Subprocessor List
Last updated May 30, 2026
This list describes third parties that process data on behalf of AdvisorCompass when providing the Service. Status reflects our internal vendor registry as of the date above. Share this page with customers during due diligence; it is not indexed by search engines.
Subprocessors
| Vendor | Service | BAA status | Notes |
|---|---|---|---|
Neon | PostgreSQL database (primary data store) | BAA signed | HIPAA enabled; application-layer encryption for designated fields. |
Google Cloud | Vision OCR; eligible cloud services | BAA signed | BAA accepted in GCP console; HIPAA-eligible services only. |
AWS | SES (newsletter / transactional email pipeline) | BAA signed | BAA accepted via AWS Artifact. |
AssemblyAI | Voice transcription | BAA signed | BAA executed before clinical transcription use. |
Google OAuth | Staff sign-in (workforce authentication) | Not required (documented) | Staff use Google accounts; no case ePHI in the IdP. Customers must require Google 2-Step Verification — see /onboarding#staff-sign-in. |
Vercel | Application hosting, serverless functions | Documented exception | No HIPAA BAA (Enterprise not purchased). Traffic transits Vercel; DB ePHI encrypted at rest elsewhere. |
UploadThing | File uploads (intake documents, attachments, images) | Interim / in review | No vendor HIPAA BAA. Default private ACL; HMAC-signed upload/download URLs; app auth before upload. GCS migration under consideration. |
OpenAI | Optional AI (transcript cleanup, PDF parsing, business cards) | BAA signed | API BAA signed 2026-05-30. Org org-9rQ0xSXXhhOFTRkEDTEUiH6H; Legacy Zero Data Retention on advisor compass project. OpenAI API (chat completions) only. |
Sentry | Error monitoring and performance traces | Interim / in review | No BAA today. sendDefaultPii: false; replay masking; 10% trace sampling. Revisit before large HIPAA deals. |
Vercel KV / Upstash | CRM contact search cache (name, email, phone, company names) | Interim / in review | ~60-minute TTL; CRM contact rows only — not client case ePHI. Encrypted database is source of truth. |
Customer SMTP | Per-organization outbound email | Not required (documented) | Configured by customer; customer’s vendor responsibility. |
Google Maps Platform | Geocoding, place photos | Not required (documented) | Addresses and place IDs only; no clinical narrative in API calls. |
Vercel Analytics / Speed Insights | Performance telemetry | Not required (documented) | Default page-view metrics only; no custom PHI events. |
Contact
Security Officer: Justin Durr — info@advisorcompass.ai