Sub-Processor Registry
Date: 2026-05-14 Source: Customer-facing BAA flow-down disclosure list.
Every vendor that touches PHI or platform data. Each row: Purpose · Data Type · Location · BAA Status · Renewal.
1. PHI-touching sub-processors
| Vendor | Purpose | Data Type | Location | BAA Status | Renewal |
|---|---|---|---|---|---|
| AWS | Compute, database, storage, secrets, audit retention, Bedrock executor | PHI (encrypted at rest + in transit) | us-east-2 (single-region ECS / RDS / S3; HIPAA-eligible) | Executed (account-level) | Auto-renews |
| AWS Bedrock | Claude executor invocation under AWS BAA boundary (AI chain: AWS Bedrock under BAA → Anthropic Claude Haiku 4.5 under BAA → Rōvn backend on ECS under BAA; Haiku 4.5 chosen for cost, latency and BAA chain) | PHI when workflow requires (BAA + ZDR) | us-east-2 | Executed (via AWS BAA) | Auto-renews |
| Anthropic | Claude model provider relationship via Bedrock + Opus 4.7 advisor beta tool | PHI when workflow requires (BAA + ZDR) | US (Anthropic-managed) | Executed | Annual |
| Persona | IAL2 identity verification | Identity documents (PII; non-clinical PHI minimal) | US | Executed | Annual |
| Checkr | Background checks | PII + background check data | US | Executed | Annual |
| WorkOS | Hospital SSO federation | Hospital user identity (no clinical PHI) | US | Standard BAA in MSA | Auto-renews |
| Drata | SOC 2 evidence platform | Metadata (no PHI in evidence by design) | US | Executed | Annual |
| Platform engineering partner (named under NDA) | Engineering services + compliance support | Platform code + ops access | United States | Engineering services agreement with BAA | Effective date available on request through diligence room access |
2. Non-PHI sub-processors
| Vendor | Purpose | Data Type | Location | BAA Status | Renewal |
|---|---|---|---|---|---|
| Cloudflare | Marketing site + product app static (Cloudflare Pages) | Public marketing content | Global | N/A, no PHI | n/a |
| Stripe | Billing | Billing metadata only (no PHI) | US | N/A, PCI-DSS compliant, no PHI | n/a |
| Sentry | Error tracking | Error frames (PHI scrubbed before send) | US | Scrubbing engaged; BAA TBD if PHI inadvertently observed | n/a |
| GitHub | Code hosting | Source code (no PHI) | US | N/A | n/a |
| Cal.com | Booking system for sales calls | Booking metadata (no PHI) | US/EU | N/A, no PHI | n/a |
| Twilio (via app/services/sms.py) | SMS notifications | Phone numbers + notification text (workflow events, no PHI) | US | Will execute BAA if SMS scope expands to include PHI | n/a |
3. Source authority adapters (not technically sub-processors: they're verification sources, but disclosed for transparency)
These are data sources Rōvn queries on behalf of customers rather than processors of customer data. PHI flows out of Rōvn to the source for verification; verified facts flow back. Rōvn runs 9 source adapters; the Status column below reflects the honest LIVE vs PARTIAL/TARGET state of each. Where an adapter is not live, manual primary source verification (PSV) is the fallback. The 9 adapters serve a coverage catalog of 43 roles × 51 jurisdictions (2,193 role/state coverage cells).
| # | Source adapter | Purpose | Data Type | Location | Status |
|---|---|---|---|---|---|
| 1 | NPDB (HRSA) | Practitioner data bank query | Practitioner data | US federal | LIVE |
| 2 | Nursys (NCSBN) | Nurse license + e-Notify subscription | License data | US | LIVE |
| 3 | NPPES | NPI registry lookup | Provider identity data | US federal | LIVE |
| 4 | DEA | DEA registration verification | Registration data | US federal | PARTIAL, source-access credential pending |
| 5 | FSMB | Federation of State Medical Boards | Physician board status | US | TARGET, source-access agreement pending |
| 6 | OIG LEIE | Federal exclusion check | Exclusion data | US federal | LIVE |
| 7 | SAM.gov | Federal sanction check | Sanction data | US federal | LIVE |
| 8 | State board of nursing | State license verification (non-Nursys states) | License data | Per-state US | PARTIAL, per-state agreements rolling out |
| 9 | Verifiable | State board federation | License data | US | PARTIAL, integration scaffolded |
These are not "sub-processors" in the HIPAA BAA flow-down sense (they don't process customer data on Rōvn's behalf). They are verification destinations. Rōvn maintains BAA-equivalent terms or data-use agreements per source authority.
4. Customer disclosure language (template)
Per customer BAA, the following disclosure is provided:
Rōvn engages the following sub-processors to perform services on customer's behalf. Customer is hereby notified of these sub-processors and acknowledges that Rōvn maintains a Business Associate Agreement (BAA) or equivalent with each PHI-touching sub-processor. Customer may request opt-out of specific sub-processors (subject to feasibility); please contact compliance@rovn.to.
[Insert PHI-touching sub-processor table from Section 1]
Rōvn will provide customer with 30 days' advance notice of any material change to the sub-processor list. Material changes include: (a) addition of a new PHI-touching sub-processor; (b) change in jurisdiction; (c) termination of a vendor BAA.
5. Quarterly review
Sub-processor list reviewed quarterly by founder + outside counsel. Changes are:
- Logged in hash-chained audit log
- Communicated to customers per Section 4 disclosure language
- Reflected in BAA_REGISTRY.md and this registry
End of sub-processor registry.