Sub-processors

Last updated: 2026-05-04 (draft)

This page lists the third parties ("sub-processors") that process Customer Data on Pratvi AI's behalf. Inclusion on this list signifies a contractual relationship — typically a Data Processing Addendum (under GDPR Article 28) and where applicable a HIPAA Business Associate Agreement, GLBA Service Provider Agreement, or equivalent.

We notify customers at least 30 days before adding, removing, or replacing a sub-processor that handles Customer Data, consistent with our customer-agreement templates.

Pratvi AI is currently in private beta. This list reflects the sub-processors selected during the build-out of the Pratvi AI platform; not all of them will receive Customer Data until customers are onboarded and contracts are signed.

Supabase, Inc.
Location: United States (EU on enterprise tier)
Service: Managed Postgres database hosting
Data access: All Customer Data at rest (encrypted)
Controls: SOC 2 Type II; encryption at rest; row-level security

Railway Corp.
Location: United States
Service: Application compute and container hosting
Data access: Customer Data in memory during processing (ephemeral)
Controls: Container isolation; TLS 1.3 in transit

Cloudflare, Inc.
Location: Global edge network
Service: CDN, WAF, DDoS protection
Data access: TLS-terminated traffic; no Customer Data cached
Controls: SOC 2 Type II; ISO 27001; ISO 27018; PCI DSS

Doppler
Location: United States
Service: Secrets management
Data access: Encryption keys and configuration secrets only (not Customer Data)
Controls: SOC 2 Type II; HSM-backed key storage

Anthropic, PBC
Location: United States
Service: Claude API for compliance Q&A and report generation
Data access: Tokenized prompts only; no raw PHI/NPI/Personal Data
Controls: Tokenization enforced; no training on customer data; zero-retention API

OpenAI, LLC
Location: United States
Service: Embeddings API for regulatory document search
Data access: Regulatory text only; no Customer Data
Controls: No Customer Data transmitted; zero-retention API

Sentry, Inc.
Location: United States
Service: Error monitoring
Data access: Application errors only; PII scrubbed before transmission
Controls: SOC 2 Type II; PII scrubbing enforced

Axiom
Location: United States
Service: Structured log aggregation
Data access: Application logs (PHI/NPI tokenized before submission)
Controls: SOC 2; tokenization enforced

Resend
Location: United States
Service: Transactional email (account verification, alerts)
Data access: Recipient email addresses only
Controls: TLS 1.3 in transit

Vercel, Inc.
Location: Global edge network
Service: Marketing site and frontend hosting
Data access: Marketing-site traffic; no Customer Data
Controls: SOC 2 Type II; ISO 27001