Transparency

Subprocessors

PathwAI uses a small, deliberately scoped set of third-party vendors to deliver the platform. This page lists every subprocessor, who they are, what they do for us, where they operate, and whether they are covered by a Business Associate Agreement, so your compliance and procurement teams can review them accurately.

Our approach to subprocessors

We believe subprocessor transparency is a basic expectation for any vendor operating in health and wellness. We limit our subprocessor list to what is strictly necessary to deliver the product reliably and securely. We do not add new subprocessors casually, and where subprocessors handle patient data we require appropriate data-handling terms and HIPAA business associate agreements with flow-down obligations.

Minimal footprint

We keep the list short. Every core vendor is there for a specific, necessary purpose, not general-purpose tooling that could be avoided.

Customer notification

For Enterprise customers with BAAs, we provide advance notice of material changes to this list, typically 30 days before a new subprocessor accesses PHI.

Flow-down obligations

Where subprocessors handle PHI, we have written subprocessor agreements that flow down the same HIPAA obligations PathwAI carries under your BAA.

Core subprocessors (platform)

These vendors deliver the PathwAI platform (flows, the conversion data platform, and audience activation) and are engaged for every customer of the relevant service. Last updated: June 2026.

Vendor | Purpose | Location | BAA
Amazon Web Services | Core hosting, compute, storage, and eventing (ingest, fan-out, delivery, operational state). | US | Yes
Railway | Application hosting for the admin application and flow runner. | US | Yes
Cloudflare | Edge delivery, web application firewall, and DDoS mitigation. | Global | Yes
MongoDB Atlas | Primary data store for configuration, profiles, and definitions. | US | Yes
Tinybird | Event analytics and segment evaluation. | US | Yes
Twilio | SMS and voice for patient communications, where enabled. | US | Yes
Stripe | Billing and subscription management. | US / Global | Limited scope

Customer-connected integrations

These are integrations a customer connects at its own discretion, using its own account and credentials with the third party. They are enabled per customer need rather than provided to every customer by default, and are not treated as default subprocessors of the base service. Advertising platforms do not sign BAAs; only hashed, consent-gated, allowlisted identifiers are transmitted to them, at the customer's direction. The customer controls what data is sent and is responsible for the lawful use of these connections.

Vendor | Purpose | Location | BAA
Meta | Advertising destination (Conversions API, Custom Audiences), connected at the customer's discretion. | Global | No (hashed, consent-gated, allowlisted data only)
Google | Advertising destination (Enhanced Conversions, Customer Match), connected at the customer's discretion. | Global | No (hashed, consent-gated, allowlisted data only)
TikTok | Advertising destination (Events API, Audiences), connected at the customer's discretion. | Global | No (hashed, consent-gated, allowlisted data only)

Marketing site

Our public marketing site at pathwai.care does not process patient data. It uses Cloudflare for edge delivery and security, and limited first-party analytics. Patient data is processed only within the platform, by the core subprocessors listed above. See our Cookie Policy for details on cookies used on the marketing site.

Changes to this list

When we add, remove, or materially change a subprocessor, we update this page and notify Enterprise BAA customers in advance. If you would like to be notified of changes, contact [email protected] and ask to be added to the subprocessor update list.

If a new subprocessor would be objectionable for your compliance program, Enterprise customers can raise an objection within the notice period and we will work with you to address it before the change takes effect.