
    Subprocessors

    The third-party service providers QR Rx uses to deliver the platform, where they sit in the system, and how patient data is protected at each layer.

    Last updated · May 5, 2026

    A subprocessor is a third-party company that QR Rx engages to help operate the platform. This page lists every subprocessor that may, in the course of its role, come into contact with information governed by our Business Associate Agreement or our Privacy Policy. If you are a healthcare provider doing procurement, this is the canonical list to share with your privacy and compliance team.

    §1

    HIPAA-covered subprocessors

    Each of the following providers may, in the course of operating the platform, come into contact with Protected Health Information (PHI). Each maintains a signed Business Associate Agreement (BAA) with QR Rx.

    Render, Inc.

    Purpose: Compute hosting and Postgres database infrastructure for the QR Rx application and its data plane.
    Region: United States (HIPAA-eligible workspace)
    Data accessed: All application data, including PHI processed on behalf of customers.
    BAA: Yes

    Amazon Web Services, Inc.

    Purpose: Object storage for clinic logos, branding assets, and provider-uploaded files (Amazon S3); encryption-key management (AWS KMS).
    Region: United States (us-east region)
    Data accessed: Provider branding assets, file uploads, and the encryption keys protecting at-rest data.
    BAA: Yes

    Paubox, Inc.

    Purpose: HIPAA-compliant transactional email delivery. Sends care plan emails, recovery reminders, password resets, team invitations, and outcome digests.
    Region: United States
    Data accessed: Recipient email address, patient first name, procedure type, secure care plan link, PIN reference.
    BAA: Yes

    Telnyx LLC

    Purpose: SMS delivery for care plan links, recovery check-ins, and unscanned-plan nudges. Delivery-receipt webhooks provide per-message status.
    Region: United States
    Data accessed: Recipient phone number, patient first name, secure care plan link.
    BAA: Yes

    Google LLC (Cloud Translation API)

    Purpose: Procedure-level care plan translation into the patient's preferred language. Used only on the de-identified care plan content, not on patient identifiers.
    Region: United States (Google Cloud)
    Data accessed: Procedure type, instructions, milestone descriptions, medication names. No patient identifiers are transmitted.
    BAA: Yes

    §2

    Non-PHI subprocessors

    The following subprocessors support specific platform features but are never sent Protected Health Information. We list them here in the interest of full transparency.

    Anthropic, PBC

    Purpose: Large language model API used as the last-resort tier for the Cura AI care plan assistant, after the provider FAQ library and the verified cross-clinic Knowledge Base. See BAA Section 22 for the full lookup chain.
    Region: United States
    Data accessed: De-identified care plan content (procedure type, instructions, medication names) plus the patient's question text. Patient names, dates of birth, phone numbers, and email addresses are stripped before any payload leaves QR Rx infrastructure. No PHI is transmitted.
    BAA: Not applicable. Anthropic does not handle PHI; QR Rx de-identifies every payload before transmission. Anthropic's API is configured for zero retention of inputs and outputs.

    Stripe, Inc.

    Purpose: Subscription billing, payment processing, and customer billing portal for healthcare providers. Patients are never billed by QR Rx; Stripe is used on the provider-account side only.
    Region: United States
    Data accessed: Provider billing contact, payment method, subscription status. No patient information.
    BAA: Not applicable. Stripe does not access PHI. Stripe is PCI DSS Level 1 certified.

    Cloudflare, Inc.

    Purpose: Bot-protection challenge (Turnstile) on public forms (contact, intake, patient verification). Reduces automated abuse without affecting legitimate users.
    Region: Global edge network
    Data accessed: Anonymous challenge tokens. No form contents and no PHI are transmitted to Cloudflare.
    BAA: Not applicable.

    Google LLC (Sign-In)

    Purpose: OAuth identity provider for the optional Sign in with Google flow. Used at the provider-portal sign-in surface and the qrrx.net patient account surface.
    Region: United States
    Data accessed: Email address, full name, profile picture URL (the standard Google OAuth scope). No PHI.
    BAA: Not applicable. Used only for identity, not for any PHI flow.

    §3

    Notification of changes

    Business Associate will notify Covered Entities of material changes to this subprocessor list at least 30 calendar days before a new subprocessor with PHI access is engaged, and within 30 calendar days of any other change. Material changes are also reflected in the BAA at qrrx.io/baa. The most current list always lives on this page.

    §4

    Contact us

    For procurement, security review, or compliance questions about any subprocessor on this list, email security@qrrx.io with the subject line "Subprocessor Review."