
Subprocessor List

Effective Date: February 2026

Document Version: 2.0

Rymeda, Inc. ("Rymeda," "we," "us") engages the following third-party subprocessors to assist in providing services to our customers. This list is maintained pursuant to Article 28(2) of the GDPR and the corresponding provisions of the Data Processing Agreement ("DPA") and the Business Associate Agreement ("BAA").

Each subprocessor is contractually bound to data protection obligations no less protective than those in our DPA. Where a subprocessor processes Protected Health Information ("PHI"), a Business Associate Agreement has been executed in compliance with HIPAA (45 CFR §164.502(e), §164.504(e)). For details on how we manage subprocessor relationships, see Section 6 of the DPA and Section 6 of the BAA.

Rymeda retains full liability for the acts and omissions of its subprocessors with respect to the processing of personal data, as required by GDPR Article 28(4).

1. Infrastructure Subprocessors

Core infrastructure services providing compute, storage, authentication, encryption, and monitoring.

Amazon Web Services, Inc.
  Purpose: Cloud infrastructure — compute, S3 object storage, Cognito authentication, KMS encryption key management, Secrets Manager, CloudWatch logging
  Data Processed: All platform data including PHI, ePHI, clinical documents, voice recordings, user credentials, authentication tokens, audit logs, application logs
  Location: USA (us-east-1)
  DPA: Yes
  BAA: Yes

MongoDB, Inc.
  Purpose: Database hosting — primary application database for all user, clinical, operational, and administrative data (MongoDB Atlas)
  Data Processed: User accounts, patient records, clinical notes, voice note transcripts, medical reports, provider credentials, billing data, audit logs, organization data
  Location: USA
  DPA: Yes
  BAA: Yes

2. AI & Machine Learning Subprocessors

AI and machine learning services powering clinical documentation, transcription, and decision support. For details on each AI system, see the AI Transparency & Ethics Policy.

Training Data Prohibition: No subprocessor is permitted to use customer data, PHI, or clinical content for AI model training. All AI subprocessors have executed contractual agreements prohibiting use of Rymeda data for model training, fine-tuning, or improvement. See the AI Transparency & Ethics Policy Section 2 for details.

OpenAI, Inc.
  Purpose: AI text and voice processing — Whisper speech-to-text transcription of clinical voice notes; GPT models (via LiteLLM) for AI-assisted SOAP note generation, suggested ICD-10/CPT codes, and clinical summaries
  Data Processed: Audio recordings of clinical encounters, voice note transcripts, clinical note content. Zero Data Retention (ZDR) agreement in place — no input/output data retained by OpenAI.
  Location: USA
  DPA: Yes
  BAA: Yes

Google LLC
  Purpose: AI processing — Google Gemini models for AI-assisted clinical documentation generation as an alternative to OpenAI GPT models (via LiteLLM multi-model routing)
  Data Processed: Clinical note content, voice note transcripts. Google Cloud HIPAA BAA in place — data processed under healthcare-compliant terms.
  Location: USA
  DPA: Yes
  BAA: Yes

ORIS
  Purpose: Healthcare AI — ORIS (Omniscient Rymeda Intelligence System) clinical AI assistant with RAG-powered decision support, task generation, daily runbooks, medical report generation, and health & wellness Q&A with guardrails
  Data Processed: Clinical queries, medical transcripts, SOAP note generation, health-related questions. Guardrails for emergency detection, off-topic filtering, and rate limiting.
  Location: USA
  DPA: Yes
  BAA: Yes

LiteLLM (BerriAI, Inc.)
  Purpose: LLM routing and abstraction — unified API layer for routing requests to OpenAI, Google Gemini, and other model providers with fallback, caching, and performance optimization
  Data Processed: API request routing metadata. LiteLLM acts as a routing layer — clinical data is processed by the underlying model provider (OpenAI/Google), not retained by LiteLLM.
  Location: USA
  DPA: Yes
  BAA: N/A

3. Payment Subprocessors

Payment processing services for subscriptions, marketplace transactions, and provider billing.

