Subprocessor list.
Third-party service providers Burna engages to deliver and support the platform. Categorized for GDPR Article 28 and HIPAA business associate transparency. Customer-facing change notifications precede any new engagement.
01Introduction
Burna AI uses third-party service providers (subprocessors) to deliver and support its platform. This page lists the categories of subprocessors Burna engages, the purpose of each engagement, and the geographic regions where data may be processed.
Burna AI maintains a Data Processing Agreement (DPA) with each subprocessor that handles personal data, and a Business Associate Agreement (BAA) with each subprocessor that may handle Protected Health Information (PHI) under HIPAA. Subprocessors are evaluated against Burna’s security and compliance standards before onboarding and re-evaluated on a defined cadence.
This page is updated whenever a subprocessor is added, removed, or materially changed. Customers may subscribe to subprocessor change notifications by emailing privacy@burna.ai.
02How to Read This List
For each subprocessor, the table below shows:
- Provider: the legal entity providing the service.
- Purpose: what Burna uses the service for.
- Data categories: what categories of data the subprocessor may process.
- Processing location: the geographic region(s) where data may be stored or processed.
- PHI access: whether the subprocessor may access Protected Health Information under HIPAA.
- Compliance:the subprocessor’s relevant compliance certifications (SOC 2 Type II, ISO 27001, HIPAA BAA).
03Cloud Infrastructure and Hosting
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Primary cloud infrastructure provider | Application hosting, database hosting, file storage | United States | Yes (BAA, region-restricted) | SOC 2 Type II, ISO 27001, HIPAA BAA | Active |
| Regional cloud partners | Sovereign cloud hosting for regional deployments | Per regional deployment | Yes (BAA, region-restricted) | SOC 2 Type II or regional equivalent, HIPAA BAA where applicable | Active |
04Database and Application Infrastructure
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Real-time application database platform | Real-time application data and customer metadata | United States | Yes (BAA where applicable) | SOC 2 Type II, HIPAA BAA | Active |
| Object storage provider | File and document storage | United States | Yes (BAA, encrypted at rest) | SOC 2 Type II, HIPAA BAA | Active |
05AI Model Providers (Inference Only)
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Enterprise large language model provider | Language model inference for the twelve-agent cascading constraint pipeline | United States and provider enterprise regions | No (PHI is de-identified before model invocation) | Enterprise compliance posture; SOC 2 and HIPAA BAA where applicable; customer data excluded from training | Active |
Burna AI does not allow customer data to be used for model training or fine-tuning without explicit written consent from the customer for that specific use. Enterprise-grade contracts with LLM providers exclude customer data from training corpora by default. See the Responsible AI Statement for the full commitment.
06Email, Communication, CRM
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Transactional email provider | Transactional email (account, notifications, brief delivery) | United States | No | SOC 2, GDPR DPA | Active |
| Newsletter platform | Newsletter subscription and delivery | United States | No | GDPR DPA | Active |
| Calendly | Calendar booking for conversations | United States | No | SOC 2, GDPR DPA | Active |
| Customer relationship management platform | Pipeline tracking, conversation history | United States | No | SOC 2, GDPR DPA | Active |
07Analytics and Observability
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Privacy-preserving web analytics | Aggregated website traffic measurement | United States | No | GDPR DPA, no third-party data sharing | Active |
| Error monitoring provider | Application error tracking | United States | No (PHI stripped from error contexts) | SOC 2, GDPR DPA | Active |
| Log aggregation provider | Application and infrastructure log aggregation | United States | No (PHI never logged per pre-commit checks) | SOC 2, GDPR DPA | Active |
08Authentication and Identity
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Authentication and identity provider | Customer authentication, session management | United States | No | SOC 2, ISO 27001 | Active |
09Payment Processing
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Payment processor | Subscription and invoice processing | United States | No | PCI DSS Level 1, SOC 2 | Active |
| WeFunder | Securities crowdfunding platform for the physician-led seed round | US | No | SEC-registered funding portal | Active |
10Other Services
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| Document signing, legal, and operations tools | Contract execution, professional services, and internal operations | United States | No | SOC 2 or GDPR DPA, as applicable | Active |
11Subprocessor Onboarding Process
Burna AI engages a new subprocessor only after:
- Security and compliance review of the subprocessor’s posture (SOC 2 report, ISO 27001 certification, HIPAA BAA capability where applicable).
- Privacy review of the subprocessor’s data handling and subprocessing chain.
- Execution of a Data Processing Agreement (DPA) with appropriate Standard Contractual Clauses for international transfers.
- Execution of a Business Associate Agreement (BAA) where the subprocessor may access PHI.
- Internal documentation of the data flow, retention, and incident response interface.
- Approval by Burna AI’s security and engineering leadership.
12Notification of Changes
Burna AI notifies customers of new subprocessors that may process customer data at least 30 days before the subprocessor is engaged. Customers may object to a new subprocessor in writing within the notification window; Burna AI will work with the customer to find an alternative or, if no alternative is feasible, the customer may terminate the affected portion of the engagement with a pro-rata refund.
Subprocessor change notifications are sent to customer-designated security contacts and posted on this page.
To subscribe to subprocessor change notifications without an active customer relationship, email privacy@burna.ai with the subject line “Subprocessor Change Notifications.”
13Contact
For questions about Burna AI’s subprocessors, processing locations, or data handling practices, reach the inboxes below.
Subprocessor questions
For privacy review, security questionnaires, or to subscribe to subprocessor change notifications. We respond within standard business cycles.