Subprocessor changes
We notify clinic subscribers at least 30 days before adding new subprocessors that process protected health information. Customers may object to a new subprocessor on reasonable grounds by emailing privacy@tarsi.ca.
| Subprocessor | Purpose | Country | Data Type |
|---|---|---|---|
| Supabase (AWS ca-central-1) | Database, Authentication, Storage | Canada (Montreal) | All PHI and personal information |
| Cloudflare | CDN, Pages hosting, Workers, R2 object storage | United States / Global edge | Metadata, treatment photos |
| Stripe | Payment processing, payouts, terminal payments | United States | Payment data (no PHI) |
| Resend | Transactional email delivery | United States | Name, email, appointment metadata |
| Anthropic | AI features (Claude API) | United States | Query context only (no PHI stored at Anthropic) |
This list is the public view of our subprocessor inventory and will be replaced or augmented by counsel-drafted data processing agreements (DPA) once the formal privacy program is in place. For the underlying signed agreements (BAA, DPA, SPA), contact legal@tarsi.ca.