Security · Subprocessors

Every third party. Listed. Updated as we add or change them.

A subprocessor is any third party that processes data on our behalf. Below is the current list, what each one does, what data it sees, where it operates, and the data-processing agreement that governs the relationship. We update this list when we add, change, or remove a subprocessor.

Back to Security

Current subprocessors

Three today. All US-based.

Cloudflare, Inc.

Purpose

Static site hosting (Cloudflare Pages), content delivery network, DDoS protection, anonymized Web Analytics, and DNS.

Data types

Public site request metadata. IP address (truncated within 24 hours). No cookies, no fingerprinting, no third-party trackers.

Location

Global edge network. Primary US data centers.

DPA

Cloudflare Data Processing Addendum (publicly available).
Stripe, Inc.

Purpose

Payment processing for paid HCBS.AI subscriptions.

Data types

Card data (held by Stripe under PCI-DSS, never transmitted to HCBS.AI), billing name, billing email, transaction status.

Location

United States.

DPA

Stripe Data Processing Addendum (publicly available).
Email delivery provider

Purpose

Transactional email (account verification, password reset, receipts) and Daily Brief delivery.

Data types

Email address, subject line, message body, send status. Disclosed on request to BAA-eligible parties.

Location

United States.

DPA

Provider-standard Data Processing Addendum.

Our subprocessor commitments

How we vet, contract, and notify.

Vetting. Every subprocessor passes a security and contractual review before we share any customer data with them. SOC 2 Type II or equivalent is the baseline; we document the assessment.
Contracting. Every subprocessor is bound by a Data Processing Addendum incorporating GDPR Article 28 obligations, plus HIPAA Business Associate Agreement provisions where the subprocessor touches PHI.
Notification. We notify customers at least thirty days before adding or changing a subprocessor that processes their data. Subscribe to updates by emailing wecare@hcbs.ai .
PHI subprocessors. Subprocessors that handle Protected Health Information are disclosed under BAA to the covered entity. We never expand PHI access to a new subprocessor without your written consent.

The contract

You take care of the people. We take care of the rest.

Tell us about your agency. Nine short questions, four minutes. You walk away with your agency snapshot, your income projection, your state-specific regulatory primer, and tomorrow's brief at 6 AM.

See what changes Talk to a human

Direct: hello@hcbs.ai wecare@hcbs.ai

Every third party. Listed. Updated as we add or change them.

Cloudflare, Inc.

Stripe, Inc.

Email delivery provider

How we vet, contract, and notify.

You take care of the people. We take care of the rest.