tinyguard
← Privacy Policy
tinyguard
← Privacy Policy
The third parties that process TinyGuard® customer or end-user data on our behalf. Grouped by purpose, with BAA status per provider. This page is the single source of truth — our BAA §3.3 and our Privacy Policy §8 mirror what's here.
Your facility (the Center) is the data controller. TinyGuard is the data processor. Consent collection, signage, and operational compliance sit with the Center; TinyGuard provides the infrastructure, the audit log, and the compliance dashboard. The subprocessors listed below are sub-processors in that chain — TinyGuard contracts them on your behalf, and each is enumerated here for your transparency and your downstream-BAA review.
Two vertical stacks, separate at the data layer. Childcare facilities operate under our DPA (TG-DPA-001). Elder care facilities operate under the BAA (TG-BAA-E-001) — HIPAA path, not a DPA. We do not reuse childcare patterns for elder PHI; the two stacks remain isolated end-to-end. See the four covenants for the architectural decisions that shape this list.
Customer-impact rule: TinyGuard will not transmit PHI to a subprocessor marked 🟡 or 🔴 without an executed BAA at the time of transmission, per 45 CFR 164.502(e)(1)(ii) and 164.314(a)(2). We give customers 30 days' notice of material changes to this list.
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Intuition Security, Inc. (hCaptcha) | CAPTCHA fraud/bot detection on public auth and signup forms when HCAPTCHA_SECRET is configured | Visitor IP address + browser user-agent fingerprint. Sent to api.hcaptcha.com/siteverify per form submission. No PHI. GDPR Art. 28 sub-processor disclosure. | ⚪ N/A — no PHI; visitor identifiers only |
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Cloudflare, Inc. | Edge compute (Workers), R2 object storage, Cloudflare Tunnel, Cloudflare Calls SFU | All ePHI stored or processed on Cloudflare infrastructure; video segments | 🟡 In progress — Cloudflare BAA on Enterprise plan; required before first HIPAA-regulated facility goes live |
| Neon, Inc. | Serverless PostgreSQL — primary system of record | All platform data. Tenant isolation enforced via Row-Level Security (FORCE on every facility-scoped table) | 🟡 In progress — required before first HIPAA-regulated facility goes live |
Only one AI provider serves a given request. Customers can pick the provider per AI feature in their facility settings; default routing distributes requests across Anthropic and OpenAI by feature. Google Gemini is restricted to non-PHI surfaces until the Vertex AI BAA path is contracted.
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Anthropic, PBC | Claude API — care summaries, daily reports, observation analysis, support chat | Care summaries, incident analyses, parent communications. Prompts may contain child/resident names, care events, health observations. Zero Data Retention available on commercial enterprise terms. | 🟡 In progress — Anthropic offers a HIPAA BAA; required before any PHI traverses this provider in production |
| OpenAI, L.L.C. | gpt-4o-mini — same care-summary, daily-report, observation, parent-comms, and support-chat flows as Anthropic | Same PHI categories as Anthropic | 🟡 In progress — OpenAI Healthcare BAA via direct sales engagement (BAA-request sent 2026-05-22). Zero Data Retention must be confirmed on production runtime keys. |
| Google LLC (Gemini API / Vertex AI) | Tertiary AI provider for the same flows when configured by the facility | Same PHI categories as Anthropic | 🔴 Blocked for PHI — public Gemini API does not sign BAAs. Vertex AI BAA path required (Google Cloud Healthcare). For HIPAA-regulated facilities, Gemini is restricted to non-PHI surfaces (e.g., unauthenticated landing-page support chat) until Vertex contract is in place. |
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Stripe, Inc. | Subscription + tuition payment processing | Billing identifiers and payment methods only; no clinical PHI | 🟢 Available — PHI handling limited to non-clinical billing identifiers |
| Dwolla, Inc. | ACH bank transfer processing (parent → facility tuition) | Verified bank account references | ⚪ N/A — financial identifiers only, no PHI |
| Plaid, Inc. | Bank account verification | Bank credentials passed to Dwolla; not stored by TinyGuard | ⚪ N/A — bank verification only, no PHI |
| Lago, Inc. (getlago.com) | Usage-based billing metering — per-facility AI consumption and plan-tier events posted to api.getlago.com/api/v1 | Per-facility usage events keyed by facilityId (AI units consumed, plan tier, billing cycle). No clinical PHI; facility identifier only. | ⚪ N/A — billing metering only, no PHI |
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Resend, Inc. | Transactional email (daily reports, billing notifications, invitations) | Email addresses and message content (may include child names in daily reports) | 🟡 In progress — required before first HIPAA-regulated facility goes live |
| Twilio, Inc. | SMS notifications (pickup alerts, EVV reminders, two-factor) | Phone numbers and limited message text | 🟡 In progress — required before first HIPAA-regulated facility goes live. A2P 10DLC registration pending in our Twilio Console. |
| Subprocessor | Service | Data category | BAA status |
|---|---|---|---|
| Google Analytics / GTM | Marketing-site visitor analytics on tinyguard.co and vertical landing pages | Page views, anonymized visitor data. No app or device data is sent. | ⚪ N/A — no PHI; restricted to public marketing surfaces |
| Open-Meteo GmbH (open-meteo.com) | Weather data for facility dashboard contextual features (queried from the browser via api.open-meteo.com) | Facility latitude/longitude transmitted per weather query. No PHI. Open-Meteo is GDPR-compliant by design: no API key required, no personal data stored server-side. | ⚪ N/A — location data only, no PHI |
If this list changes — a subprocessor added, removed, or BAA status moved — we update this page first, then propagate to BAA §3.3, Privacy Policy §8, and the BAA template. Material additions or removals get a 30-day advance notice by email to facility administrators. The most-recent effective date is at the bottom of this page.
Effective date: May 25, 2026 (updated — added hCaptcha, Lago, Open-Meteo) · Questions: privacy@tinyguard.co