This page lists the third parties NovaScribe uses to deliver its medical scribe service, organized by whether they handle Protected Health Information (PHI).

Customers are notified at least 30 days in advance of any new sub-processor gaining PHI access, per our Business Associate Agreement (BAA) terms. Security or compliance questions: security@novascribe.us.

These vendors access, store, process, or transmit Protected Health Information on NovaScribe's behalf. An executed BAA is in place with each.

| Vendor | Service | Data accessed | Region | Certifications |
|---|---|---|---|---|
| Amazon Web Services, Inc. | EC2 hosting, RDS PostgreSQL, S3 audio staging, CloudWatch logs, ALB, WAF, CloudFront, Parameter Store, Route 53, DLM | All PHI (at rest in RDS/EBS/S3; in transit via ALB/CloudFront) | US-East-2 (Ohio) | SOC 2 Type 2, HITRUST CSF, HIPAA-eligible services, ISO 27001 |
| Amazon Web Services, Inc. (Bedrock) | AI inference for clinical note generation and analysis | Transcripts, clinical note context, problem-list context | US-East-2 | Covered under AWS master BAA; Bedrock is HIPAA-eligible |
| Deepgram, Inc. | Audio transcription | Audio files (streamed / uploaded) | US | SOC 2 Type 2, HIPAA |
| Microsoft (Azure) | AI inference and audio transcription (fallback paths) | Audio files, transcripts, clinical note context | US | SOC 2 Type 2, HITRUST, HIPAA BAA-eligible, ISO 27001 |
| Google LLC (Google Cloud) | AI inference (alternative path for problem-list curation and clinical analysis) | Transcripts, clinical context | US | SOC 2 Type 2, HITRUST, HIPAA BAA-eligible |
| Anthropic, PBC | AI inference (direct API path; majority of access is routed via AWS Bedrock under the AWS master BAA above and is covered by that BAA) | Transcripts, clinical context | US | SOC 2 Type 2 |
| Proctor Medical Consulting (independent contractor — backup security contact) | Emergency system access per Business Continuity Plan | Production access; PHI access only during incident response | US | Bound by individual BAA and background check |

These vendors support NovaScribe operations but do not access PHI.

| Vendor | Service | Data accessed | Certifications |
|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management | Customer billing email, card tokens, subscription metadata — no PHI | PCI DSS Level 1, SOC 2 Type 2 |
| GitHub, Inc. | Source code hosting, dependency scanning, GitHub Actions CI | NovaScribe application source code (no PHI) | SOC 2 Type 2, ISO 27001 |
| Hiscox Inc. | Cyber liability insurance carrier | Incident details if a claim is filed — not real-time access | Regulated insurance carrier |
| Amazon SES (covered under master AWS BAA) | Transactional email (account verification, password reset, billing receipts) | Email addresses and subject lines — no PHI in body | Covered under AWS master BAA |
| Google LLC (Search Console) | Search indexing and SEO monitoring of public marketing pages | Public site content only — no PHI access | SOC 2, ISO 27001 |
| Microsoft (Bing Webmaster Tools) | Search indexing of public marketing pages | Public site content only — no PHI access | SOC 2, ISO 27001 |

The following AWS services are consumed under the master AWS BAA listed in §1. They are listed here for transparency:

All of the above inherit AWS's SOC 2 Type 2, HITRUST CSF, and HIPAA-eligible-services controls.

To be notified of changes to this list (additions, removals, or scope changes for PHI sub-processors), email security@novascribe.us with subject "Subscribe to subprocessor updates".