Trust & Compliance

Subprocessors

ezHealthRCM uses a limited number of carefully vetted subprocessors to deliver our services. All subprocessors with access to Protected Health Information (PHI) have executed Business Associate Agreements (BAAs).

Last Updated: May 1, 2026

HIPAA Compliance

ezHealthRCM requires all subprocessors that create, receive, maintain, or transmit Protected Health Information (PHI) to execute a HIPAA-compliant Business Associate Agreement (BAA) prior to processing any PHI. All such subprocessors must implement administrative, physical, and technical safeguards as required under 45 C.F.R. Parts 160 and 164. Subprocessors marked "BAA Not Required" operate on non-PHI data (e.g., payment processing, infrastructure orchestration) and are not classified as Business Associates under HIPAA.

Vercel Inc.

vercel.com

United States

BAA Executed

Services Provided

  • Application hosting and serverless compute
  • Content delivery network (CDN) and edge network

Data Categories Processed

Application data, server logs, session tokens

MongoDB, Inc. (Atlas)

mongodb.com

United States (AWS us-east-1)

BAA Executed

Services Provided

  • Primary database for provider accounts, claims, denials, and payments
  • Encrypted at rest (AES-256) and in transit (TLS 1.3)

Data Categories Processed

Provider profiles, patient claim records, PHI related to claims processing, denial records, payment data

Google Cloud Platform (GCP)

cloud.google.com

United States (us-central1)

BAA Executed

Services Provided

  • Per-organization encrypted document storage (Google Cloud Storage)
  • Envelope encryption with customer-managed keys (Cloud KMS)
  • Storage of credentialing documents, insurance cards, and provider vault credentials

Data Categories Processed

Credentialing documents, insurance card images, patient intake documents, encrypted provider credentials (vault)

Amazon Web Services (AWS)

aws.amazon.com

United States (us-east-1)

BAA Executed

Services Provided

  • Underlying cloud infrastructure for Vercel and MongoDB Atlas
  • Data residency within US regions only

Data Categories Processed

Infrastructure-level access; AWS does not have direct access to application data or PHI

Resend

resend.com

United States

BAA Not Required

Services Provided

  • Transactional email delivery for system notifications and account-related messages
  • Branded email rendering and delivery tracking

Data Categories Processed

Workforce and account email addresses only. No PHI is transmitted through Resend; patient-facing communications are not routed through this provider.

Stripe, Inc.

stripe.com

United States

BAA Not Required

Services Provided

  • Patient statement invoicing and hosted payment pages
  • Payment processing and customer billing portal
  • Webhook event delivery for payment status updates

Data Categories Processed

Patient name, email address, billing amounts, and payment card data (Stripe is PCI-DSS compliant; ezHealthRCM does not store card numbers)

Inngest, Inc.

inngest.com

United States

BAA Not Required

Services Provided

  • Background job orchestration for document processing and eligibility checks
  • Per-organization infrastructure provisioning workflows

Data Categories Processed

Organization identifiers and job metadata passed in event payloads; no direct PHI stored by Inngest

Data Residency

All customer data and PHI are stored and processed in the United States. ezHealthRCM does not transfer PHI outside of the United States. Our infrastructure runs on Vercel's US region (powered by AWS us-east-1) and MongoDB Atlas US clusters. All data remains within US jurisdiction at all times.

Changes to Subprocessors

ezHealthRCM will provide at least thirty (30) days' notice before adding or replacing subprocessors that process PHI. Notifications will be sent to the email address associated with your account. To object to a new subprocessor or to ask questions, contact us at privacy@ezhealthrcm.com.