Subprocessors
Below is the current list of subprocessors engaged by Aqueo Health Inc. for operating the Aqueo platform.
All subprocessors are bound by written agreements requiring:
- safeguards appropriate to the sensitivity of information,
- encryption at rest and in transit where applicable,
- access controls and least-privilege principles,
- breach-notification and cooperation obligations, and
- limits on use to providing services to Aqueo on behalf of clinics.
| Service Provider | Purpose | Primary Location | Key Safeguards and Notes |
|---|---|---|---|
| Amazon Web Services (AWS) | Core infrastructure, S3 storage, KMS, Lambda, CloudWatch Logs | Canada (ca-central-1) | SSE-KMS encryption, access logging, least-privilege IAM, regional isolation |
| Amazon Web Services (AWS – SES) | Outbound email delivery for website inquiries (contact form) | Canada (default ca-central-1; configurable) | IAM least privilege; TLS in transit; email delivery scoped to internal recipients |
| Vercel Inc. | Application-tier serverless execution of the Aqueo Next.js app (patient, clinic, and admin portals — SSR, middleware, API route handlers); website hosting (static pages, marketing site); serverless contact-form execution | United States / Global | No PHI persisted on Vercel (PHI transits execution environment but is not retained); HTTPS-only; platform may process request metadata (IP, user-agent, timing) in logs; engaged under Vercel DPA |
| Cloudflare Inc. | DNS, network security, TLS termination | United States / Global | TLS termination, DDoS protection; contractual safeguards for privacy |
| jsDelivr | CDN for third-party JavaScript/WASM assets (e.g., MediaPipe libraries) | Global | Receives IP address, user-agent, requested asset URLs and timing; no clinical payloads are sent |
Aqueo reviews this list regularly. Any additions or material changes will be reflected in an updated version of this document and communicated to partner clinics in accordance with contract terms.