1. About This Document
This document lists all third-party subprocessors engaged by AITACS CRM (the "Processor") that may process
personal data on behalf of the User (the "Controller"). It is maintained in accordance with GDPR Article 28(2) and
the Data Processing Agreement (DPA).
1.1. The Controller has granted general written authorization for
the Processor to engage the subprocessors listed below (see DPA
§6.1).
1.2. The Processor shall notify the Controller at least 14
days in advance of any addition, removal, or replacement of a subprocessor. Notification will be sent
via email to the address associated with the Controller's account.
1.3. The Controller may object to a new subprocessor on reasonable
data protection grounds within the 14-day notice period. If the objection cannot be resolved, the Controller may
terminate the affected service component without penalty (see DPA
§6.3).
2. Summary
| Subprocessor | Country | Function | Receives PHI? | Transfer Safeguard |
|---|---|---|---|---|
| OpenAI, LLC | USA | AI processing | No — de-identified data only | SCCs + Safe Harbor de-identification |
| Hetzner Online GmbH | Germany | Database hosting | Yes — encrypted in transit (TLS 1.2+) | SCCs + TLS 1.2+ (EU hosting) |
| Google LLC (Firebase) | USA | Authentication | No — User email & UID only | Google Cloud DPA + SCCs |
| PayPal Holdings, Inc. | USA | Payment processing | No — payment data only | PCI DSS Level 1 + SCCs |
3. Detailed Subprocessor Information
3.1. OpenAI, LLC (USA)
Function:
AI-assisted clinical session analysis, technique recommendations, progress summaries, and
general chat assistance within the Platform.
Data received:
De-identified data only: client pseudonym (nickname), age (integer, not
date of birth), gender, clinical context (presenting complaints, session notes, therapeutic goals) — all
scrubbed of residual PII patterns. See Privacy
Policy §2–3 for full data flow.
Data NOT sent:
Real names, dates of birth, phone numbers, email addresses, physical addresses, emergency
contacts, or any other direct identifier.
PHI status:
Not PHI — data is de-identified per the HIPAA Safe Harbor method (45 CFR §164.514(b)(2)) before
transmission. All 18 identifier categories are removed via a dual-layer filter (client-side + server-side).
Two Safe Harbor conditions apply to the fields listed above: ages over 89 must be aggregated into a single
"90 or older" category and no date element other than year may remain; and the data counts as de-identified
only while the Processor has no actual knowledge that what remains could identify the client. Pattern-based
filtering reliably removes formatted identifiers (phone numbers, email addresses, dates, postal codes); names or
places typed into free-text session notes are removed only where the filter recognises them.
Data retention:
Data is processed via the OpenAI API under a zero-retention arrangement; API inputs and
outputs are not used to train models (OpenAI API data usage policy, effective March 1, 2023). Retention:
0 days. Zero Data Retention is not the API default (by default OpenAI retains API inputs and outputs for up
to 30 days for abuse and misuse monitoring) and has to be granted by OpenAI for the Processor's API
organisation.
Transfer safeguard:
OpenAI Data Processing Addendum, which incorporates the EU Standard Contractual Clauses
(SCCs, Commission Implementing Decision (EU) 2021/914). Additional risk mitigation: data is de-identified
before transfer. Because the Processor keeps the link between the client pseudonym and the client record,
the transferred data is pseudonymised rather than anonymised in GDPR terms (Art. 4(5), Recital 26) and is
still treated as personal data; the SCCs remain the operative transfer safeguard.
DPA/BAA status:
Not required — de-identified data is not PHI;
no BAA obligation. For Enterprise deployments with identified PHI, a direct BAA with OpenAI is available (see
BAA §10).
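The dual-layer filter above is described only by its effect. The following added example is not AITACS CRM code and assumes its own record field names (real_name, dob, emergency_contact_name, session_notes and so on); it shows what the server-side layer of such a Safe Harbor filter does before an API call: copy only an allow-list of fields, bucket the age, strip formatted identifiers with patterns, strip the names the record already holds, and return an audit trail of labels rather than values. It also shows where pattern scrubbing stops: a third party's name typed into free text is not caught.

```python
import re

# Added illustration (not AITACS CRM's own code) of the server-side layer of a
# "dual-layer" residual-PII filter applied before session data leaves for an AI
# subprocessor. Record field names such as real_name, dob and session_notes are
# assumed for the example; the regexes are deliberately simple.

# Formatted identifiers a regular expression can catch reliably. Order matters:
# the more specific patterns run first so that, e.g., the middle of a phone
# number is not consumed as a ZIP code before the phone pattern sees it.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL",   re.compile(r"https?://\S+")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")),
    ("DATE",  re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}[/.]\d{1,2}[/.]\d{2,4})\b")),
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Only these fields are ever copied into the outbound payload; everything else in
# the record (real_name, dob, phone, email, address, emergency contact) is dropped
# by construction, so a gap in the regexes cannot leak a structured field.
ALLOWED_FIELDS = ("nickname", "gender", "presenting_complaints", "session_notes", "goals")
FREE_TEXT_FIELDS = ("presenting_complaints", "session_notes", "goals")


def bucket_age(age: int) -> str:
    """Safe Harbor, 45 CFR 164.514(b)(2)(i)(C): ages over 89 must be aggregated
    into a single '90 or older' category; younger ages may be sent as integers."""
    if age < 0:
        raise ValueError("age must be non-negative")
    return "90+" if age > 89 else str(age)


def scrub_text(text: str, known_identifiers: list) -> tuple:
    """Redact residual identifiers from free text.

    Returns (scrubbed_text, labels). `labels` records what was redacted
    (EMAIL, PHONE, NAME, ...) but never the removed values, so it can be logged.
    """
    labels = []
    # Pass 1: formatted identifiers.
    for label, pattern in PATTERNS:
        text, n = pattern.subn(f"[{label}]", text)
        labels.extend([label] * n)
    # Pass 2: exact strings the server already knows for this client (real name,
    # emergency contact). No regex can guess these, but the record holds them,
    # so the server-side layer can strip every word of them.
    tokens = {t for ident in known_identifiers if ident
              for t in ident.split() if len(t) >= 3}
    for token in sorted(tokens, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(token) + r"\b", re.IGNORECASE)
        text, n = pattern.subn("[NAME]", text)
        labels.extend(["NAME"] * n)
    return text, labels


def build_llm_payload(record: dict) -> dict:
    """Assemble the de-identified payload for the AI subprocessor."""
    known = [record.get("real_name"), record.get("emergency_contact_name")]
    payload = {"age": bucket_age(record["age"])}
    redactions = []
    for field in ALLOWED_FIELDS:
        value = record.get(field, "")
        if field in FREE_TEXT_FIELDS:
            value, labels = scrub_text(value, known)
            redactions.extend(labels)
        payload[field] = value
    payload["_redactions"] = sorted(redactions)  # audit trail: labels only
    return payload


# Constructed sample record; not real client data.
SAMPLE_RECORD = {
    "real_name": "Maria Lopez",
    "nickname": "M.",
    "dob": "1934-05-02",
    "age": 91,
    "gender": "F",
    "phone": "+1 (555) 123-4567",
    "email": "maria.lopez@example.com",
    "emergency_contact_name": "Carlos Lopez",
    "presenting_complaints": "Anxiety since retirement; lives alone.",
    "session_notes": ("Maria mentioned her son Carlos calls on 555-123-4567 most "
                      "evenings. Follow-up booked for 03/14/2026. Reached her at "
                      "maria.lopez@example.com. Her neighbour Gladys visits on Sundays."),
    "goals": "Reduce panic episodes; reconnect with neighbours.",
}

if __name__ == "__main__":
    for key, value in build_llm_payload(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Running the file prints the payload for the constructed record: the client's and her son's names, the phone number, the date and the email address come back as labels, the age becomes "90+", and the identified fields are absent from the payload altogether. "Gladys" survives, because nothing in the record marks that word as a name; that is the residual risk a second, client-side layer and the "no actual knowledge" condition have to cover.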
3.2. Hetzner Online GmbH (Germany)
Function:
MySQL database hosting, PHP application server, SSL/TLS termination, automated
backups.
Data received:
All CRM data including client records (names, contacts, clinical data),
User account data, session history, calendar events. Data is encrypted in transit (TLS 1.2+).
PHI status:
Contains PHI — the hosting provider stores
the MySQL database which contains identifiable client records. This is the primary PHI storage location for
SaaS deployments.
Data retention:
Data retained for the duration of the hosting agreement. Backups retained for up to 30
days. Full deletion upon account termination.
Transfer safeguard:
Standard Contractual Clauses (SCCs). Data is stored in the EU (Germany). TLS 1.2+ encryption for all data
in transit. Server-level access controls.
DPA/BAA status:
DPA required — the Processor maintains a
data processing agreement with the hosting provider. Migration to a hosting environment that signs a HIPAA
Business Associate Agreement is planned for Enterprise deployments (HIPAA has no certification scheme, so
BAA coverage, not a "HIPAA certification", is the applicable test).
3.3. Google LLC (Firebase) (USA)
Function:
User authentication and identity management. Provides secure sign-in (email/password,
OAuth) and unique User IDs (UIDs) for data isolation.
Data received:
User email address and UID only. No End Client data, no clinical data,
no PHI.
PHI status:
No PHI — Firebase receives only the User's
(therapist's) email and UID. No End Client information is transmitted to Firebase.
Data retention:
Per Google Firebase terms. User account data retained until account deletion.
Transfer safeguard:
Google Cloud DPA (includes SCCs). See Firebase Privacy and
Security.
DPA/BAA status:
DPA included — Google Cloud Data Processing
Terms apply automatically to Firebase services.
3.4. PayPal Holdings, Inc. (USA)
Function:
Payment processing for subscription purchases. Instant Payment Notification (IPN) for
license activation.
Data received:
User payment information only: email address, transaction ID, payment
amount, subscription plan. No clinical data, no End Client data.
PHI status:
No PHI — PayPal processes financial
transactions only. No health information is transmitted.
Data retention:
Per PayPal's data retention policy and applicable financial regulations.
Transfer safeguard:
PCI DSS Level 1 certified. PayPal User Agreement and Privacy Statement apply. SCCs for EU
data transfers.
DPA/BAA status:
Not required — PayPal acts as an independent controller for payment execution under its
own User Agreement and Privacy Statement, not as a processor on the Controller's behalf, and no PHI is
involved.
4. Change Notification Policy
4.1. The Processor commits to maintaining this list in an accurate
and up-to-date state.
4.2. Before engaging any new subprocessor or replacing an existing
one, the Processor shall:
a) Update this Subprocessor List at
least 14 days before the new subprocessor begins processing data;
b) Send an email notification to all
active Users (Controllers) describing the change, the identity and location of the new subprocessor, and the data
it will process;
c) Allow the Controller to object
within the 14-day notice period on reasonable data protection grounds.
4.3. If the Controller objects and the Processor cannot reasonably
accommodate the objection (including by offering an alternative subprocessor or configuration), the Controller may
terminate the affected service component without penalty, as specified in DPA §6.3.
5. Change Log
Feb 20, 2026
Initial publication. Four subprocessors listed: OpenAI, LLC; Hetzner Online GmbH; Google LLC (Firebase);
PayPal Holdings, Inc.
Subscribe to Updates
To receive notifications about subprocessor changes, ensure your account email is current in the Platform
settings. All change notifications are sent to the email address associated with your AITACS CRM account. You
may also check this page periodically for updates.