Rōvn · Investor Room

Diligence notice: working state of Rōvn as of 2026-06-24 · Pre-launch by design · See 09 for receipts

Sub-Processor Flow-Down

Date: 2026-05-14

This document describes the cascade by which a customer-facing BAA flows down through every Rōvn vendor that touches PHI. Diligence-grade.


1. The flow-down chain

    ┌────────────────────────────────────────────────┐
    │  Customer facility                             │
    │  (signs Rōvn Customer BAA + MSA)               │
    └─────────────────┬──────────────────────────────┘
                      │
                      │ Customer authorizes Rōvn to engage
                      │ sub-processors disclosed in BAA
                      │
                      ▼
    ┌────────────────────────────────────────────────┐
    │  Rōvn, Inc. (Delaware C-Corp)                  │
    │  (Business Associate to customer)              │
    └─────────────────┬──────────────────────────────┘
                      │
                      │ Rōvn Vendor BAAs (sub-BAAs)
                      │
   ┌──────────────────┼──────────────────────────┬─────────────────────────┐
   │                  │                          │                         │
   ▼                  ▼                          ▼                         ▼
┌──────┐         ┌──────────┐              ┌─────────┐              ┌──────────┐
│ AWS  │         │ Anthropic│              │ Persona │              │ Checkr   │
│ BAA  │         │ BAA + ZDR│              │ BAA     │              │ BAA      │
└──────┘         └──────────┘              └─────────┘              └──────────┘

   ┌──────────────────┬──────────────────────────┬─────────────────────────┐
   │                  │                          │                         │
   ▼                  ▼                          ▼                         ▼
┌──────────┐     ┌─────────────┐           ┌──────────────────────┐   ┌───────────────┐
│ WorkOS   │     │ Drata       │           │ platform eng. partner│   │ Sub-processors│
│ BAA terms│     │ BAA         │           │ Eng SA + BAA         │   │ (Sentry PHI-  │
│ in MSA   │     │             │           │                      │   │  scrubbed; no │
└──────────┘     └─────────────┘           └──────────────────────┘   │  BAA needed)  │
                                                                      └───────────────┘

2. Cascade enforcement mechanics

Customer-side

  1. Customer reviews Rōvn's published sub-processor list (05_security/SUB_PROCESSOR_REGISTRY.md)
  2. Customer signs Rōvn Customer BAA
  3. Customer BAA includes a sub-processor flow-down clause that:
     - Names the current sub-processor list
     - Requires Rōvn to maintain BAA-equivalent terms with each
     - Provides 30 days' advance notice of material sub-processor changes
     - Allows customer to request opt-out of specific sub-processors (subject to feasibility)

Rōvn-side

  1. Rōvn maintains BAA with every PHI-touching vendor (see 04_compliance/BAA_REGISTRY.md)
  2. Each vendor BAA includes:
     - PHI handling requirements consistent with the Customer BAA
     - Breach notification obligations
     - Subcontractor (sub-sub-processor) flow-down
  3. Annual vendor BAA review by founder + outside counsel
  4. New vendor onboarding gated on BAA execution before any PHI flow

Vendor-side

  1. Each Rōvn vendor maintains its own BAA cascade to its sub-processors
  2. Notable: AWS sub-cascade includes all AWS-internal sub-processors covered under AWS BAA
  3. Notable: Anthropic BAA covers Anthropic-internal model serving and storage; the zero-data-retention (ZDR) posture means prompts and outputs are not retained by Anthropic after the request completes

3. Material change protocol

A "material change" to the sub-processor list triggers customer notification:

  Change type                              Notification window
  ---------------------------------------  --------------------------------------------------------------
  New PHI-touching sub-processor added     30 days advance
  Sub-processor jurisdiction change        30 days advance
  Vendor BAA termination                   Immediate (and immediate cessation of PHI flow to that vendor)
  Vendor name change / acquisition         Within 30 days post-event

4. Opt-out mechanics

Customer may request opt-out of specific sub-processors:

  • AWS: No opt-out possible (foundational infrastructure)
  • Anthropic: Opt-out possible by disabling AI-assisted workflows; customer experience degrades but no PHI flows to Anthropic
  • Persona: Identity verification is workflow-required; opt-out not feasible without alternative arrangement
  • Checkr: Background checks are workflow-required; alternative arrangement on case basis
  • WorkOS: SSO is configurable per-hospital; customer can use legacy auth path if WorkOS not desired
  • Drata: Internal compliance evidence; no customer-side opt-out applicable
  • Sentry / CloudWatch: Application observability; opt-out not feasible

5. Sub-processor list at signing (frozen reference)

The sub-processor list at customer BAA signing is captured by:

  1. Hash-chained audit log entry
  2. PDF snapshot stored in S3 audit bucket
  3. Email copy sent to customer compliance officer

This snapshot is the diligence record for what the customer agreed to at signing.
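The hash-chained entry above is what makes the frozen reference tamper-evident rather than just stored. The following is an added illustration, not Rōvn's audit-log code: the entry schema, the customer id, the vendor role labels and the list layout are assumptions made for the example. It also shows the caveat a practitioner should check for: a hash chain detects edits to an entry but not removal of the most recent entries, so the head hash at signing has to be anchored outside the log (for instance in the emailed copy or the PDF snapshot) for truncation to be caught.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the disclosed sub-processor list at signing.
# Vendor names are the ones this document lists; the field layout is assumed.
SUBPROCESSORS_AT_SIGNING = [
    {"vendor": "AWS", "role": "infrastructure", "baa": True},
    {"vendor": "Anthropic", "role": "model serving", "baa": True, "zdr": True},
    {"vendor": "Persona", "role": "identity verification", "baa": True},
    {"vendor": "Checkr", "role": "background checks", "baa": True},
    {"vendor": "WorkOS", "role": "SSO", "baa": True},
    {"vendor": "Drata", "role": "compliance evidence", "baa": True},
]

GENESIS = "0" * 64  # prev_hash of the first entry


def canonical(obj) -> bytes:
    # Deterministic serialization so an entry always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, body: dict) -> str:
    # Each link covers the previous hash and the canonical body, so editing
    # any earlier entry changes every later hash.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(body))
    return h.hexdigest()


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def append(self, body: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev_hash": prev, "body": body}
        entry["hash"] = entry_hash(prev, body)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> bool:
        # Recompute every link; optionally pin the head to an external anchor.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if entry_hash(prev, e["body"]) != e["hash"]:
                return False
            prev = e["hash"]
        return expected_head is None or prev == expected_head


def record_signing_snapshot(log: AuditLog, customer_id: str,
                            signed_at: str, subprocessors: list) -> dict:
    # Freeze the list at signing (deep copy so later edits cannot alias in)
    # and store its own digest alongside the list for quick comparison.
    frozen = copy.deepcopy(subprocessors)
    return log.append({
        "event": "customer_baa_signed",  # assumed event name
        "customer_id": customer_id,
        "signed_at": signed_at,
        "subprocessor_list": frozen,
        "subprocessor_list_sha256": hashlib.sha256(canonical(frozen)).hexdigest(),
    })


def demo() -> dict:
    log = AuditLog()
    log.append({"event": "vendor_baa_executed", "vendor": "Anthropic"})
    record_signing_snapshot(log, "facility-0001", "2026-05-14T00:00:00Z",
                            SUBPROCESSORS_AT_SIGNING)
    head_at_signing = log.head()  # the value to put in the emailed copy / PDF

    results = {"intact": log.verify(expected_head=head_at_signing)}

    # Tamper 1: quietly drop a vendor from the frozen list after the fact.
    edited = copy.deepcopy(log)
    edited.entries[1]["body"]["subprocessor_list"].pop()
    results["edited_entry_detected"] = not edited.verify()

    # Tamper 2: remove the signing entry entirely. What remains is still a
    # consistent chain, so only the externally anchored head catches it.
    truncated = copy.deepcopy(log)
    truncated.entries.pop()
    results["truncation_missed_without_anchor"] = truncated.verify()
    results["truncation_detected_with_anchor"] = not truncated.verify(
        expected_head=head_at_signing)
    return results


if __name__ == "__main__":
    print(demo())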


6. Breach cascade

If a sub-processor reports a breach affecting Rōvn data:

  1. Vendor notifies Rōvn (per Rōvn-vendor BAA terms)
  2. Rōvn assesses affected customer scope
  3. Rōvn notifies affected customers per Customer BAA terms (HIPAA allows a business associate up to 60 days after discovery; individual customer SLAs are typically faster)
  4. Cascade further to OCR / individuals as required by the HIPAA Breach Notification Rule

This cascade is exercised in 05_security/INCIDENT_RESPONSE.md §6.

End of sub-processor flow-down.
