Sub-processors
A "sub-processor" is a third-party service provider that Phiusion Labs uses to operate the Phiusion application. Sub-processors handle personal information only on Phiusion's instructions, under a written contract that includes the safeguards required by HIPAA (Business Associate Agreement, "BAA"), GDPR Art. 28 (Data Processing Agreement, "DPA"), and the equivalent provisions of PIPEDA, PHIPA, and Quebec Law 25.
This page lists every sub-processor Phiusion uses. It is updated each time a sub-processor is added, removed, or replaced. The list is in machine-readable form in content/legal/sub-processors.ts and is regenerated at every build; see §3 below for the per-vendor table.
1. Why we publish this list
GDPR Art. 28(2) and 28(4) require a processor to obtain the controller's authorisation before engaging a sub-processor and to inform the controller of any intended addition or replacement so that it can object; the controller is your practitioner for patient data and Phiusion for practitioner data. PIPEDA Schedule 1 Principle 4.8 (openness) and Quebec Law 25 art. 8 require equivalent transparency. HIPAA §164.314(a)(2)(i)(B) requires a business associate to flow the BAA obligations down to any subcontractor that handles protected health information. This page is the single public source.
2. Material-change notification
We notify customers about sub-processor changes on a two-tier basis:
- Routine changes that affect patient data, photos, or practitioner health-related data — adding a new sub-processor, replacing one, or materially changing the scope of an existing sub-processor's data access. We publish the change here and notify affected customers by in-app banner at least 15 days in advance. Controllers have the right under GDPR Art. 28(2) to object during the notice window; if an objection cannot be resolved, the affected service may be terminated without penalty under the Terms of Service §11.
- Emergency or risk-driven changes — vendor outage, vendor security incident, regulator order, vendor insolvency, or any other circumstance where waiting 15 days would create unacceptable risk to patient data or service continuity. We publish the change here as soon as practicable (typically within 24 hours of the change taking effect) and notify in-app concurrently. The change may take effect before notice is given. Controllers retain the right to object after the fact; where you object, we will work with you to either (i) revert if practicable, or (ii) provide a controller-led termination path for the affected service.
For sub-processors that handle only account, billing, or telemetry data (and never PHI), we update this page and note the change in /legal/changelog without a separate notice.
EU-based customers whose data is in scope of GDPR (which, in Phiusion's architecture, means data flowing through Universkin SAS) have the right under GDPR Art. 28(2) to object to a new sub-processor; instructions are in §6. Phiusion does not currently serve EU customers, so this right is theoretical for now but is preserved against any future change in business posture.
3. Current sub-processors
The table below lists every sub-processor in production as of the effective date in the frontmatter. Each entry includes the legal entity, the service it provides, the categories of data it handles, the storage region, the cross-border transfer mechanism, the BAA / DPA / DPF / TIA status, and a link to the vendor's own privacy policy.
| Vendor (legal entity) | Service | Data categories | Storage / HQ | Transfer mechanism | BAA | DPA | DPF | TIA |
|---|---|---|---|---|---|---|---|---|
| Supabase (Supabase, Inc.) | Database, Auth, Storage | account, health, photos | US / HQ US | SCCs | available | available | no | on file |
| Vercel (Vercel, Inc.) | Hosting, edge functions | account, health, telemetry | US / HQ US | SCCs | available | available | yes | on file |
| Anthropic — Claude (Anthropic, PBC) | LLM for skin overview regeneration | health | US / HQ US | SCCs | available | available | yes | on file |
| Stripe (Stripe, Inc.) | Payments | billing | US / HQ US | SCCs | unavailable | available | yes | on file |
| SendGrid — Twilio (Twilio Inc.) | Transactional email + CASL-compliant unsubscribe | account, comms | US / HQ US | SCCs | unavailable | available | yes | on file |
| AfterShip (AfterShip Limited) | Shipping tracking | account | US / HQ HK | SCCs | unavailable | available | n/a | on file |
| remove.bg — Kaleido AI (Kaleido AI GmbH) | Photo background removal | photos | EU / HQ AT | EU-internal | unavailable | available | n/a | n/a |
| Google Maps Platform (Google LLC) | Address autocomplete | account | US / HQ US | SCCs | not-applicable | available | yes | on file |
| Sentry (Functional Software, Inc.) | Error monitoring (post-scrub) | telemetry | US / HQ US | SCCs | available | available | yes | on file |
| Universkin SAS — SkinXS API (Universkin SAS) | AI skin analysis | health, photos | EU / HQ FR | EU-internal | available | available | n/a | n/a |
Column definitions
- Data categories — `account` (practitioner identity, login, contact), `billing` (Stripe customer ID, billing address), `health` (patient health background, skin assessment results), `photos` (frontal + profile facial photographs), `comms` (transactional emails and notifications), `telemetry` (aggregate analytics + error monitoring).
- Storage / HQ — the region where data is stored at rest, followed by the vendor's corporate headquarters.
- Transfer mechanism — `SCCs` = EU Standard Contractual Clauses; `EU-internal` = no cross-border transfer to a third country from the EU perspective; `BAA` = HIPAA Business Associate Agreement governs the relationship; `EU-US-DPF` = vendor is self-certified under the EU-US Data Privacy Framework; `PIPEDA-adequacy` = transfer (EU → Canada) covered by the European Commission's adequacy decision for Canadian commercial organizations subject to PIPEDA.
