Subprocessors
Last Updated: April 27, 2026
AlignSure uses the following third-party service providers to deliver our platform. All subprocessors are selected based on SOC 2 Type 2 certification (or equivalent), HIPAA eligibility, United States data residency, encryption at rest and in transit, and role-based access controls.
HIPAA-eligible configurations are activated for each subprocessor upon customer onboarding in accordance with our staged compliance activation process. For current BAA execution status with any specific subprocessor, contact [email protected].
Infrastructure Providers
Vercel
- Service: Frontend hosting, CDN, edge network
- Data processed: Static application assets (JavaScript, CSS, HTML). AlignSure uses a single-page application architecture in which API calls route directly from the browser to the API layer. PHI does not transit Vercel infrastructure.
- Location: United States (global CDN)
- Certifications: SOC 2 Type 2, ISO 27001, PCI DSS
- HIPAA-eligible: Yes (Pro and Enterprise plans)
Render
- Service: API hosting, background workers
- Data processed: API requests, application logic. PHI transits through API endpoints.
- Location: United States
- Certifications: SOC 2 Type 2, ISO 27001
- HIPAA-eligible: Yes (Organization and Enterprise plans, dedicated access-restricted hosts)
Neon (Databricks)
- Service: PostgreSQL database
- Data processed: All persistent application data including PHI
- Location: United States
- Certifications: SOC 2 Type 2, ISO 27001, ISO 27701
- HIPAA-eligible: Yes (Scale plan, tenant-isolated projects, pgaudit extension)
Microsoft Azure
- Service: Entra ID (identity), Azure SQL Ledger DB (immutable audit trail), Blob Storage (WORM retention), Key Vault (secrets management)
- Data processed: Identity tokens, immutable audit records, compliance evidence, encryption keys
- Location: United States (East US)
- Certifications: SOC 2 Type 2, ISO 27001, FedRAMP, HITRUST
- HIPAA-eligible: Yes (standard Microsoft BAA covers all listed services)
Cloudflare
- Service: DNS, edge security, MTA-STS for email security, DDoS protection
- Data processed: Domain DNS records, TLS certificates, request metadata at the edge. Application PHI does not flow through Cloudflare's edge for AlignSure.
- Location: Global edge network
- Certifications: SOC 2 Type 2, ISO 27001, PCI DSS
- HIPAA-eligible: BAA available. AlignSure is not currently in a HIPAA-bound configuration since no PHI flows through Cloudflare's edge.
Application Services
Auth0 (Okta)
- Service: Authentication, authorization, identity management
- Data processed: User credentials, session tokens, identity claims
- Location: United States
- Certifications: SOC 2 Type 2, ISO 27001
- HIPAA-eligible: Yes (Enterprise plan)
Sentry
- Service: Error monitoring, performance tracking
- Data processed: Application error logs and stack traces. PHI is excluded from error payloads by platform configuration.
- Location: United States
- Certifications: SOC 2 Type 2
- HIPAA-eligible: Yes (Business plan)
HubSpot
- Service: Marketing forms and customer relationship management. Captures inquiries submitted through public website forms (demo, contact, partner, BAA request).
- Data processed: Contact information submitted through public website forms: name, work email, company, job title, phone, and free-text use-case descriptions. Application data and PHI do not flow through HubSpot.
- Location: United States
- Certifications: SOC 2 Type 2, ISO 27001, ISO 27018
- HIPAA-eligible: No. HubSpot does not offer a BAA. Form fields collect contact details and stated intent only; PHI is excluded by form design.
Resend
- Service: Transactional email delivery. Used as a fallback notification path when the primary CRM submission path is unavailable.
- Data processed: Form-submission contents emailed to AlignSure's notification address when the primary path fails. Contact data and use-case descriptions only; no application PHI.
- Location: United States
- Certifications: SOC 2 Type 2
- HIPAA-eligible: No. Resend does not offer a BAA. Used only as a fallback notification path for marketing-form submissions; PHI does not flow through Resend.
Data Handling Principles
No customer data is transferred outside the United States without prior written consent.
All subprocessors provide encryption at rest (AES-256 minimum) and in transit (TLS 1.2+). Subprocessor selection criteria include independent security certification, US data residency, BAA availability, and demonstrated incident response capability.
Subprocessor Change Notification
Newf Technology will notify customers at least 30 days in advance of any new subprocessor that may process PHI. Customers may object to new subprocessors within the notification period.
To receive notifications of subprocessor changes, contact your account manager or email [email protected].
Questions
For questions about subprocessors or to request security documentation: [email protected]