Coldstream Informatics

Subprocessors

The third-party services we rely on to run Coldstream, what each does, and where it processes data.

We use a small number of vetted service providers (“subprocessors”) to operate Coldstream. We share only the data each one needs, under contractual data-protection terms — Google under its Cloud Data Processing Addendum, and OpenAI under a business associate agreement (zero-retention).

Current subprocessors

| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Google Cloud / Firebase — storage | Database (Firestore), uploaded files, authentication | Canada — Montréal & Toronto (northamerica-northeast1 / 2) |
| Google Cloud — compute | Serverless functions + application hosting | United States (us-central1) |
| Google Vertex AI | AI processing of health information, under Google’s Cloud Data Processing Addendum | United States (us-east5 / us-central1) |
| OpenAI | AI processing (BAA in place) | United States |
| Stripe | Payment processing (cardholder data never touches our servers) | United States / global |

We restrict ourselves to HIPAA-eligible services and to providers that will contract for healthcare-grade data protection. See how this fits together in Data protection & residency.

Integrated, but not currently handling health information

These providers are integrated into the platform but are not currently used with patient health information. We would put the required agreements in place before any health data flows to them.

| Provider | Purpose | Status |
| --- | --- | --- |
| Deepgram | Speech-to-text for clinical dictation | Not in use with patient data; a business associate agreement would be signed before any such use. |
| Twilio | SMS / messaging | United States. Used for messaging features, not for clinical health records. |

Changes to this list

We’ll keep this page current. If we add or change a subprocessor that handles personal or health information, we’ll update this list. Customers who need advance notice of subprocessor changes can request it — see Compliance.

Last reviewed 2026-07-04 · Questions? contact@coldstream.info