Privacy PolicyTerms of Service

Copyright © Advisor Compass

Subprocessor List

Last updated May 30, 2026

This list describes third parties that process data on behalf of AdvisorCompass when providing the Service. Status reflects our internal vendor registry as of the date above. Share this page with customers during due diligence; it is not indexed by search engines.

← Security overview

Subprocessors

VendorServiceBAA statusNotes

Neon

PostgreSQL database (primary data store)

BAA signed

HIPAA enabled; application-layer encryption for designated fields.

Google Cloud

Vision OCR; eligible cloud services

BAA signed

BAA accepted in GCP console; HIPAA-eligible services only.

AWS

SES (newsletter / transactional email pipeline)

BAA signed

BAA accepted via AWS Artifact.

AssemblyAI

Voice transcription

BAA signed

BAA executed before clinical transcription use.

Google OAuth

Staff sign-in (workforce authentication)

Not required (documented)

Staff use Google accounts; no case ePHI in the IdP. Customers must require Google 2-Step Verification — see /onboarding#staff-sign-in.

Vercel

Application hosting, serverless functions

Documented exception

No HIPAA BAA (Enterprise not purchased). Traffic transits Vercel; DB ePHI encrypted at rest elsewhere.

UploadThing

File uploads (intake documents, attachments, images)

Interim / in review

No vendor HIPAA BAA. Default private ACL; HMAC-signed upload/download URLs; app auth before upload. GCS migration under consideration.

OpenAI

Optional AI (transcript cleanup, PDF parsing, business cards)

BAA signed

API BAA signed 2026-05-30. Org org-9rQ0xSXXhhOFTRkEDTEUiH6H; Legacy Zero Data Retention on advisor compass project. OpenAI API (chat completions) only.

Sentry

Error monitoring and performance traces

Interim / in review

No BAA today. sendDefaultPii: false; replay masking; 10% trace sampling. Revisit before large HIPAA deals.

Vercel KV / Upstash

CRM contact search cache (name, email, phone, company names)

Interim / in review

~60-minute TTL; CRM contact rows only — not client case ePHI. Encrypted database is source of truth.

Customer SMTP

Per-organization outbound email

Not required (documented)

Configured by customer; customer’s vendor responsibility.

Google Maps Platform

Geocoding, place photos

Not required (documented)

Addresses and place IDs only; no clinical narrative in API calls.

Vercel Analytics / Speed Insights

Performance telemetry

Not required (documented)

Default page-view metrics only; no custom PHI events.

Contact

Security Officer: Justin Durr — info@advisorcompass.ai