We use a small number of vetted service providers (“subprocessors”) to operate Coldstream. We share only the data each one needs, under contractual data-protection terms — Google under its Cloud Data Processing Addendum, and OpenAI under a business associate agreement (zero-retention).
Current subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud / Firebase — storage | Database (Firestore), uploaded files, authentication | Canada — Montréal & Toronto (northamerica-northeast1 / 2) |
| Google Cloud — compute | Serverless functions + application hosting | United States (us-central1) |
| Google Vertex AI | AI processing of health information, under Google’s Cloud Data Processing Addendum | United States (us-east5 / us-central1) |
| OpenAI | AI processing (BAA in place) | United States |
| Stripe | Payment processing (cardholder data never touches our servers) | United States / global |
We restrict ourselves to HIPAA-eligible services and to providers that will contract for healthcare-grade data protection. See how this fits together in Data protection & residency.
Integrated, but not currently handling health information
These providers are integrated into the platform but are not currently used with patient health information. We would put the required agreements in place before any health data flows to them.
| Provider | Purpose | Status |
|---|---|---|
| Deepgram | Speech-to-text for clinical dictation | Not in use with patient data; a business associate agreement would be signed before any such use. |
| Twilio | SMS / messaging | United States. Used for messaging features, not for clinical health records. |
Changes to this list
We’ll keep this page current. If we add or change a subprocessor that handles personal or health information, we’ll update this list. Customers who need advance notice of subprocessor changes can request it — see Compliance.