Subprocessors
Third-party service providers we engage to deliver the Cloud Anesthesia Service, including the categories of data they process and whether they have access to Protected Health Information (PHI).
Cloud Anesthesia Solutions, LLC (“Cloud Anesthesia”) engages a limited number of third-party subprocessors to support delivery of our scheduling software-as-a-service. Each subprocessor below is bound by a written agreement requiring them to protect the data they process. Subprocessors that have access to Protected Health Information operate under a signed Business Associate Agreement (BAA) consistent with HIPAA's requirements.
This list is maintained as required by Section 6.9 of our Terms of Service and Section 4.2 of our Privacy Policy. Subprocessors with PHI access are also identified in Appendix B of our Business Associate Agreement.
Current Subprocessors
| Subprocessor | Purpose | Data Categories | PHI Access | Location |
|---|---|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure hosting (compute, block storage, networking) | All Service data, including PHI, at rest and in transit | Yes — under BAA | United States |
| Cloudflare, Inc. | Authoritative DNS (DNS-only / non-proxy mode) | Domain name records only; no Service traffic, no PHI | No | United States (global DNS network) |
| Internet Security Research Group (Let's Encrypt) | Issuance and renewal of TLS certificates for *.cloud-anesthesia.com | Domain names only (no user or Service data) | No | United States |
How We Choose Subprocessors
Before engaging any subprocessor with access to Customer Data, we evaluate the subprocessor's information-security posture, contractual commitments, applicable certifications (such as SOC 2, HITRUST, or ISO 27001), and ability to comply with HIPAA where PHI is involved. We require a signed Business Associate Agreement before granting PHI access to any subprocessor.
Notifications of Changes
We will update this page when we add, replace, or remove a subprocessor with access to Customer Data. Customers may also subscribe to subprocessor change notifications by writing to legal@cloud-anesthesia.com. For changes affecting PHI subprocessors, we provide written notice consistent with the timing obligations in our Business Associate Agreement (typically not less than thirty (30) days where commercially feasible).
What Cloudflare Does (and Does Not Do)
Cloud Anesthesia uses Cloudflare for authoritative DNS only (gray-cloud / DNS-only mode). Cloudflare does not proxy, terminate, inspect, or cache any Service traffic. Customer Data, including PHI, never traverses Cloudflare infrastructure. For this reason, a Business Associate Agreement with Cloudflare is not required for our deployment configuration.
Questions
For questions about this page or our subprocessors, contact legal@cloud-anesthesia.com. For security-related questions, contact security@cloud-anesthesia.com.