Subprocessors
Last updated: April 17, 2026
Ralt Health uses the subprocessors listed below to operate the website and the Ralt Health Dashboard product. Practice customers subject to HIPAA can request a Business Associate Agreement (BAA) as part of any engagement where Ralt Health may create, receive, maintain, or transmit Protected Health Information on behalf of the customer. Where a subprocessor supports BAAs for their service tier, we execute them before that subprocessor is involved in handling customer data.
Website (ralthealth.com)
These subprocessors support the marketing website only. No Protected Health Information passes through the website; our Privacy Policy explicitly requests that visitors not submit PHI through contact forms.
| Subprocessor | Purpose | Data handled | Location | BAA available |
|---|---|---|---|---|
| Cloudflare, Inc. | Hosting (Cloudflare Pages), DNS, CDN, web analytics | Anonymous web analytics (pageviews, approximate region, device class). No cookies, no fingerprinting. | USA (edge network global) | Yes |
| Calendly, LLC | Appointment scheduling | Name, email, appointment time selected | USA | Not required |
| Web3Forms | Contact form backend + free-audit-tool submission logging | Contact form: name, email, phone, practice name, free-text message. Audit tool: URL entered, IP address, IP-derived location (country, region, city, postal code), user agent, referrer, timestamp. | USA | Not required |
| Google LLC (PageSpeed Insights API) | Public-URL audit tool — fetches accessibility and performance scores for a URL the visitor provides | The URL submitted by the visitor. No personal data transmitted to Google. | USA | Not required |
Ralt Health Dashboard
These subprocessors support the Ralt Health practice performance dashboard offered to customers. The product is currently in a no-PHI v1: customer data includes operational signals (appointment flow, billable events with anonymous codes) but not names, dates of birth, medical record numbers, or clinical detail. Where a subprocessor is BAA-eligible, BAAs are executed before production data flows.
| Subprocessor | Purpose | Data handled | Location | BAA available |
|---|---|---|---|---|
| Vercel, Inc. | Dashboard hosting (Next.js runtime, edge functions) | Dashboard session cookies, server logs | USA | Yes |
| Supabase, Inc. | Dashboard Postgres database, authentication, realtime | Per-practice operational data (appointments, billable events — no PHI in v1) | USA | Yes |
| Microsoft Corporation | Microsoft Entra (SSO auth) and Microsoft Graph (Mail, Calendar, Teams integrations) | User identity tokens, Graph API payloads as opted into by the practice | USA | Yes |
| Anthropic, PBC | AI features (read-only agent interface in v1) | Structured queries and derived summaries; no PHI transmitted in v1 | USA | Yes |
| Functional Software, Inc. d/b/a Sentry | Error monitoring and performance telemetry | Stack traces, request metadata; sensitive fields scrubbed server-side before transmission | USA | Yes |
| Resend, Inc. | Transactional email (magic-link sign-in, admin invites) | Recipient email, message content | USA | Yes |
Changes
We will update this page before materially changing our subprocessor roster. Customers with signed Master Services Agreements will receive direct notice consistent with those agreements.
Contact
Questions about our subprocessors? Email us at contact@ralthealth.com.