Subprocessor list.
Third-party service providers Burna engages to deliver and support the platform. Categorized for GDPR Article 28 and HIPAA business associate transparency. Customer-facing change notifications precede any new engagement.
The categories and disclosure structure below are correct for GDPR Article 28 and HIPAA business associate transparency. The specific named subprocessors, processing locations, and data scopes require engineering verification before this page goes live. Sections 3 through 10 are placeholder skeleton tables; each unfilled row is marked with a TODO Engineering chip.
01 Introduction
Burna AI uses third-party service providers (subprocessors) to deliver and support its platform. This page lists the categories of subprocessors Burna engages, the purpose of each engagement, and the geographic regions where data may be processed.
Burna AI maintains a Data Processing Agreement (DPA) with each subprocessor that handles personal data, and a Business Associate Agreement (BAA) with each subprocessor that may handle Protected Health Information (PHI) under HIPAA. Subprocessors are evaluated against Burna’s security and compliance standards before onboarding and re-evaluated on a defined cadence.
This page is updated whenever a subprocessor is added, removed, or materially changed. Customers may subscribe to subprocessor change notifications by emailing privacy@burna.ai.
02 How to Read This List
For each subprocessor, the table below shows:
- Provider: the legal entity providing the service.
- Purpose: what Burna uses the service for.
- Data categories: what categories of data the subprocessor may process.
- Processing location: the geographic region(s) where data may be stored or processed.
- PHI access: whether the subprocessor may access Protected Health Information under HIPAA.
- Compliance: the subprocessor’s relevant compliance certifications (SOC 2 Type II, ISO 27001, HIPAA BAA).
03 Cloud Infrastructure and Hosting
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: cloud provider] | Application hosting, database hosting, file storage | [ENG] | Yes (BAA, region-restricted) | [ENG: SOC 2 Type II, ISO 27001, HIPAA BAA] | TODO · Eng |
| [ENG: regional cloud partner] | Sovereign cloud hosting for regional deployments | [ENG: regional] | Yes (BAA, region-restricted) | [ENG: per region] | TODO · Eng |
04 Database and Application Infrastructure
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: real-time DB] | Real-time application data and customer metadata | [ENG] | Yes (BAA where applicable) | [ENG: certifications] | TODO · Eng |
| [ENG: object storage] | File and document storage | [ENG] | Yes (BAA, encrypted at rest) | [ENG: certifications] | TODO · Eng |
05 AI Model Providers (Inference Only)
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: LLM provider] | Language model inference for the twelve-agent cascading constraint pipeline | [ENG: provider regions] | No (PHI is de-identified before model invocation) | [ENG: provider enterprise compliance posture, BAA if applicable] | TODO · Eng |
Burna AI does not allow customer data to be used for model training or fine-tuning without explicit written consent from the customer for that specific use. Enterprise-grade contracts with LLM providers exclude customer data from training corpora by default. See the Responsible AI Statement for the full commitment.
06 Email, Communication, CRM
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: transactional email] | Transactional email (account, notifications, brief delivery) | [ENG] | No | [ENG: SOC 2, GDPR DPA] | TODO · Eng |
| [ENG: newsletter platform] | Newsletter subscription and delivery | [ENG] | No | [ENG: GDPR DPA] | TODO · Eng |
| Calendly | Calendar booking for conversations | [ENG] | No | [ENG: SOC 2, GDPR DPA] | TODO · Eng |
| [ENG: CRM provider] | Pipeline tracking, conversation history | [ENG] | No | [ENG: certifications] | TODO · Eng |
07 Analytics and Observability
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: privacy-preserving web analytics] | Aggregated website traffic measurement | [ENG] | No | [ENG: GDPR DPA, no third-party sharing] | TODO · Eng |
| [ENG: error monitoring] | Application error tracking | [ENG] | No (PHI stripped from error contexts) | [ENG: SOC 2, GDPR DPA] | TODO · Eng |
| [ENG: log aggregation] | Application and infrastructure log aggregation | [ENG] | No (PHI never logged per pre-commit checks) | [ENG: certifications] | TODO · Eng |
08 Authentication and Identity
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: auth provider] | Customer authentication, session management | [ENG] | No | [ENG: SOC 2, ISO 27001] | TODO · Eng |
09 Payment Processing
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: payment processor] | Subscription and invoice processing | [ENG] | No | [ENG: PCI DSS Level 1, SOC 2] | TODO · Eng |
| WeFunder | Securities crowdfunding platform for the physician-led seed round | US | No | SEC-registered funding portal | Active |
10 Other Services
| Provider | Service | Region | PHI | Compliance | Status |
|---|---|---|---|---|---|
| [ENG: document signing, legal review, expense tracking, etc.] | [ENG: as applicable] | [ENG] | [ENG] | [ENG] | TODO · Eng |
11 Subprocessor Onboarding Process
Burna AI engages a new subprocessor only after:
- Security and compliance review of the subprocessor’s posture (SOC 2 report, ISO 27001 certification, HIPAA BAA capability where applicable).
- Privacy review of the subprocessor’s data handling and subprocessing chain.
- Execution of a Data Processing Agreement (DPA) with appropriate Standard Contractual Clauses for international transfers.
- Execution of a Business Associate Agreement (BAA) where the subprocessor may access PHI.
- Internal documentation of the data flow, retention, and incident response interface.
- Approval by Burna AI’s security and engineering leadership.
12 Notification of Changes
Burna AI notifies customers of new subprocessors that may process customer data at least 30 days before the subprocessor is engaged. Customers may object to a new subprocessor in writing within the notification window; Burna AI will work with the customer to find an alternative or, if no alternative is feasible, the customer may terminate the affected portion of the engagement with a pro-rata refund.
Subprocessor change notifications are sent to customer-designated security contacts and posted on this page.
To subscribe to subprocessor change notifications without an active customer relationship, email privacy@burna.ai with the subject line “Subprocessor Change Notifications.”
13 Contact
For questions about Burna AI’s subprocessors, processing locations, or data handling practices, reach the inboxes below.
Subprocessor questions
For privacy review, security questionnaires, or to subscribe to subprocessor change notifications. We respond within standard business cycles.