Sub-Processors
Effective Date: April 29, 2026 · Last Updated: April 29, 2026
1. Purpose
This page is the canonical, public list of third-party service providers ("Sub-Processors") engaged by Veri-Tech, Inc. to support the Veri-Tech platform ("Service"). It is referenced by:
- Section 5.3 of the Data Processing Agreement (DPA) — for general data protection sub-processor disclosure.
- Section 3(d) of the Veri-Tech Business Associate Agreement (BAA) — for HIPAA Subcontractor flow-down disclosure.
Customers should treat this page as the authoritative source for the current list.
2. Scope of Customer Data Veri-Tech Processes
The Veri-Tech platform is an administrative tool used by IT, security, and compliance engineers. The Service does not request, require, or process Protected Health Information (PHI) or any clinical data. The data Veri-Tech processes consists of:
- Microsoft 365 tenant configuration metadata (policies, security baselines, device management settings, conditional access rules);
- Configuration snapshots, diffs, and audit logs derived from the above;
- Account references for the small set of administrators who interact with the Service: portal users, JIT consenters, and customer-designated emergency-access account holders.
Mailbox content, file content, chat messages, individual end-user activity, and any patient or clinical record are out of scope. Free-text fields in the Service (AI chat, support ticket descriptions) are labeled accordingly and Customers acknowledge in the BAA that they will not submit PHI through the Service.
3. Change Notification
Veri-Tech provides at least thirty (30) days' advance notice before adding or replacing a Sub-Processor. Notification is given by:
- Updating the table in Section 4 below; and
- Recording the change in the Change Log in Section 7, including the effective date.
Customers who wish to receive proactive email notification of changes may subscribe by emailing privacy@veri-tech.net with the subject line "Subprocessor notifications".
Customers may object to a new Sub-Processor on documented privacy or security grounds within the notice period. If an objection cannot be resolved, the Customer may terminate the underlying agreement without penalty as provided in the DPA and (where applicable) the BAA.
4. Active Sub-Processors
The BAA in Place column reflects whether Veri-Tech has executed a HIPAA Business Associate Agreement (or equivalent) with each provider. Where "Not required" appears, it reflects Veri-Tech's position that the data flow does not include PHI; see Section 2 above and the Customer's BAA for the contractual basis.
| Sub-Processor | Role | Data Processed | Location | BAA in Place |
|---|---|---|---|---|
| Microsoft Corporation: Azure (compute, storage, networking, Application Insights) | Cloud infrastructure hosting all backend services, blob storage, table storage, key vault, and application telemetry. | Tenant configuration metadata, job records, generated documents, audit logs, application telemetry. | United States (East US 2) | Yes — Microsoft Online Services DPA & BAA |
| Microsoft Corporation: Microsoft Graph API | API conduit used to read tenant configuration and apply customer-authorized remediation changes against the Customer's own Microsoft 365 tenant. | Tenant configuration settings, policy definitions, role assignments, group memberships referenced by policies. | Microsoft global infrastructure | Yes — Microsoft Online Services DPA & BAA |
| Microsoft Corporation: Microsoft Bookings | Scheduling for sales, onboarding, and security calls. Used by prospects who book a meeting with Veri-Tech, not by authenticated portal users. | Prospect-submitted contact details (name, email, optional message). | Microsoft global infrastructure | Yes — Microsoft Online Services DPA & BAA |
| Vercel, Inc. | Web hosting for the public marketing site and authenticated portal (veri-tech.net). No tenant data, scan results, or generated documents are stored on Vercel. | HTTP request metadata, session cookies, authentication tokens issued by NextAuth, edge logs. | United States (iad1) | Not required — no PHI processed |
| Stripe, Inc. | Payment processing and subscription management for paid plans. | Customer billing contact, payment method tokens (held by Stripe), invoice and subscription history. | United States | Not required — no PHI processed |
| Resend, Inc. | Transactional email delivery (job-completion notifications, drift alerts, invitation emails). | Recipient email address, message subject, message body containing job metadata (job ID, scan summary, control names). | United States | Not required — no PHI processed |
| Anthropic, PBC | AI-assisted features: support assistant, in-product Copilot, and remediation plan generation. Invoked only when a user actively engages an AI feature or requests a generated plan. | User-typed chat messages; control IDs, control titles, severity, domain, and pass/fail status of the active scan; tenant license SKU list (e.g., ENTERPRISEPACK); AI-generated executive summaries. Tenant identifiers, customer email addresses, mailbox or file content are not transmitted. | United States | Not in place. Veri-Tech's commercial-tier Anthropic API does not transmit PHI by design and the Service UI instructs users not to enter PHI in AI chat fields. An Anthropic Enterprise tier agreement with HIPAA BAA is on the post-launch hardening roadmap. |
| GitHub, Inc.: Veri-Tech support-ticket repository | Issue intake for support tickets submitted from the in-portal support form. Issues land in a private Veri-Tech-owned repository accessible only to Veri-Tech support staff. | Ticket subject and description (free-text written by the submitter), category, priority, tenant identifier, submitter email, and an optional transcript of any prior AI support conversation that the user attaches. | United States | Not in place. The support form instructs users not to enter PHI; tickets are administrative in nature (login issues, billing questions, feature requests). |
4.1 Note on Microsoft as Primary Sub-Processor
Microsoft Azure, Microsoft Graph API, and Microsoft Bookings are listed as separate entries because they fulfill distinct roles, even though all are operated by Microsoft Corporation under the same Online Services contractual framework (DPA + BAA). Microsoft's downstream sub-processors are governed by Microsoft's published Online Services DPA and are not re-listed here.
5. Sub-Processors Not Used
For Customer awareness, Veri-Tech affirms that the following categories of third party are not engaged as of the effective date above:
- Generative AI providers other than Anthropic (e.g., OpenAI, Google AI, AWS Bedrock). Anthropic is the sole AI provider; see Section 4.
- Third-party analytics or marketing pixels on authenticated portal pages. The marketing site uses first-party Vercel Analytics only.
- Offshore support or development contractors with access to production data.
Adding a Sub-Processor in any of these categories would be subject to the Section 3 notice requirement.
6. Customer-Configured Integrations
Veri-Tech supports optional integrations that the Customer enables and configures with the Customer's own credentials (e.g., ConnectWise Manage, Autotask, Halo PSA, Jira, ServiceNow, Freshservice, Slack, Microsoft Teams, GitHub for SOP / runbook push to a Customer-owned repository). These are not Veri-Tech Sub-Processors. The Customer's direct relationship with each integration provider governs that data flow, and the Customer is responsible for executing any required BAA or DPA with that provider. Veri-Tech transmits to these providers only the minimum payload needed to fulfill the Customer's configured action.
7. Change Log
| Date | Change | Effective |
|---|---|---|
| April 29, 2026 | Initial publication. Sub-Processors at launch: Microsoft Azure, Microsoft Graph API, Microsoft Bookings, Vercel, Stripe, Resend, Anthropic, GitHub. | April 29, 2026 |
8. Contact
Veri-Tech, Inc. — Privacy & Compliance
Email: privacy@veri-tech.net
Legal: legal@veri-tech.net
Website: veri-tech.net
