Subprocessors

CASO Comply uses the third-party services below to deliver its platform. This page documents each subprocessor's purpose, the data categories they can access, and their status in the HIPAA Business Associate Agreement chain.

HIPAA deployments route around this list

For HIPAA-covered workflows, the on-premise Docker agent runs entirely inside the customer's infrastructure. Documents containing PHI never reach any of the cloud subprocessors below. CASO does not receive, store, or process PHI, so no BAA with CASO is required. HIPAA-flagged tenants are blocked from the cloud API at the authentication layer.
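The authentication-layer block described above, as an added illustration that is not CASO Comply's code: it assumes tenant records carry a boolean `hipaa_flag` (a constructed field name), that the gate runs after the caller is authenticated and before any request reaches a cloud subprocessor, and that every decision is written as a structured audit line so the control can be monitored. The tenant records at the bottom are constructed sample data.

```python
"""Tenant-routing gate for HIPAA-flagged tenants (added example, not CASO code).

Assumptions: tenant rows are dicts with an `id` and a boolean `hipaa_flag`;
two request surfaces exist, the Render-hosted cloud API and the on-prem
Docker agent.  Field and surface names are illustrative.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

CLOUD_API = "cloud_api"          # hosted backend; forwards documents to cloud subprocessors
ON_PREM_AGENT = "on_prem_agent"  # Docker agent running inside customer infrastructure
SURFACES = {CLOUD_API, ON_PREM_AGENT}


def is_hipaa_flagged(tenant: dict) -> bool:
    """Fail closed: a missing or malformed flag is treated as flagged.

    A tenant row that was never classified must not silently gain access
    to the cloud API, because that path can carry document content.
    """
    flag = tenant.get("hipaa_flag")
    if not isinstance(flag, bool):
        return True
    return flag


def authorize(tenant: dict, surface: str) -> tuple[bool, str]:
    """Decide whether an authenticated tenant may use the given surface.

    Returns (allowed, reason).  Evaluated before any document bytes are
    read, so a denied request never reaches Render, Supabase Storage, or
    the AI tagging service.
    """
    if surface not in SURFACES:
        return False, f"unknown surface {surface!r}"
    if surface == ON_PREM_AGENT:
        # Documents stay inside the customer's infrastructure; no restriction.
        return True, "on-prem agent: no cloud subprocessor involved"
    if is_hipaa_flagged(tenant):
        return False, "hipaa-flagged tenant denied on cloud api"
    return True, "non-hipaa tenant on cloud api"


def audit_event(tenant: dict, surface: str, decision: tuple[bool, str],
                now: datetime | None = None) -> str:
    """Serialize one gate decision as a JSON log line (denies included)."""
    allowed, reason = decision
    event = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "tenant_id": tenant.get("id", "<unknown>"),
        "surface": surface,
        "outcome": "allow" if allowed else "deny",
        "reason": reason,
    }
    return json.dumps(event, sort_keys=True)


# Constructed sample tenants (not real customer data).
SAMPLE_TENANTS = [
    {"id": "clinic-01", "hipaa_flag": True},    # HIPAA-covered customer
    {"id": "agency-07", "hipaa_flag": False},   # ordinary cloud customer
    {"id": "legacy-99"},                        # never classified -> fails closed
]


def run_samples(surface: str = CLOUD_API) -> list[str]:
    """Evaluate every sample tenant against one surface; returns audit lines."""
    fixed_ts = datetime(2026, 4, 10, tzinfo=timezone.utc)
    return [audit_event(t, surface, authorize(t, surface), fixed_ts)
            for t in SAMPLE_TENANTS]


if __name__ == "__main__":
    for line in run_samples(CLOUD_API) + run_samples(ON_PREM_AGENT):
        print(line)
```

The denial happens before the request body is consumed, which is what keeps the three document-handling subprocessors out of the HIPAA boundary; the fail-closed default for an unclassified tenant is the piece most often missed when the flag is added to an existing schema.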

Cloud subprocessors

These services are part of the hosted casocomply.com cloud deployment. They are not used by the on-premise Docker agent.

Vercel

United States (global edge network)

Not applicable (no PHI access)

Hosting the casocomply.com web application (Next.js). Serves marketing pages, dashboard, and API routes.

Data categories

Account, Document content, Logs

Note: The hosted cloud deployment is not inside the HIPAA boundary. HIPAA-flagged tenants are blocked from uploading documents to cloud endpoints at the API layer.

Supabase

United States (AWS us-east-1)

Not applicable (no PHI access)

Postgres database (tenants, leads, document metadata, billing), authentication, and file storage (reports, intake uploads).

Data categories

Account, Document content, Logs

Note: Supabase offers a paid HIPAA add-on with BAA for future expansion. Current deployment does not use the HIPAA add-on; HIPAA workflows use the on-premise Docker agent instead.

Render

United States

Not applicable (no PHI access)

Hosting the Python FastAPI backend (caso-comply-api) that handles PDF analysis, remediation, and veraPDF validation.

Data categories

Document content, Logs

Note: Render's business tier supports HIPAA with BAA but is not currently used. HIPAA-flagged tenants are blocked from the Render-hosted cloud API.

Google Gemini

Not applicable (no PHI access)

AI tag verification and alt-text generation. Receives page-level images, never full documents.

Data categories

Document content

Note: The consumer Gemini API used here does NOT have a BAA. HIPAA workflows route through the on-premise Docker agent, which can run in local-only mode with AI disabled. See /security for details.

Stripe

United States

Not in HIPAA chain

Payment processing for self-serve subscriptions and usage-based billing. NET30 invoicing is handled separately (no card data stored).

Data categories

Account, Payment

Note: Stripe never touches document content. Payment data is tokenized and never stored on CASO systems.

Resend

United States

Not in HIPAA chain

Transactional email delivery: account confirmations, scan reports, lead notifications, invoices, managed-intake delivery links.

Data categories

Account, Email

Note: Email content can include document filenames and scan summaries but never includes document content. HIPAA customers should not upload PHI via email.

Remediation engine subprocessors

Third-party libraries and services used inside the PDF remediation pipeline. The on-premise Docker agent uses only the local components listed here — it never calls Adobe or any other external service.

Adobe Auto-Tag

Not applicable (no PHI access)

Initial PDF structure detection and automatic tag assignment. Called only by the cloud API, not by the on-premise Docker agent.

Data categories

Document content

Note: HIPAA workflows do NOT call Adobe Auto-Tag. The on-premise Docker agent uses its own bundled engine (pikepdf + veraPDF) and never transmits documents to Adobe.

veraPDF

Customer infrastructure (on-prem) or US (cloud)

Not in HIPAA chain

Open-source PDF/UA validation. Runs entirely locally — bundled inside the Docker agent for on-prem deployments and inside our Render container for cloud deployments.

Note: No network calls, no data transmission. Runs in-process within the CASO runtime.

Change notification policy

CASO Comply will provide at least 30 days' advance notice before engaging a new subprocessor or replacing an existing one, unless the change is required for security or legal reasons, in which case we will notify you as soon as practicable.

Notifications are sent to the primary billing contact on file for each tenant and posted to this page. Enterprise customers may additionally subscribe to subprocessor change alerts via their dedicated Slack channel or email distribution list.

If a customer objects to a new subprocessor, they may terminate their agreement for convenience during the 30-day notice window with a prorated refund of any prepaid fees.

Data transfer mechanisms

All subprocessors listed above are located in the United States. CASO Comply does not currently operate in jurisdictions requiring standard contractual clauses (SCCs) or an EU Data Protection Addendum. When we expand to EU customers, we will publish an updated subprocessor list with SCC and GDPR Article 28 DPA details before onboarding any EU-resident data.

Data in transit between CASO services and subprocessors is protected with TLS 1.2 or higher. Data at rest within each subprocessor is protected by that provider's documented controls (AES-256 for Supabase Storage, AWS KMS-managed keys for underlying RDS/S3, and equivalent at Vercel and Render).

Questions about subprocessors?

Procurement teams can request a current subprocessor list as part of our security package, including contract copies and audit reports where applicable.

Last updated: 2026-04-10