- BAA — `signed` (executed BAA on file); `available` (vendor offers a BAA on the appropriate plan but Phiusion has not yet signed at the time of this publication; see notes below); `not-applicable` (vendor does not handle PHI); `unavailable` (vendor does not sign BAAs; Phiusion routes around that vendor architecturally so that no PHI reaches it).
- DPA — `signed` / `available` / `not-applicable` / `unavailable`, with the same meanings.
- DPF — whether the vendor is self-certified under the EU-US Data Privacy Framework as of the effective date.
- TIA — whether Phiusion holds an internal Transfer Impact Assessment for the vendor (`on file` for every US-storage vendor handling personal data; `n/a` where no third-country transfer occurs).
Notes on the table
Several BAA statuses currently read available rather than signed. Those signings are scheduled for the Phase 4 launch gate; until then, Phiusion's clinical processing remains pre-production. The full procurement matrix, including monthly cost deltas, the signing process per vendor, and replacement plans for the vendors that do not sign BAAs, is filed at content/legal/internal/sub-processor-baa-verification.md and is available to regulators on request.
Three of the vendors with baa.unavailable status (Stripe, SendGrid via Twilio, AfterShip) are excluded from PHI paths by architectural design: Phiusion's request flow never sends patient identifiers, photos, health background, or assessment results to those vendors. Stripe sees only billing and shipping addresses for B2B orders; SendGrid sees transactional email metadata with opaque order IDs and no patient context; AfterShip sees shipping addresses and tracking numbers. If any future product change required a PHI path through one of those vendors, that vendor would be replaced before launch.
remove.bg also reads baa.unavailable and is the one exception to that design: it receives patient photographs for background removal. Full-face photographs are a HIPAA identifier in their own right, so this path carries PHI to a vendor that has not signed a BAA. The vendor is EU-based, the relationship is covered by a DPA, and the photographs are returned without retention; replacement of remove.bg with an in-network background-removal pipeline is a deferred work item and the open item on this list.
4. Cross-border transfer mechanisms
The mechanisms are distinct and not interchangeable. The table column "Transfer mechanism" identifies the primary mechanism for each leg. The detail below applies to every vendor in the table.
- Canada (Phiusion Labs) → EU (Universkin SAS, France): PIPEDA Schedule 1 Principle 4.1.3 contractual flowdowns in the Universkin DPA + BAA (see §5), together with the PHIPA and Quebec Law 25 requirements that apply when personal information is disclosed outside the province. The European Commission's adequacy decision for Canada covers the opposite direction (EU → Canadian organizations subject to PIPEDA); it is what lets Universkin return results to Phiusion without a further mechanism, and it is not itself a mechanism for sending data out of Canada.
- EU (Universkin SAS) → US sub-processors: Standard Contractual Clauses (Module 2 or Module 3 as appropriate), plus EU-US Data Privacy Framework self-certification where the vendor participates (see the DPF column), plus a per-vendor Transfer Impact Assessment on file. Supplementary measures per European Data Protection Board Recommendations 01/2020 are applied: encryption in transit and at rest, pseudonymisation of telemetry, and contractual challenge-and-notify obligations against third-country government access.
- Canada (Phiusion Labs) → US sub-processors: PIPEDA Schedule 1 Principle 4.1.3 contractual flowdowns ensuring a comparable level of protection. This is not the same mechanism as EU SCCs and is documented separately in each vendor agreement.
- UK → US sub-processors: UK International Data Transfer Agreement or the UK Addendum to EU SCCs.
- Switzerland → US sub-processors: Swiss Federal Data Protection and Information Commissioner ("FDPIC")-recognised SCCs or the Swiss extension of the EU-US DPF.
5. Platform-operator sub-processing — Universkin SAS
Universkin SAS, the French company that builds the application, runs SkinXS, and supplies the infrastructure on which the other sub-processors are layered, is the platform operator acting on Phiusion's behalf. The Business Associate Agreement and Data Processing Agreement between Phiusion Labs and Universkin SAS govern this relationship. They are filed internally and are available on request to regulators and to data subjects exercising access rights.
The BAA + DPA includes the France L34-1 CPCE / third-country disclosure clause described in content/legal/internal/d15-universkin-phiusion-intercompany-dpa-baa.md §X: Universkin commits to challenge, notify, and suspend compliance with any French or other third-country government access request directed at Phiusion-routed data, to the maximum extent permitted by French law.
6. Questions and objections
For questions about any sub-processor on this page, or to object to a planned addition (for EU customers exercising GDPR Art. 28(2)), write to:
- Privacy Officer (Phiusion Labs): Jonathan Garbutt, privacy@phiusionlabs.app
- Data Protection Officer (Universkin SAS, France): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com
The full table above is regenerated from content/legal/sub-processors.ts at every build. The typed source includes a notes field for each vendor (with cost-delta, replacement, and architectural-invariant notes) that is available to regulators on request but is not published on this page to keep the public surface compact.
7. Vendor privacy policies
| Vendor | Privacy policy URL |
|---|---|
| Supabase | https://supabase.com/privacy |
| Vercel | https://vercel.com/legal/privacy-policy |
| Anthropic | https://anthropic.com/legal/privacy |
| Stripe | https://stripe.com/privacy |
| SendGrid (Twilio) | https://www.twilio.com/legal/privacy |
| AfterShip | https://www.aftership.com/legal/privacy |
| remove.bg | https://www.remove.bg/privacy |
| Google Maps Platform | https://policies.google.com/privacy |
| Sentry | https://sentry.io/privacy |
| Universkin SAS | https://universkin.com/privacy |
For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Cookie & Tracking Notice, and the HIPAA Business Associate Agreement.