AVD Clinical uses a small, deliberate set of vendors. Every vendor in this list has been selected based on security posture, certifications, and data handling practices. We do not use advertising networks, analytics platforms that sell data, or data brokers.
Current Subprocessors
| Vendor | Role | Data processed | Location | Certifications |
|---|---|---|---|---|
| Supabase Privacy policy ↗ | Database, authentication, and storage backend | User accounts, profiles, medicine reminders, calculator projects, watched resources, session tokens, OTP codes (hashed) | AWS us-east-1 (Virginia, USA) | SOC 2 Type II ISO 27001 HIPAA eligible* |
| Stripe Privacy policy ↗ | Payment processing and subscription billing | Payment card data (Stripe only — AVD never receives card numbers), billing email, transaction records, customer portal sessions | United States (Stripe-managed global infrastructure) | PCI DSS Level 1 SOC 2 Type II ISO 27001 |
| Resend Privacy policy ↗ | Transactional email delivery | Email address (for OTP delivery, contact form forwarding, newsletter); email delivery logs | United States | SOC 2 Type II |
| Twilio Privacy policy ↗ | SMS OTP delivery | Phone number (for SMS OTP only); SMS delivery logs | United States | ISO 27001 SOC 2 Type II |
| Cloudflare Privacy policy ↗ | Static site hosting, CDN, DDoS protection, form handling | IP addresses (transient, not logged by AVD), HTTP request headers, form submissions (contact/newsletter), static file delivery | Global edge network (content delivery); form data processed in US | ISO 27001 SOC 2 Type II |
* Supabase is HIPAA-eligible under a BAA agreement. AVD Clinical does not currently have a BAA with Supabase because the current platform does not process PHI. A BAA will be required as part of any future enterprise/regulated deployment. See HIPAA Notice.
What We Do Not Use
AVD Clinical does not use the following categories of vendor:
- Advertising networks or retargeting platforms (Google Ads, Meta Pixel, etc.)
- Behavioural analytics or session recording tools (Hotjar, FullStory, Mixpanel, etc.)
- Data enrichment or identity resolution services
- Third-party CRM platforms with data resale terms
- AI/ML training data aggregators
Notifications of Changes
This page will be updated when any subprocessor is added, removed, or materially changed. Enterprise customers who have entered into a Data Processing Agreement (DPA) with AVD Clinical will receive 30 days' advance notice of new subprocessors that process personal data within scope of their DPA.
No DPA is currently required for standard platform use. A DPA template will be available when enterprise agreements are offered. To enquire, email [email protected].
Further Information
- Data flow diagram — what data moves where at a technical level
- Security page — encryption, access controls, and incident response
- Privacy Policy — full data handling description
- HIPAA & PHI Notice — why PHI is prohibited on the current platform