1. Overview
CliniqFlow engages subprocessors to host infrastructure, authenticate users, process payments, deliver email, perform AI inference, and monitor service health. We require subprocessors to handle data under contractual obligations appropriate to their role.
2. Current subprocessors
| Subprocessor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Database, authentication | Account and clinical records | Project region (typically US) |
| OpenRouter | AI documentation draft generation | Minimized clinical context (no direct identifiers in restricted mode) | United States |
| Razorpay | Subscription billing | Account and payment metadata | India |
| Zoho / SendGrid | Transactional email | Email addresses, message content | India / United States |
| Vercel | Application hosting | Request metadata, logs | United States / EU |
| Upstash | Rate limiting | IP address, request metadata | United States / EU |
| Sentry | Error monitoring | Error context (no patient content by design) | United States |
3. AI provider retention
We send the `X-OpenRouter-Data-Policy: deny` header with AI requests to request zero-retention processing. Provider and upstream model policies govern actual retention. We do not guarantee compliance. See AI Disclaimer.
4. Changes
We will update this page when we add or replace subprocessors. Material changes will be communicated to clinic customers with at least thirty (30) days' notice where feasible, consistent with our DPA.
