Legal
Subprocessors.
Every third-party service that processes customer data on behalf of Velora Billing. Each row is the truthful posture today — BAA status reflects where the executed contract physically sits, not “we sent the redline back”.
PHI column: "Yes" = always handles PHI. "Conditional" = handles PHI only on tenants that upload PHI-bearing files (e.g. enrollment census with member SSN). "No" = never sees PHI under any code path.
| Subprocessor | Purpose | Region | PHI | BAA |
|---|---|---|---|---|
| Anthropic | Claude LLM — invoice parsing assistance + dispute drafting | US | Conditional | Required + executed |
| Reducto.ai | PDF extraction (invoice tables → structured rows) | US | Conditional | Required + pending |
| Neon (Postgres) | Primary database (us-east-1) | US | Yes | Required + executed |
| Vercel | Application hosting + edge network | US | Yes | Required + executed |
| Vercel Blob | Temporary PDF storage on the way to Reducto (auto-deleted post-parse) | US | Conditional | Required + executed |
| Resend | Transactional email + inbound dispute reply ingestion | US | Conditional | Required + pending |
| Upstash (Redis) | Rate limiting for API + auth routes | US | No | Not required (no PHI) |
| Stripe | Velora's own SaaS billing — never receives PHI or member data | US | No | Not required (no PHI) |
| GitHub | Source control, CI/CD | US | No | Not required (no PHI) |
Subprocessor change notice
We notify customer tenant owners at least 30 days before adding a new subprocessor that will process their PHI. The DPA contains the objection mechanism. Notifications go to the email on file for each tenant's OWNER role.
Audit trail
This page reflects the production list as of the last-updated date below. Historical revisions are available on request — email hello@hellovelora.com.
Last updated: 2026-04-29