The authoritative real-time list of every third party that processes customer data on LouDNAi's behalf.
Updated within 5 business days of any change. Customers receive 30 days advance notice of new sub-processors via email and the customer portal. Subscribe below to receive notifications directly.
Notification commitments
Three commitments LouDNAi makes contractually under every Data Processing Agreement and Business Associate Agreement.
30-day advance notice
Before any new sub-processor begins processing customer data, LouDNAi gives all affected customers at least 30 days advance notice via email and the customer portal. Notice includes the new sub-processor's identity, role, region, and BAA / DPA status.
Right to object
Customers may object to a new sub-processor in good faith on documented privacy or security grounds. LouDNAi will work in good faith to address the objection — including offering a workaround, an alternative sub-processor, or termination of the affected services. See §05.
Real-time public list
This page is the authoritative list. Updated within 5 business days of any addition, removal, or material change. Quarterly compliance review on the 30th day of January, April, July, and October.
Subscribe to sub-processor change notifications
Get an email any time a sub-processor is added, removed, or materially changed. Procurement teams and security reviewers should subscribe whether or not LouDNAi is currently a vendor.
Active sub-processors
Organized by category. Each entry includes role, processing region, country of incorporation, data category processed, BAA status, DPA status, and date added. Entries marked "BAA: Yes" have a current Business Associate Agreement with LouDNAi for PHI workloads.
Cloud & infrastructure
3 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Amazon Web Services · AWS, Inc. | Primary cloud — compute, object storage, managed databases, networking, KMS. | us-east-1, us-west-2, eu-west-1 · HQ: USA | All customer production data, including PHI on healthcare engagements. Encrypted at rest with AES-256. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Cloudflare · Cloudflare, Inc. | CDN, DNS, WAF, DDoS protection, edge TLS termination. | Global edge · HQ: USA | Customer request metadata (IPs, request paths). No PHI or persistent customer data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Vercel · Vercel, Inc. | Static site hosting and edge functions for marketing site (loudnai.ai). | Global edge · HQ: USA | Public marketing-site analytics. No customer production data, no PHI. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
AI & ML providers
4 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Anthropic · Anthropic, PBC | Claude foundation models — primary reasoning and long-context workloads. | USA · HQ: USA | Customer prompts, model outputs. PHI workloads route only to BAA-eligible Claude API tier. Zero data retention configured. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| OpenAI · OpenAI, OpCo, LLC | GPT foundation models — tool-use, structured-output, and multimodal workloads. | USA · HQ: USA | Customer prompts, model outputs. PHI workloads route only to OpenAI Enterprise tier with BAA. Zero data retention configured. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Google Cloud Vertex AI · Google LLC | Gemini models for cost-optimized and multimodal inference. | us-central1 · HQ: USA | Customer prompts, model outputs. BAA available via Google Cloud HIPAA-eligible services for PHI workloads. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| OpenAI Embeddings · via OpenAI API | Text embeddings for retrieval and semantic search (text-embedding-3-large). | USA · HQ: USA | Document fragments for embedding. PHI embeddings only via Enterprise BAA tier. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Data stores
2 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Pinecone · Pinecone Systems, Inc. | Managed vector database — semantic retrieval index for non-PHI workloads. | us-east-1 (AWS) · HQ: USA | Embeddings of customer documents (vectors only, no source content). Per-tenant index isolation enforced. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| pgvector (self-hosted on AWS RDS) · PostgreSQL extension | Self-hosted vector store for PHI workloads and customers requiring data residency in LouDNAi-controlled VPC. | us-east-1 (AWS) · Software, no vendor | Embeddings of customer documents including PHI. Encrypted at rest via AWS RDS KMS. Per-tenant logical isolation. | Yes via AWS BAA | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Observability & monitoring
3 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Langfuse · Langfuse GmbH | LLM observability — agent traces, prompt/response logging, eval harness. | eu-central-1 (cloud) or self-hosted in LouDNAi VPC · HQ: Germany | Agent traces, prompt/response pairs, evaluation results. PHI workloads use self-hosted deployment in LouDNAi VPC; no PHI ever sent to Langfuse Cloud. | Self-host only | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Datadog · Datadog, Inc. | Infrastructure monitoring, APM, log aggregation, alerting. | us1.datadoghq.com · HQ: USA | Infrastructure metrics, application logs (with PHI scrubbing). Audit logs of system access. PII redacted before ingestion. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Sentry · Functional Software, Inc. | Application error tracking and exception monitoring. | USA · HQ: USA | Error stack traces and exception metadata. PII / PHI scrubbing enabled at ingestion. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Authentication & identity
2 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| WorkOS · WorkOS, Inc. | Customer SSO, SAML, SCIM provisioning. Enterprise identity layer. | USA · HQ: USA | Customer admin and end-user identity (name, email, role). No customer business data. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| 1Password · AgileBits, Inc. | Workforce password manager and secrets vault. | USA / Canada · HQ: Canada | Workforce credentials only. No customer data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Communications
2 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Postmark · Wildbit, LLC | Transactional email — system notifications, password resets, customer alerts. | USA · HQ: USA | Customer admin email addresses, system event metadata. No PHI in email content under any circumstance. | No PHI | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Twilio · Twilio, Inc. | Outbound SMS and voice for customer-facing agents (Site Voice, Schedule Sentinel). | USA · HQ: USA | Customer end-user phone numbers, SMS / voice content. PHI workloads route only to Twilio HIPAA-eligible products with executed BAA. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Billing & finance
