Trust Centre · Sub-processors

Trusted providers. Controlled use.

OHS uses established infrastructure and service providers to host, secure, connect, process, and support clinic workflows. Provider selection is guided by healthcare privacy realities: PHIPA-aligned workflow design, Canadian privacy expectations, and the practical sensitivity of health identifiers. Sub-processors are not invisible background tools. They are part of the trust architecture: selected deliberately, scoped to the work they perform, and governed through the OHS operating layer.

SOC 2 Type II-audited vendors PHIPA-aligned selection Limited-purpose use Published vendor list
Why this page exists

A platform is only as trustworthy as the systems it depends on. So we chose carefully.

OHS is built on established infrastructure and service providers with serious security and operational controls. That foundation matters because healthcare workflow software cannot sit on fragile systems.

Vendor trust is not just about choosing strong providers. It is about choosing providers with healthcare privacy in mind, limiting what each provider does, understanding what data may flow through each service, and keeping OHS responsible for how those services are configured, connected, monitored, and governed.

How OHS thinks about sub-processors

Three principles shape the OHS vendor model.

OHS does not treat third-party services as interchangeable plug-ins. Each provider has a defined role in the system, a clear reason for being used, and a bounded place inside the OHS operating layer.

01

Built on serious infrastructure

OHS uses infrastructure and service providers with SOC 2 Type II-audited controls for core platform operations.

That foundation matters. Clinics can trust that the systems underneath OHS are established, reviewed, and appropriate for sensitive operational workflows.

02

Data exposure is limited by design

OHS is designed to avoid sending more information to a provider than the workflow requires. Some providers host infrastructure. Some process workflow data. Some support authentication, messaging, AI processing, payment workflows, OCR, document extraction, or connected-service access.

Each provider’s role stays scoped, intentional, and proportionate to the task. Health information requires this discipline. OHS provider use is shaped by PHIPA-aligned workflow design, Canadian privacy expectations, and the practical sensitivity of health identifiers.

03

Provider use remains reviewable

Clinics can understand which providers support the platform and what role they play.

The sub-processor list stays clear enough for clinic owners, privacy reviewers, and due-diligence readers to understand the OHS operating model without needing to reverse-engineer the stack.

The current vendor list

Current and module-specific providers.

The providers below currently support OHS or are planned for specific OHS modules. Provider use is scoped to the role each service performs inside the platform. Certifications shown belong to each provider for its own systems.

Provider
Role in OHS
Use in OHS
Primary assurance
Published compliance
Vercel
Hosting and deployment
Hosts OHS web properties and applications
SOC 2 II
SOC 2 Type II attestation
Supabase
Database and backend services
Client environments, workflow metadata, authentication, storage, and backend services
SOC 2 II ISO 27001
SOC 2 Type II, ISO 27001, HIPAA, PCI DSS, GDPR
Google Workspace / Google Cloud
Connected inbox and OAuth services
Gmail OAuth, connected inbox workflows, and Google infrastructure services
SOC 2 II ISO 27001
SOC 2 Type II reports, ISO certifications, broader compliance documentation
Google Cloud Document AI
OCR and document extraction
Fax Intelligence and document-processing workflows
SOC 2 II
Google Cloud SOC 2 Type II reports and compliance documentation
GitHub
Source control and deployment workflow
Code hosting, version control, and deployment workflow
SOC 2 II ISO 27001
SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2022, PCI DSS attestation
Resend
Email delivery
Transactional and workflow-related email
SOC 2 II
SOC 2 Type II
Anthropic
AI processing
Classification, drafting, review, and workflow intelligence
SOC 2 II ISO 42001
SOC 2 Type I and Type II, ISO/IEC 42001
OpenAI
AI processing
Classification, drafting, review, and workflow intelligence
SOC 2 II ISO 27001
SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701
Stripe
Payments and billing
Payment workflows where enabled
SOC 2 II PCI DSS
SOC 1 and SOC 2 Type II reports, PCI-focused payment security controls
The standard

The vendor stack supports OHS. The discipline doesn’t change.

OHS chooses infrastructure and service providers deliberately, but the clinic relationship remains with OHS. The platform is responsible for how providers are selected, configured, connected, scoped, monitored, and governed inside clinic workflows.

As OHS adds modules, expands into new workflows, or evaluates better-fit providers, the selection discipline doesn’t move: serious infrastructure, limited data exposure, healthcare-grade privacy thinking, and reviewable vendor use.

Some providers will be replaced. The standard for replacing them will not be.

In practice

What this means for a clinic using OHS.

Sub-processor governance should be visible enough for review and practical enough to support real clinic operations.

Clear provider roles

Each provider has a defined function inside the OHS platform. No mystery infrastructure, no anonymous third parties handling clinic workflow data.

Audited infrastructure foundation

OHS uses SOC 2 Type II-audited infrastructure and service providers for core platform foundations.

Limited-purpose processing

Provider access is tied to the workflow being performed, not treated as broad background access. Each service does its job and nothing more.

Reviewable vendor model

The Trust Centre gives clinics and reviewers a clear place to understand which systems support OHS and why.

Sub-processors · Trust Centre · Last reviewed May 2026 · v1.0 Questions about this page? → Visit OHS Flow