Back to home
Legal
Subprocessors
The vendors that may process customer data on Wilma's behalf, what they do, and where they sit.
Last updated
We give customers at least 30 days' notice before adding or replacing any subprocessor that handles PHI. Subscribe to subprocessor change notices ↓
Current list
The following subprocessors may process customer data as part of operating the Wilma platform. Voice and telephony providers handling PHI are bound by Business Associate Agreements.
| Vendor | Purpose | Location | Agreement |
|---|---|---|---|
| Vercel | Frontend hosting, edge runtime | United States | BAA in place |
| Amazon Web Services (AWS) | Application servers, primary database, object storage | United States (us-east-1, us-west-2) | BAA in place |
| Twilio | Telephony — inbound/outbound voice and SMS | United States | BAA in place |
| Resend | Transactional email (confirmations, recall notices) | United States | BAA on request |
| Stripe | Billing & payment processing (card-on-file collections) | United States | PCI DSS Level 1 / BAA on request |
| DentalXChange | Real-time insurance eligibility & benefits | United States | BAA in place |
| Voice processing partner | Real-time speech synthesis & speech recognition | United States | Listed in BAA addendum (Group plan) |
| Sentry | Error monitoring (no PHI captured) | United States | DPA in place; PHI scrubbing enabled |
| Vercel Analytics | First-party usage analytics on marketing pages only | United States | No PHI / DPA in place |
How we evaluate subprocessors
Before engaging any vendor that touches customer data, we review:
- SOC 2 Type II report (or equivalent)
- Data-processing terms and where they store data
- Encryption at rest and in transit
- Breach-notification timelines
- Sub-subprocessor disclosures
For any vendor that may handle PHI, we additionally require a Business Associate Agreement and proof of HIPAA Security Rule compliance.
Get notified of changes
To receive email notice when we add, remove, or change a subprocessor handling PHI, email our legal team and ask to join the subprocessor notice list.