Trust & Compliance

Subprocessors

BenTrustCo uses a limited number of carefully vetted subprocessors to deliver our services. All subprocessors with access to Protected Health Information (PHI) have executed Business Associate Agreements (BAAs) with BenTrustCo.

Last Updated: April 16, 2026

HIPAA Compliance

BenTrustCo requires all subprocessors that create, receive, maintain, or transmit Protected Health Information (PHI) to execute a HIPAA-compliant Business Associate Agreement (BAA) prior to processing any PHI. All subprocessors must implement administrative, physical, and technical safeguards equivalent to those required under 45 C.F.R. Parts 160 and 164.

Vercel Inc.

vercel.com

United States

BAA Executed

Services Provided

  • Application hosting and serverless compute
  • Vercel Blob — encrypted document and file storage
  • Content delivery network (CDN) and edge network

Data Categories Processed

Application data, uploaded documents, logs, session tokens

MongoDB, Inc. (Atlas)

mongodb.com

United States (AWS us-east-1)

BAA Executed

Services Provided

  • Primary database for user accounts, claims, and messages
  • Encrypted at rest and in transit

Data Categories Processed

User profiles, claim records, message threads, authorization records

Stripe, Inc.

stripe.com

United States

Services Provided

  • Payment processing for plan purchases and subscriptions
  • Secure checkout session hosting
  • Webhook delivery for payment lifecycle events

Data Categories Processed

Payment card data (PCI DSS scoped), billing email address, transaction amounts, plan identifiers

Cloudflare, Inc.

cloudflare.com

United States

Services Provided

  • Turnstile CAPTCHA — bot and abuse detection on login, signup, and contact forms

Data Categories Processed

IP addresses, browser metadata, and interaction signals used for bot detection. No PHI is transmitted.

HubSpot, Inc.

hubspot.com

United States

Services Provided

  • CRM — contact form submissions are stored as HubSpot contacts
  • Lead management and follow-up tracking

Data Categories Processed

Name, email address, company, job title, and message content submitted via the contact form

Data Residency

All customer data and PHI are stored and processed in the United States. BenTrustCo does not transfer PHI outside of the United States. Our infrastructure runs on Vercel's US region (powered by AWS us-east-1) and MongoDB Atlas US clusters.

Changes to Subprocessors

BenTrustCo will provide at least thirty (30) days' notice before adding or replacing subprocessors that process PHI. Notifications will be sent to the email address associated with your account. To object to a new subprocessor, contact us at privacy@bentrustco.com. To be notified of subprocessor changes, ensure your email address is up to date in your account settings.