Stripe, Inc.
  Purpose: Payment processing — subscription billing for provider plans (Starter, Professional, Enterprise), marketplace checkout via Stripe Connect, and payment method management
  Data Processed: Customer name, email, payment method details (processed by Stripe, not stored by Rymeda), subscription metadata (user_id, plan type). Stripe is PCI DSS Level 1 certified. No PHI is transmitted to Stripe.
  Location: USA
  DPA: Yes
  BAA: N/A

Stripe does not receive or process PHI; therefore a BAA is not required. Stripe acts as an independent data controller for the payment card data it handles, which it protects under its own PCI DSS Level 1 certification.

4. Communication Subprocessors

Email delivery and communication services for transactional notifications.

Twilio SendGrid (Twilio, Inc.)
  Purpose: Transactional email delivery — provider onboarding confirmations, application status notifications, NPI verification notices, approval/denial emails, admin alerts, billing activation emails
  Data Processed: Recipient name and email address, email subject and content (no PHI included in email content). Emails are transactional notifications only; clinical data and PHI are never transmitted via email.
  Location: USA
  DPA: Yes
  BAA: N/A

SendGrid does not receive or process PHI; therefore a BAA is not required. Rymeda does not include PHI, clinical data, or patient identifiers in email content. All sensitive notifications direct recipients to sign in to the platform to view details.

5. Telehealth Subprocessors

Live video and communication services for telehealth sessions.

100ms, Inc.
  Purpose: Live video infrastructure — provider-patient telehealth video sessions, session management, and optional session recording
  Data Processed: Video/audio streams during live telehealth sessions, session tokens, room identifiers, participant metadata. Session recordings (if enabled) are stored in Rymeda-controlled S3 storage.
  Location: USA
  DPA: Yes
  BAA: Yes

6. Analytics Subprocessors

Website analytics services. For details on our cookie-free analytics approach, see the Cookie Policy.

Plausible Insights OÜ
  Purpose: Privacy-first website analytics — cookie-free, no personal data collection, no cross-site tracking, no browser fingerprinting. Aggregate metrics only (page views, referrals, device types, country-level geography).
  Data Processed: No personal data is stored. IP addresses are used transiently for country-level geolocation and then immediately discarded. No cookies set. GDPR-compliant without a consent requirement.
  Location: EU (Estonia)
  DPA: Yes
  BAA: N/A

Plausible does not store personal data and never receives PHI; therefore neither a BAA nor cookie consent is required. Plausible is EU-hosted and open-source.

7. Government & Verification Services

Government registries and verification services used for provider credentialing.

CMS NPPES Registry (U.S. Government)
  Purpose: NPI verification — validation of provider National Provider Identifier (NPI) numbers against the CMS National Plan and Provider Enumeration System registry
  Data Processed: NPI numbers submitted for verification. Returns publicly available provider information (name, credentials, taxonomy, state, entity type, status). This is a public government API.
  Location: USA
  DPA: N/A
  BAA: N/A

The NPPES registry is a public U.S. government service operated by CMS. Only publicly available provider data is returned. No patient data or PHI is transmitted to NPPES.

8. Summary

The following table provides a consolidated view of all subprocessors and their compliance status:

Subprocessor          | Category       | Processes PHI? | BAA     | DPA     | No-Train | Location
----------------------|----------------|----------------|---------|---------|----------|---------
Amazon Web Services   | Infrastructure | Yes            | Yes     | Yes     | N/A      | USA
MongoDB, Inc.         | Infrastructure | Yes            | Yes     | Yes     | N/A      | USA
OpenAI, Inc.          | AI / ML        | Yes            | Yes     | Yes     | ZDR      | USA
Google LLC            | AI / ML        | Yes            | Yes     | Yes     | Yes      | USA
ORIS                  | AI / ML        | Yes            | Yes     | Yes     | Yes      | USA
LiteLLM (BerriAI)     | AI / ML        | Routing only   | N/A     | Yes     | N/A      | USA
Stripe, Inc.          | Payment        | No             | N/A     | Yes     | N/A      | USA
Twilio SendGrid       | Communication  | No             | N/A     | Yes     | N/A      | USA
100ms, Inc.           | Telehealth     | Yes            | Yes     | Yes     | N/A      | USA
Plausible Insights    | Analytics      | No             | N/A     | Yes     | N/A      | EU
CMS NPPES             | Verification   | No             | Gov API | Gov API | N/A      | USA

Legend: ZDR = Zero Data Retention agreement. No-Train = Contractual prohibition on using Rymeda data for AI model training. Gov API = Public government API, not a contractual subprocessor.

