Last updated: April 17, 2026
What this is
A subprocessor is a third-party company that Wiebe Consulting engages to help deliver our services, and which may process data on our behalf. This page lists every subprocessor we currently use, what they do, and the data they may touch. Under our Data Processing Agreement you have the right to object to new subprocessors.
| Service | Purpose | Data Categories | Location | Status |
|---|---|---|---|---|
Vercel Vercel Inc. | Website hosting, CDN, serverless functions, edge analytics | Pseudonymous usage data (cookie IDs, truncated IPs), request metadata | United States (global edge network) | DPA + SCCs |
Google Workspace Google LLC | Business email, document storage, calendar scheduling, shared drives | Client contact details, meeting notes, documents, email content | United States | DPA in place; BAA in place or available where required for PHI |
Zoom Zoom Video Communications, Inc. | Video meetings, call recordings, transcripts | Voice, video, meeting metadata, transcripts, chat messages | United States | DPA in place; BAA in place or available where required for PHI |
Resend Resend, Inc. | Transactional email delivery (booking confirmations, calculator results, notifications) | Recipient email address, name, message content, delivery metadata | United States | DPA |
OpenAI OpenAI, L.L.C. | AI tooling for content drafting, analysis, and workflow automation (non-PHI only) | Prompts and outputs relating to de-identified business operations; NEVER PHI. Where AI is used on PHI under a BAA, we use only HIPAA-eligible enterprise tiers that are separately disclosed to the client. | United States | DPA, zero-retention where available |
Anthropic Anthropic PBC | AI tooling for content drafting, analysis, and workflow automation (non-PHI only) | Prompts and outputs relating to de-identified business operations; NEVER PHI. Where AI is used on PHI under a BAA, we use only HIPAA-eligible enterprise tiers that are separately disclosed to the client. | United States | DPA, zero-retention where available |
Google Analytics 4 Google LLC | Aggregate website analytics, conversion tracking | Pseudonymous usage data (cookie IDs, truncated IPs), page views, events | United States | Standard DPA |
Google Ads Google LLC | Advertising and conversion measurement | Pseudonymous event data, ad interaction metadata | United States | Standard DPA |
Meta (Facebook/Instagram) Meta Platforms, Inc. | Advertising and conversion measurement via Meta Pixel | Pseudonymous event data, hashed identifiers where used, browser metadata | United States | Standard DPA |
We never feed PHI to consumer AI tools.
OpenAI and Anthropic are used only for de-identified business operations (drafting SOPs, analyzing marketing copy, summarizing public-information research). Where a client has executed a BAA and Wiebe needs AI assistance on PHI-containing workflows, we use only HIPAA-eligible enterprise tiers that are themselves covered by a BAA and are identified in writing to the client.
Most of our subprocessors are located in the United States. Where we transfer Personal Data to the US from the EU, EEA, or UK, we rely on the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914) or the UK International Data Transfer Addendum, as applicable, together with supplementary measures described in our Data Processing Agreement.
We update this page when we add, replace, or remove a subprocessor. For clients with an active DPA, we also provide at least thirty (30) days' advance written notice, where practicable, of any new subprocessor that will process their Personal Data. To receive notifications, email ben@wiebe-consulting.com with "Subprocessor Updates" in the subject line.
Clients with an active DPA may object to a new subprocessor on reasonable data-protection grounds within the notice period. If the objection cannot be resolved through good-faith discussion (for example, by implementing additional safeguards or substituting an alternative vendor), the client may terminate the affected portion of the engagement without penalty. This is the client's sole and exclusive remedy for objections to a new subprocessor.
The subprocessors listed above may themselves engage sub-subprocessors (e.g., Google Workspace relies on Google Cloud infrastructure; Vercel relies on AWS). We evaluate each subprocessor's own data-protection program and flow-down obligations before onboarding, and each of our subprocessor agreements requires substantially equivalent protections to those in our DPA, including flow-down of security and breach-notification obligations where applicable.
Questions about our subprocessors, their certifications, or their data-handling practices?
Wiebe Consulting Inc.
Email: ben@wiebe-consulting.com
For the Clinic OS Pro SaaS platform, see the separate subprocessor list at clinicospro.com/legal/subprocessors.