Security

Subprocessor list

UNMIRI's current subprocessors. This page is the canonical subprocessor list and is updated within 10 business days of any material change. Covered-entity customers receive email notification of changes that affect their PHI.

Last updated: April 21, 2026Contact: compliance@unmiri.com← Back to Security

Subprocessor	Purpose	Data category	Region	BAA status
Vercel	Application hosting and edge delivery	Application traffic; PHI transits edge	US (iad1, sfo1)	Yes
AWS RDS Postgres	UNMIRI's architecture is built on AWS RDS as the primary relational store for structured clinical data, variant annotations, and audit logs.	Application state; structured clinical data; PHI-minimized metadata	US (us-east-1), Multi-AZ	Yes via AWS BAA
AWS S3 (primary encrypted storage)	Primary encrypted document storage for source NGS reports and generated outputs. SSE-KMS, access logging, versioning, and US-only region pinning.	PHI documents and generated artifacts	US (us-east-1)	Yes via AWS BAA
AWS Textract	PDF extraction for incoming NGS reports.	Source reports (PHI during extraction only)	US (us-east-1)	Yes via AWS BAA
AWS S3 (transient Textract input)	Transient input bucket for AWS Textract — separate from the primary storage bucket. Objects are auto-deleted by an S3 Lifecycle rule after extraction completes.	Source reports (PHI, present only during the extraction step)	US (us-east-1)	Yes via AWS BAA
Anthropic	LLM API — narrow use (extraction edge cases, long-tail variant fallback).	De-identified variant data only; no PHI identifiers in prompts	US inference zones (contractual)	Yes (HIPAA-ready API tier)

Vercel

Purpose: Application hosting and edge delivery
Data category: Application traffic; PHI transits edge
Region: US (iad1, sfo1)
BAA status: Yes

AWS RDS Postgres

Purpose: UNMIRI's architecture is built on AWS RDS as the primary relational store for structured clinical data, variant annotations, and audit logs.
Data category: Application state; structured clinical data; PHI-minimized metadata
Region: US (us-east-1), Multi-AZ
BAA status: Yes via AWS BAA

AWS S3 (primary encrypted storage)

Purpose: Primary encrypted document storage for source NGS reports and generated outputs. SSE-KMS, access logging, versioning, and US-only region pinning.
Data category: PHI documents and generated artifacts
Region: US (us-east-1)
BAA status: Yes via AWS BAA

AWS Textract

Purpose: PDF extraction for incoming NGS reports.
Data category: Source reports (PHI during extraction only)
Region: US (us-east-1)
BAA status: Yes via AWS BAA

AWS S3 (transient Textract input)

Purpose: Transient input bucket for AWS Textract — separate from the primary storage bucket. Objects are auto-deleted by an S3 Lifecycle rule after extraction completes.
Data category: Source reports (PHI, present only during the extraction step)
Region: US (us-east-1)
BAA status: Yes via AWS BAA

Anthropic

Purpose: LLM API — narrow use (extraction edge cases, long-tail variant fallback).
Data category: De-identified variant data only; no PHI identifiers in prompts
Region: US inference zones (contractual)
BAA status: Yes (HIPAA-ready API tier)

Change notification policy

This list is updated within 10 business days of any material change to UNMIRI's subprocessor relationships. Covered-entity customers with active Business Associate Agreements receive email notification of changes that affect their PHI, with sufficient notice to object before the change takes effect.

To request notification updates or a signed statement of current subprocessors, email compliance@unmiri.com.