9. Change Notification

Rymeda provides advance written notice before engaging a new subprocessor or materially changing an existing subprocessor's scope of data processing.

9.1 Advance Notice

Rymeda will provide at least thirty (30) days' advance written notice before: (a) engaging a new subprocessor; (b) replacing an existing subprocessor with a different entity; or (c) materially changing the scope, purpose, or geographic location of an existing subprocessor's data processing. Notice is sent to the email address associated with the Customer's account and posted on this page.

9.2 Notification Content

Each change notification will include: the subprocessor's entity name and location, the purpose and scope of data processing, the categories of data processed (including whether PHI is involved), the DPA/BAA status, and the effective date of the change.

9.3 Subscribe to Updates

To receive subprocessor change notifications, subscribe by emailing legal@rymeda.com with the subject line "Subscribe: Subprocessor Updates." All customers with an executed DPA or BAA are automatically subscribed.

10. Objection Rights

Customers may object to a new or changed subprocessor in accordance with the Data Processing Agreement.

10.1 Objection Window

Customers have fifteen (15) days from receipt of the change notification to submit a written objection to legal@rymeda.com. The objection must specify the subprocessor and the reasonable grounds for the objection (e.g., data protection concerns, regulatory requirements, geographic restrictions).

10.2 Resolution

Upon receiving a valid objection, Rymeda will make commercially reasonable efforts to: (a) provide a substitute subprocessor that addresses the Customer's concerns; (b) modify the data processing arrangement to exclude the Customer's data from the objected subprocessor; or (c) provide additional contractual safeguards. Rymeda will respond to objections within ten (10) business days.

10.3 Termination Right

If Rymeda is unable to resolve the objection to the Customer's reasonable satisfaction within thirty (30) days, the Customer may terminate the affected services without penalty, subject to the data return and deletion provisions in the DPA Section 12.

11. Data Protection Measures

All subprocessors are subject to the following data protection requirements:

  • Contractual obligations — Each subprocessor is bound by data processing terms no less protective than those in our DPA, including data minimization, purpose limitation, and security measures.
  • BAA where required — Any subprocessor that processes, stores, or transmits PHI has executed a HIPAA Business Associate Agreement with Rymeda.
  • No-training agreements — AI/ML subprocessors are contractually prohibited from using Rymeda data for model training, fine-tuning, or improvement.
  • Encryption — All data transmitted to and from subprocessors is encrypted in transit (TLS 1.3). Data at rest is encrypted (AES-256) with per-tenant encryption keys managed via AWS KMS.
  • Access controls — Subprocessor access is limited to the minimum necessary data for their stated purpose, consistent with HIPAA's minimum necessary standard (45 CFR §164.502(b)).
  • Annual review — Rymeda conducts annual reviews of each subprocessor's security posture, compliance certifications, and data processing practices.
  • Incident notification — Subprocessors are contractually required to notify Rymeda of any security incident, data breach, or unauthorized access without undue delay, and in any event within twenty-four (24) hours of discovery.
  • Audit rights — Rymeda retains the right to audit or inspect subprocessor compliance, either directly or through an independent third-party auditor.

12. Change Log

Record of changes to the subprocessor list:

Date          | Change      | Details
--------------|-------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------
February 2026 | Version 2.0 | Comprehensive rewrite — expanded to 11 subprocessors across 7 categories with detailed data processing descriptions, DPA/BAA/No-Train status, change notification procedures, and objection rights.

Contact

For questions about our subprocessors, to subscribe to change notifications, or to submit an objection:

Legal Team

Subprocessor inquiries, objections, DPA questions

legal@rymeda.com

Security Team

Subprocessor security concerns

security@rymeda.com
