Subprocessors
Last updated: July 9, 2026
The third-party services we use to deliver the denial-recovery Service. Protected health information (PHI) is processed by only four of them — Fly.io, Stedi, Sinch, and Lob — each bound by a Business Associate Agreement and by no-sale and no-AI-training obligations. Every other service operates on de-identified or non-PHI data only.
We keep this list to the minimum necessary to run the Service. We require a signed BAA, encryption, no-sale, and no-AI-training terms from every subprocessor that handles PHI, and we hold them to HIPAA and California CMIA (Civil Code §56 et seq.) confidentiality obligations. We will provide notice of material changes to this list.
| Subprocessor | Purpose | PHI | Location | Status |
|---|---|---|---|---|
| Fly.io | Application hosting & compute (isolated PHI enclave) | Yes | United States | BAA in place |
| Stedi | Clearinghouse / EDI (837P, 835, eligibility) | Yes | United States | BAA in progress |
| Sinch | Secure fax delivery of appeals to payers | Yes | United States | BAA in place |
| Lob | Certified mail delivery of appeals | Yes | United States | BAA in progress |
| Anthropic (Claude) | AI drafting & analysis on de-identified data only — no PHI; never trained on your data | No | United States | No PHI · no-training |
| Vercel | Marketing site & app shell — PHI routes proxy to the Fly.io enclave | No | United States | No PHI · DPA |
| Supabase | Authentication & non-PHI application data | No | United States | No PHI · DPA |
| Resend | Transactional email — PHI-free by design | No | United States | No PHI · DPA |
| PostHog | Product & website analytics | No | United States | Non-PHI · DPA |
Questions about our subprocessors or to request our security documentation: security@volari.ai. See also our Security & HIPAA and Privacy Policy pages.