Subprocessors

Third-party providers that process data on behalf of Scribe Mutual.

Draft status: This list is a draft pending counsel review and finalization of subprocessor agreements. Specific provider names (particularly generative AI vendors) will be confirmed prior to publication.

Scribe Mutual uses the third-party providers listed below to deliver the Scribe Mutual application and marketing website. Where a provider may handle Protected Health Information ("PHI") on behalf of a Customer, Scribe Mutual engages that provider under a Business Associate Agreement ("BAA"). Other providers are engaged under data processing or service agreements appropriate to the data they handle.

This page is the source of truth referenced by the Privacy Policy, Terms of Service, EULA, and BAA. We update it when material changes occur.

Application subprocessors

These providers may process Customer data, including PHI, in connection with the Scribe Mutual application.

Subprocessor Purpose Processing region BAA
Amazon Web Services (AWS) Cloud infrastructure and managed services supporting hosting, storage, key management, identity, transactional email, and AI/ML processing United States Yes
Generative AI providers AI-assisted documentation drafting United States Yes (where PHI is processed)
Stripe Subscription billing and payment processing United States N/A — Stripe does not receive PHI

Marketing website subprocessors

These providers support scribemutual.com only. The marketing website is not designed to receive PHI, and the providers below do not process PHI.

Subprocessor Purpose Processing region
Netlify Website hosting and form submission delivery United States
Google Analytics 4 Aggregate website analytics United States / global per provider

Optional integrations

These providers process Customer data only when a Customer enables the corresponding integration.

Subprocessor Purpose BAA / DPA
Customer-designated email or messaging providers Patient notifications via email or SMS, when configured by the Customer Engaged as required by the integration
Customer-designated calendar providers (e.g., Google Calendar, Microsoft 365) Calendar integration, when enabled by the Customer Engaged as required by the integration

How we manage subprocessors

  • Providers are reviewed before engagement under our third-party security review process.
  • Providers that may handle PHI are engaged under BAAs that flow down HIPAA obligations consistent with 45 C.F.R. § 164.502(e).
  • We restrict providers to the categories of data necessary for their role and apply contractual confidentiality and security obligations.

Notice of changes

We update this page when we add, remove, or replace a material subprocessor. For Customers with executed agreements that include subprocessor-change notice requirements, we provide notice consistent with those agreements.

AI transparency

Where artificial intelligence and machine learning components are used to process Customer data:

  • AI outputs are clinician-assistive drafts only and require clinician review before reliance.
  • Identified PHI is not used to train or fine-tune third-party foundation models.
  • De-identified or aggregated data may be used for service quality, reliability, safety, and AI evaluation, consistent with 45 C.F.R. § 164.514, as described in the Privacy Policy.

General privacy and subprocessor inquiries: privacy@scribemutual.com

Legal inquiries: legal@scribemutual.com

Scribe
Mutual