Subprocessors
Last updated: June 14, 2026
The third-party services we use to deliver the denial-recovery Service. Every subprocessor that handles protected health information (PHI) is bound by a Business Associate Agreement and by no-sale and no-AI-training obligations.
We keep this list to the minimum necessary to run the Service. We require a signed BAA, encryption, no-sale, and no-AI-training terms from every subprocessor that handles PHI, and we hold them to HIPAA and California CMIA (Civil Code §56 et seq.) confidentiality obligations. We will provide notice of material changes to this list.
| Subprocessor | Purpose | PHI | Location | Status |
|---|---|---|---|---|
| Vercel | Application hosting & compute | Yes | United States | BAA in progress |
| Supabase | Database & storage | Yes | United States | BAA in progress |
| Anthropic (Claude) | AI model for appeal drafting & analysis | Yes | United States | BAA in progress · no-training required |
| Stedi | Clearinghouse / EDI (837P, 835, eligibility) | Yes | United States | BAA in progress |
| SRFax | Secure fax delivery of appeals to payers | Yes | United States / Canada | BAA in progress |
| Lob | Certified mail delivery of appeals | Yes | United States | BAA in progress |
| Resend | Transactional email delivery | Limited | United States | BAA in progress |
| PostHog | Product & website analytics | No | United States | Non-PHI · DPA |
Status note (honest by design): "BAA in progress" means the agreement is being executed and is required before any PHI is processed through that subprocessor in production. We will not move PHI through a subprocessor until its BAA is in place. We'd rather tell you exactly where we stand than overstate it.
Questions about our subprocessors or to request our security documentation: security@volari.ai. See also our Security & HIPAA and Privacy Policy pages.