Skip to main content
JamEMR

Trust Center

Subprocessors

JamEMR's architecture minimizes subprocessors — clinical AI runs locally, so no subprocessor receives PHI for clinical AI processing. The current minimal list is published here. This is a living document.

Why this list is short

Most AI health products carry a long subprocessor list because their AI runs in someone else’s cloud. JamEMR’s architecture minimizes subprocessors by design: clinical AI inference runs on dedicated local hardware inside the deployment environment, so the usual largest category of subprocessor — a third-party AI provider handling patient data — simply does not exist here.

No subprocessor receives protected health information for clinical AI processing.

Current subprocessors

SubprocessorPurposeData involved
CloudflareInfrastructure, DNS, and CDN for the public jamemr.com website onlyPublic website traffic — no PHI, no patient records
Google WorkspaceEmail and business communicationsBusiness correspondence — not patient records

That is the complete current list.

What is in place today

  • Clinical AI processing (ambient transcription, clinical language-model processing) runs locally in the deployment environment — no AI subprocessor, no PHI leaving for inference.
  • The public website is architecturally separate from clinical systems and holds no PHI; Cloudflare fronts only that public site.
  • Business email through Google Workspace is used for correspondence, not for storing or transmitting patient records.
  • Where a future subcontractor would handle PHI, our Business Associate Agreement obligations require it to be bound by equivalent terms before any PHI access.

On our roadmap

  • This list will be maintained as the service evolves. This page is a living document: if we add a subprocessor, we will list it here — including its purpose and the data involved — before it processes customer data.
  • A formal subprocessor notification process (advance notice of additions to customers under a BAA) is part of the documented policy pack now in progress.
  • As we approach general availability, planned third-party penetration testing and the planned SOC 2 Type II examination will include how we govern any vendors in scope. The SOC 2 examination has not started; we do not claim SOC 2 compliance.

Questions

If your compliance review needs more detail on either vendor above — or written confirmation that no subprocessor receives PHI for clinical AI processing — contact privacy@jamemr.com.

Last updated: this page is reviewed whenever our vendor list changes.

← Trust Center