Subprocessors
Below is the current list of subprocessors engaged by Aqueo Health Inc. for operating the Aqueo Dry Eye Check service.
All subprocessors are bound by written agreements requiring:
- safeguards appropriate to the sensitivity of information,
- encryption at rest and in transit where applicable,
- access controls and least-privilege principles,
- breach-notification and cooperation obligations, and
- limits on use to providing services to Aqueo on behalf of clinics.
| Service Provider | Purpose | Primary Location | Key Safeguards and Notes |
|-------------------------|-------------------------------------------|----------------------------|----------------------------------------------------------------------------|
| Amazon Web Services (AWS) | Core infrastructure, S3 storage, KMS, Lambda, CloudWatch Logs | Canada (ca-central-1) | SSE-KMS encryption, access logging, least-privilege IAM, regional isolation |
| Vercel Inc. | Static app hosting, CDN, edge caching | United States / EU regions | No PHI storage; HTTPS-only; Aqueo's clinical APIs and PHI do not terminate on Vercel |
| Cloudflare Inc. | DNS, network security, TLS termination | United States / Global | TLS termination, DDoS protection; contractual safeguards for privacy |
| PostHog (EU Cloud, optional) | Anonymous or de-identified product analytics | European Union | No clinical payloads; IP anonymization; can be disabled for stricter environments |
Aqueo reviews this list regularly. Any additions or material changes will be reflected in an updated version of this document and communicated to partner clinics in accordance with contract terms.