2 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Stripe · Stripe, Inc. | Card and ACH payment processing for customer billing. | USA · HQ: USA | Customer billing contact, payment method, transaction history. No customer business data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| QuickBooks Online · Intuit Inc. | Invoicing, accounts receivable, bookkeeping for LouDNAi internal finance. | USA · HQ: USA | Customer billing entity name, invoice line items, AR aging. No customer business data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
GRC & security tools
2 active

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| Vanta · Vanta, Inc. | SOC 2 GRC platform — continuous control monitoring, evidence collection, auditor coordination. | USA · HQ: USA | Workforce identity, infrastructure config metadata, control evidence. No customer business data, no PHI. | Yes | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Snyk · Snyk Limited | Software composition analysis (SCA) and static analysis (SAST) on the LouDNAi codebase. | USA / EU · HQ: UK | Source code metadata and dependency manifests. No customer data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Internal tooling
5 active · disclosed for transparency

| Sub-processor | Role | Region · HQ | Data category | BAA | DPA | Since · last reviewed |
|---|---|---|---|---|---|---|
| GitHub · GitHub, Inc. (Microsoft) | Source code management and CI/CD. | USA · HQ: USA | LouDNAi source code, deployment metadata. No customer data. | N/A | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Google Workspace · Google LLC | Workforce email, calendar, drive. Internal collaboration only. | USA · HQ: USA | Workforce communications. Customer-facing communications only by exception (sales conversations, contract email). PHI never transmitted via email. | Yes via Workspace HIPAA | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Notion · Notion Labs, Inc. | Internal documentation and knowledge base. | USA · HQ: USA | Internal LouDNAi documentation. Customer information limited to entity name, contract status. No PHI. | No PHI | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Linear · Linear Orbit, Inc. | Engineering project management and issue tracking. | USA · HQ: USA | Engineering tasks, internal bug reports. Customer issue context limited to non-PHI summaries. | No PHI | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
| Slack · Slack Technologies, LLC (Salesforce) | Internal team communication. | USA · HQ: USA | Workforce communications. Customer entity names only. No PHI, no customer business data, no credentials. | Yes via Enterprise Grid | Yes | Since Apr 2026 · Reviewed Apr 30, 2026 |
Sub-processor change history
Material additions, removals, and changes to the sub-processor list. Each entry is dated and tagged. Customers receive email notification of changes per the commitments in §02.
Future entries will document each material change with date, change tag (Added / Removed / Updated), sub-processor name, and brief description.
Right to object to a new sub-processor
Customers may object to a new sub-processor on documented privacy or security grounds. The process below operationalizes the right and is incorporated into the LouDNAi Data Processing Agreement.
How to file an objection
Step 1. Within 30 days of LouDNAi's notice of the new sub-processor, send a written objection to legal@loudnai.ai. The objection must state the privacy or security grounds, reference the affected sub-processor, and identify the LouDNAi services impacted.
Step 2. Within 10 business days, LouDNAi will respond with one of: (a) a workaround that addresses the objection while retaining the sub-processor, (b) an alternative sub-processor that meets the customer's requirements, or (c) confirmation that no remediation is feasible.
Step 3. If no resolution is reached within 30 days of LouDNAi's response, the customer may terminate the affected services without penalty, with prorated refund of pre-paid fees for the affected period.
Step 4. All objections, responses, and resolutions are documented and made available to the customer's legal team on request.
Objection rights apply to new sub-processors. Objections to currently active sub-processors at the time of contract signing should be raised during initial DPA negotiation, not via this process.
Definitions
Plain-language definitions of the terms used on this page. The legal definitions in the LouDNAi MSA, DPA, and BAA control where there is any conflict.
Third party processing customer data on LouDNAi's behalf
Any third-party service provider engaged by LouDNAi that processes personal data, customer business data, or PHI on behalf of LouDNAi customers. Excludes vendors that do not access customer data (e.g., office utilities).
Business Associate Agreement
A HIPAA-required contract between LouDNAi and a sub-processor that handles Protected Health Information (PHI) on LouDNAi's behalf. Required of every sub-processor in the chain that touches PHI.
Data Processing Agreement
A GDPR-grade contract governing the processing of personal data, including obligations on confidentiality, sub-processing, security measures, and customer rights. Executed with every sub-processor that processes any personal data.
Protected Health Information
Individually identifiable health information defined under HIPAA at 45 CFR § 160.103. Includes patient identifiers tied to health status, care, or payment.
Non-personal customer information
Customer-uploaded documents, configurations, agent outputs, and operational data. May include personal data of the customer's end users (employees, patients, clients) — handled per the DPA and, where PHI is involved, the BAA.
Processing region · entity headquarters
The region where the sub-processor processes data on LouDNAi's behalf, and the country of incorporation of the sub-processor entity. Both matter for cross-border transfer analysis.
BAA not applicable
The sub-processor does not process PHI under any LouDNAi engagement. A BAA is not required because no PHI flows to this sub-processor.
Conditional BAA via self-hosted deployment
For PHI workloads, this sub-processor's software is deployed inside LouDNAi's VPC (under the AWS BAA), not as a managed service. The vendor itself does not see PHI.