DictaFlow Medical Subprocessor List
Last updated: May 19, 2026. This page summarizes production subprocessor categories for Medical customers. Specific BAA copies, settings screenshots, and contract evidence are available through customer/vendor review rather than posted publicly.
BAA status: DictaFlow Medical enables PHI-bearing provider routes only for providers covered by the required BAA or downstream business associate terms and reviewed retention/training settings.

| Vendor / category | Service | Data role | Medical controls |
|---|---|---|---|
| Railway and Google Firebase / Firestore | Backend hosting, database, authentication support, and operational infrastructure. | May store account, configuration, usage, audit, disclosure, and operational metadata. | Medical backend mode, restricted admin access, audit/disclosure records, and BAA-covered deployment review. |
| Deepgram | Speech transcription when enabled by Medical backend configuration. | Receives audio and approved keyterm hints only for requested transcription work. | Provider allowlist enforcement, BAA coverage, and Medical disclosure metadata. |
| OpenAI | Transcription or formatting routes when enabled by Medical backend configuration. | Receives audio or text only when the selected model route is allowlisted. | Provider allowlist enforcement, BAA coverage, and no direct client-side Medical bypass. |
| Groq | Transcription fallback and formatting routes when enabled by Medical backend configuration. | Receives audio or text only when a Groq-backed route is allowlisted. | Provider allowlist enforcement, BAA coverage, and Medical disclosure metadata. |
| Resend / Postmark | Transactional, lifecycle, support, and reviewed customer communications. | May process account identifiers and support messages. Users should not send PHI through ordinary email unless an approved support workflow is in place. | Medical support guidance, PHI warning copy, and BAA-covered workflow review where PHI or PHI-linked metadata may be present. |
| Stripe | Payments, checkout, billing portal, and subscription status. | Payment data only. Patient information should not be included in checkout metadata, invoices, receipts, or billing support notes. | Payment-only use; Medical policies prohibit PHI in Stripe metadata and billing messages. |

Provider allowlist
The Medical backend is configured to fail closed when BAA-provider enforcement is enabled. PHI-bearing audio or text should only be routed through providers present in the production allowlist after BAA and retention/training settings are reviewed.
Change notice
Material subprocessor changes are reviewed before production use and can be communicated to customers according to the applicable customer agreement or BAA.