Skip to content
TherapyTracked
  • Features
  • Pricing
  • Security
  • About
Log in Request access
← Security & Trust
Legal & trust

Subprocessors

Last updated 2026-07-05 Version 1.1

A subprocessor is any third party we engage that may create, receive, maintain, or transmit protected health information (PHI) on our behalf. Under the HIPAA "chain of assurances," we obtain a signed Business Associate Agreement (BAA) from every such subprocessor before it handles PHI. A vendor that provably cannot access PHI is listed here for transparency but is not, strictly, a PHI subprocessor.

Subprocessors that handle or are covered for PHI

SubprocessorPurposeLocationPHIAssurance
Amazon Web Services Cloud infrastructure: database, encrypted document storage, secrets, logging, and transactional email (Amazon SES). United States Yes — hosts all PHI AWS BAA signed
Google Workspace Our own internal company email and documents. Policy is that customer PHI never enters Workspace. United States No customer PHI Google Workspace BAA in place (belt-and-suspenders)

Vendors that are not PHI subprocessors

These vendors support the business but do not receive customer PHI:

VendorPurposeWhy no PHI
Stripe Subscription billing and payments. Billing data only (practice name, email, plan). No patient data is ever sent to Stripe, so a BAA is not required.
Amazon SES (AWS) Transactional email — login codes, invitations, and reminder digests. Messages carry no PHI (digests are counts only); covered by the AWS BAA regardless.
GitHub Source-code hosting and CI. The repository holds code and synthetic fixtures only — never PHI.
Notion Internal business and compliance documentation. Business documents only — never PHI.
Sentry Application error monitoring. Currently not enabled in any environment. If ever enabled in a PHI environment, it is gated on a written no-PHI determination or a BAA first.
Your SSO identity provider Authentication assertions, if your practice uses SSO. Belongs to you; it supplies an identity assertion and receives no PHI from us.

Change notification

When we add, remove, or materially change a PHI subprocessor, we will:

  • Update this page before the new subprocessor processes any PHI;
  • Obtain the subprocessor's BAA (or a written no-PHI determination) first; and
  • Notify affected practices per the mechanism and window in each executed BAA — the executed BAA controls.

Review cadence

On any subprocessor change, and at least annually, the Security Official re-verifies each entry: the BAA is still in force, the service is still HIPAA-eligible and configured per guidance, and the PHI-exposure classification and data location are still accurate.


Not legal advice. This register reflects the Company's good-faith determinations as of the date above and is pending vCISO / counsel validation. Where an executed customer BAA imposes stricter subprocessor terms, the BAA controls. Questions: security@therapytracked.com.

TherapyTracked

TherapyTracked, LLC. HIPAA-compliant compliance tracking for therapy practices — behavioral, physical, occupational, and speech. This site never stores patient data.

Product

  • Features
  • Pricing
  • Security & Trust
  • Request access

Company

  • About
  • Contact
  • Log in

Legal & trust

  • Security Overview
  • Subprocessors
  • Privacy Policy
  • Terms of Service
© 2026 TherapyTracked, LLC. All rights reserved.