Trust, data use & subprocessors
How NamedClearly handles health information, which vendors may process it, and our commitment not to train AI models on your PHI.
How we use data
- NamedClearly processes account, practice management, therapeutic, and safety-check data you or your clients submit. Covered entities remain responsible for their designated record set, BAAs, and minimum-necessary disclosures.
- PHI and sensitive content are encrypted in transit (TLS) and protected at rest with AES-256-class storage where PHI is persisted. Access to practice and portal PHI is logged in HIPAA-oriented audit trails.
- We do not sell member journals, Safety Check threads, or portal messages to advertisers. Product email and SMS use transactional providers under operator-configured contracts.
No training on your PHI
- NamedClearly does not use your Safety Check threads, portal messages, clinical notes, or other PHI to train public foundation models.
- AI features route to host-configured inference vendors under API terms that exclude training on customer API data by default; operators map which vendors may receive PHI per environment.
- Account-level AI context sharing is a product policy for linked households and partners — not a license for NamedClearly to publish or train on your content.
Subprocessors & infrastructure
Covered entities should maintain their own Article 30 / vendor register. This table summarizes common NamedClearly integrations; your executed BAA and DPA list the authoritative subprocessors for your deployment.
| Vendor | Purpose | Typical data | Notes |
|---|---|---|---|
| Cloud hosting & database | Application runtime, encrypted PostgreSQL, backups | Account, practice, portal, and therapeutic data at rest | — |
| Cloudflare | CDN, DNS, edge TLS, tunneling | HTTP metadata; no application PHI at rest | — |
| Resend | Transactional email (reminders, invoices, support) | Email addresses, message bodies when mail is sent | Product mail is Resend-only; Gmail delegation is for documented read/alert paths. |
| Telnyx | SMS reminders and MFA when enabled | Phone numbers, SMS content | — |
| Stripe | Portal invoice checkout when enabled | Payment metadata; card data stays with Stripe | — |
| Stedi | Eligibility, claims (837), remittance (835), status (277) | Billing identifiers, claim metadata, ERA summaries | — |
| Daily | Telehealth video rooms when enabled | Session metadata; media flows through Daily | — |
| AI inference vendors (host-configured) | Optional AI assists (notes, chat, Safety Check analysis) | Prompt excerpts per feature policy; vendor list varies by deployment | See Privacy Policy and operator BAAs for which models receive PHI. |
Business Associate Agreement
- NamedClearly offers a Business Associate Agreement template for covered entities and practice customers who need a signed BAA before processing PHI on the platform.
- Executing a BAA does not by itself make an organization HIPAA compliant — you still need workforce training, risk analysis, subprocessors under BAAs, and retention policies aligned to your state and payer rules.
- Download the current BAA template and review security practices on our Compliance page.
This page is a plain-language summary for diligence and onboarding. It does not replace legal agreements, your own risk analysis, or environment-specific operator documentation.