Subprocessors
Below is the current list of subprocessors engaged by Aqueo Health Inc. for operating the Aqueo Dry Eye Check service.
All subprocessors are bound by written agreements requiring:
-
safeguards appropriate to the sensitivity of information,
-
encryption at rest and in transit where applicable,
-
access controls and least-privilege principles,
-
breach-notification and cooperation obligations, and
-
limits on use to providing services to Aqueo on behalf of clinics.
| Service Provider | Purpose | Primary Location | Key Safeguards and Notes |
|---|---|---|---|
| Amazon Web Services (AWS) | Core infrastructure, S3 storage, KMS, Lambda, CloudWatch Logs | Canada (ca-central-1) | SSE-KMS encryption, access logging, least-privilege IAM, regional isolation |
| Amazon Web Services (AWS – SES) | Outbound email delivery for website inquiries (contact form) | Canada (default ca-central-1; configurable) | IAM least privilege; TLS in transit; email delivery scoped to internal recipients |
| Vercel Inc. | Website hosting (static pages and CDN); serverless execution for website contact form | United States / Global | No clinical PHI storage; HTTPS-only; platform may process request metadata in logs |
| Cloudflare Inc. | DNS, network security, TLS termination | United States / Global | TLS termination, DDoS protection; contractual safeguards for privacy |
| jsDelivr | CDN for third-party JavaScript/WASM assets (e.g., MediaPipe libraries) | Global | Receives IP address, user-agent, requested asset URLs and timing; no clinical payloads are sent |
Aqueo reviews this list regularly. Any additions or material changes will be reflected in an updated version of this document and communicated to partner clinics in accordance with contract terms.