wiebe-consulting.comSubject: "Subprocessor Inquiry"
Change Log
| Date | Change |
|---|---|
| Dec 25, 2025 | Initial subprocessor list published |
Document Version: 1.0
Last Reviewed: December 25, 2025