AdaptivMapr engages a small set of carefully-selected vendors (“subprocessors”) to deliver the Services. This page lists every vendor that processes customer data — what they do, where the data lives, and the legal posture (BAA, DPA, or scope exclusion) we rely on. The list is referenced from the AdaptivMapr DPA, Security overview, and Privacy Policy.
1. Current subprocessors
| Vendor | Role | Region / data residency | BAA / DPA status |
|---|---|---|---|
| Cloudflare | Workers compute (API + dashboard), KV (rate-limit counters, statistics cache), R2 (asset storage), Analytics Engine, DNS, DDoS protection, edge cache | Global PoPs (per-customer region selectable on Cloudflare Enterprise) | BAA available on Cloudflare Enterprise (commitment — see deploy notes) |
| Supabase | Postgres database (authentication, sessions, rate-limit ledger, audit log, upload metadata) + Auth | US or EU per project (Ireland by default for EU workloads) | HIPAA add-on on Supabase Teams / Enterprise (commitment — see deploy notes) |
| phi-cloud | Layer-5 LLM provider for full-data mode (PHI-aware OpenAI-compatible gateway) | Per X-Region header — CH-resident, EU-resident, or US-resident BAA-covered models | BAA in place with model providers (commitment — see deploy notes) |
| Stripe | Subscription billing, payment processing, invoice flow, customer-portal sessions | Ireland (with US affiliate) | Out of PHI scope — no clinical data flows through billing. DPA and Standard Contractual Clauses in place via Stripe. |
| SMTP / transactional email | Magic-link sign-in, billing receipts, usage alerts, dunning notices | Per configured provider (Postmark, SendGrid, AWS SES, Cloudflare Workers Email) | Scoped to non-PHI content; no patient-identifying data in transactional email |
2. Deploy-side commitments
Rows flagged (commitment — see deploy notes) describe the contractual posture AdaptivMapr commits to when running the Services for an operator. The actual coverage depends on the operator having executed the relevant upstream agreement — for example:
- Cloudflare BAA. Cloudflare offers a HIPAA Business Associate Agreement on its Enterprise plan. AdaptivMapr will not process PHI through Cloudflare Workers, KV, R2, or Analytics Engine unless the operator's Cloudflare account is on Enterprise with a signed BAA covering the relevant services.
- Supabase HIPAA add-on. Supabase offers HIPAA-eligible hosting on Teams and Enterprise tiers with a signed BAA. The AdaptivMapr Supabase project must be configured against a BAA-covered Supabase organization before any PHI can be persisted to account metadata or audit logs.
- phi-cloud BAA chain. phi-cloud holds BAAs with each downstream LLM provider in its region matrix (CH-resident inference, EU-resident inference, US-resident BAA-covered models). AdaptivMapr inherits this chain when full-data mode routes through phi-cloud under the operator's active AdaptivMapr subscription.
If you are evaluating AdaptivMapr for a HIPAA-regulated workload, request the deployment certificate at compliance@adaptivmapr.com — it documents which of the above upstream commitments are active for your deployment.
3. Notice of new or replaced subprocessors
Updates to this list are notified to customers under signed BAA at least 30 days in advance of taking effect. You may object to a new subprocessor in writing within 30 days of the notice on reasonable data-protection grounds; if we cannot resolve the objection in good faith, you may terminate the affected portion of the Services without penalty and receive a pro-rata refund of any prepaid fees.
To subscribe to subprocessor change notifications, email compliance@adaptivmapr.com with your workspace name and a contact address.
4. Out of scope
The following providers handle AdaptivMapr operational data but do not process customer-submitted records or PHI, and are not subprocessors within the meaning of GDPR Art. 28 or the HIPAA Rules:
- Source control and CI/CD — GitHub, used for the AdaptivMapr source tree and build pipelines. No customer data.
- Error reporting — Cloudflare Workers logs and structured request tracing. IP addresses are truncated at the edge before they reach application logs; row content is never logged.
- Status page —
status.adaptivmapr.comfor incident and maintenance notifications.
5. Contact
Compliance and subprocessor questions: compliance@adaptivmapr.com. Data-protection requests: dpo@adaptivmapr.com. Security disclosures: security@adaptivmapr.com.