Why this list is short
Most AI health products carry a long subprocessor list because their AI runs in someone else’s cloud. JamEMR’s architecture minimizes subprocessors by design: clinical AI inference runs on dedicated local hardware inside the deployment environment, so the usual largest category of subprocessor — a third-party AI provider handling patient data — simply does not exist here.
No subprocessor receives protected health information for clinical AI processing.
Current subprocessors
| Subprocessor | Purpose | Data involved |
|---|---|---|
| Cloudflare | Infrastructure, DNS, and CDN for the public jamemr.com website only | Public website traffic — no PHI, no patient records |
| Google Workspace | Email and business communications | Business correspondence — not patient records |
That is the complete current list.
What is in place today
- Clinical AI processing (ambient transcription, clinical language-model processing) runs locally in the deployment environment — no AI subprocessor, no PHI leaving for inference.
- The public website is architecturally separate from clinical systems and holds no PHI; Cloudflare fronts only that public site.
- Business email through Google Workspace is used for correspondence, not for storing or transmitting patient records.
- Where a future subcontractor would handle PHI, our Business Associate Agreement obligations require it to be bound by equivalent terms before any PHI access.
On our roadmap
- This list will be maintained as the service evolves. This page is a living document: if we add a subprocessor, we will list it here — including its purpose and the data involved — before it processes customer data.
- A formal subprocessor notification process (advance notice of additions to customers under a BAA) is part of the documented policy pack now in progress.
- As we approach general availability, planned third-party penetration testing and the planned SOC 2 Type II examination will include how we govern any vendors in scope. The SOC 2 examination has not started; we do not claim SOC 2 compliance.
Questions
If your compliance review needs more detail on either vendor above — or written confirmation that no subprocessor receives PHI for clinical AI processing — contact [email protected].
Last updated: this page is reviewed whenever our vendor list changes.