Security

Subprocessor list

Subprocessors that compose UNMIRI's clinical infrastructure. The PHI path lives entirely inside one AWS account (BAA active 2026-05-09). Microsoft Azure OpenAI provides narrow LLM inference under the Microsoft Online Services BAA (in force since Azure tenant activation per the Microsoft Online Services Terms; acknowledged 2026-05-09; network lockdown active 2026-05-12). Vercel hosts the marketing site only and is deliberately out of BAA scope because no PHI ever reaches it by architecture.

Last updated: May 31, 2026. Contact: security@unmiri.com

Amazon Web Services

BAA active 2026-05-09

Entire PHI path. Single AWS BAA (executed via AWS Artifact) covers Amazon RDS Postgres (structured clinical data, variants, audit logs), Amazon S3 with SSE-KMS (encrypted document storage), AWS KMS (encryption-key management), AWS Textract (PDF extraction during the Tier-3 OCR step), AWS Lambda + API Gateway + Step Functions (compute), AWS Cognito (authentication), AWS Amplify Hosting (app surface at app.unmiri.com; the app SSR layer holds no database driver and reaches RDS only through the VPC-attached api.unmiri.com), and AWS CloudWatch Logs (audit trail). All run in a single AWS production account, us-east-1 region pinned.

Data category: All PHI flows through AWS HIPAA-eligible services within the BAA account only.
Region: us-east-1 (US East, N. Virginia)
BAA status: Active. AWS Business Associate Addendum, in effect for UNMIRI as of 2026-05-09. Account-scoped to a single production AWS account.

Microsoft Corporation

BAA in force since 2025

Narrow LLM inference path. Microsoft Online Services HIPAA Business Associate Agreement covers Azure OpenAI Service — used for two purposes: Tier-4 vision LLM (extraction edge cases on PDF pages that fail Tier-1/2/3 deterministic parsing) and an LLM-judge step that verifies high-uncertainty findings. Final clinical surfaces are rendered from deterministic templates, not LLM prose. Azure OpenAI network access is locked to UNMIRI's AWS NAT egress IP (firewall allow-list) as of 2026-05-12; the Modified Content Filters program is not in use (the application was reviewed and declined under the "unmanaged customer" criterion on 2026-05-10, which does not affect Abuse Monitoring opt-out or the BAA itself).

Data category: De-identified variant context and extraction prompts. No PHI identifiers in prompts.
Region: Microsoft cloud regions (US)
BAA status: Active. Microsoft General HIPAA BAA (May 2025 form), in force for UNMIRI since Azure tenant activation per the Microsoft Online Services Terms; acknowledged via Microsoft Online Services on 2026-05-09. Azure OpenAI network lockdown active as of 2026-05-12.

Vercel

Out of BAA scope by design

Marketing site hosting and edge delivery for unmiri.com only. By design, the marketing site takes no file uploads, has no authenticated routes, and never connects to RDS or any data store containing PHI. Marketing forms collect business inquiries (name, email, company, role) and route via Resend; a visible "please do not include patient information" notice sits adjacent to every free-text field. Inadvertent PHI submission is handled via the documented incident-response procedure.

Data category: Public marketing site traffic and business-inquiry form fields only. Zero PHI by architecture.
Region: US (iad1, sfo1)
BAA status: Not applicable — out of BAA scope by design. No HIPAA add-on purchased; none required under this architecture. If marketing requirements ever change to include PHI handling, the route moves to app.unmiri.com (AWS) instead of expanding Vercel's BAA scope.

Resend

Out of BAA scope by convention

Transactional email delivery for marketing inquiries (Resend standard tier). UNMIRI's email convention: messages never contain PHI in subject, preview, or body. Opaque report identifiers and authenticated-app links replace patient names, MRNs, and dates of birth. This convention keeps Resend out of BAA scope. If a future product requirement ever needs PHI in email content, the BAA conversation happens then; current architecture intentionally avoids it.

Data category: Marketing-form contents and authentication-related notifications. Zero PHI by convention.
Region: US
BAA status: Not applicable — out of BAA scope by email-content convention.

Neo4j Aura

Reference data only — no PHI

Managed Neo4j graph database holding reference clinical knowledge (CIViC variant evidence, ClinVar identifiers, ClinicalTrials.gov metadata, openFDA drug labels, CPIC pharmacogenomics guidelines, PubMed identifiers). Reference data only. UNMIRI's write-time PHI guard prevents any PHI from being persisted to Aura by design.

Data category: Public reference knowledge bases only. No PHI by design.
Region: AWS us-east-1 (Aura's managed deployment)
BAA status: Not applicable — reference data only, no PHI.

Sentry

Out of BAA scope by configuration

Application error monitoring and performance tracing for the marketing site (unmiri.com), the app surface (app.unmiri.com), and the API (api.unmiri.com). Sentry is configured so PHI never reaches it: request bodies are never captured (request-body capture disabled), stack-trace local variables are stripped, and a before-send scrubber redacts request data, query strings, cookies, authorization headers, and user identifiers (email, IP, username) before any event leaves the process. Session Replay is disabled. This configuration keeps Sentry out of BAA scope.

Data category: Error metadata, stack traces, and performance spans with request bodies and identifiers stripped before send. Zero PHI by configuration.
Region: US (Sentry US data region)
BAA status: Not applicable — out of BAA scope by configuration. No PHI is transmitted to Sentry, so no BAA is required (free tier in use). Any future need for PHI-bearing diagnostics would require signing Sentry's Business-tier BAA first; this entry would then be updated.

UNMIRI is pre-pilot and pre-revenue. The architecture is in place: AWS handles the entire PHI path under a single signed BAA in us-east-1; Microsoft Azure OpenAI handles narrow LLM inference under the Microsoft Online Services BAA; Vercel hosts marketing only and is out of BAA scope by design. If a future material change adds a new subprocessor or moves PHI to a new vendor, this page is updated with the signature date and customers with active Business Associate Agreements are notified.

Notification policy

As BAAs are signed and vendors move to active status, this page will be updated with the signature date. Once UNMIRI has active Business Associate Agreements with covered-entity customers, those customers will receive notification of changes that affect their PHI, with sufficient notice to object before a change takes effect.

For vendor due-diligence questions or to ask about the status of any item on this list, email security@unmiri.com.