Trust
Subprocessors
Last updated: 2026-05-07
Waiting Room uses the third-party services listed below to operate the platform. Each one has signed (or will sign before that data type lands) our Data Processing Agreement and is bound to the same confidentiality and security obligations we owe to clinics under our PHIPA Agent relationship.
We do not share data with any party not on this list. We update this page before adding a new subprocessor.
| Vendor | Purpose | Data | Region | DPA |
|---|---|---|---|---|
| Supabase (AWS) | Postgres database, authentication, realtime | All app data: clinics, appointments, encrypted phones, audit log | AWS ca-central-1 (Canadian region on Pro tier) | Signed |
| Twilio | SMS delivery (outbound + inbound) | Phone numbers, message bodies | US (TLS in transit; HIPAA Eligible enrollment planned for US expansion) | Signed |
| Google Maps Platform | Travel time and geocoding (when leave-by feature is enabled) | Origin coordinates, clinic coordinates | US | Covered under Google Cloud DPA |
| Vercel | Hosting and edge runtime | All app data passing through request/response | Global edge, primary US | Signed |
| Sentry | Error monitoring | Sanitized error events — phone numbers, names, JWTs, IPs are scrubbed before send | US | Signed |
| Stripe | Subscription billing (clinic-side only) | Clinic billing email, payment method (held by Stripe, not us) | US/Canada | Signed when paid plans launch |
Cross-border transfer
The primary database lives in Canada (AWS ca-central-1). Some subprocessors (Twilio, Google Maps, Vercel edge, Sentry) operate in the United States. We disclose this transfer in our Privacy Policy and the consent rider clinics include in their patient intake.
Questions? Email support@a77inc.com.