Sub-processor list
Last updated: April 2026
As controller (for clinic data) and processor (for patient data on behalf of the clinic), we use a small set of vetted third parties. The list below separates the processors for the marketing site from the processors for the application that handles patient data.
Marketing-site processors
These tools process visitors of the marketing site only. No patient data.
Cloudflare, Inc.
CDN and DNS, bot protection via Cloudflare Turnstile on all forms, and Cloudflare Web Analytics — cookieless, aggregated page-view statistics. Visitor IP is processed in real time and not stored.
Contentsquare SA
Session replay and heatmaps on marketing pages only — clicks, scrolls, form interactions. Activated solely after your consent on the cookie banner. No patient data is processed because Contentsquare is not installed in the application.
jsDelivr (Prospect One)
CDN delivering the flag-icons CSS library used on the marketing site. Visitor IP is processed to serve static files.
Application processors (patient data)
These tools process clinical and patient data on behalf of the clinic under a signed Data Processing Agreement (DPA, GDPR Art. 28).
Hosting provider [TODO]
Application servers, database, file storage — all patient and clinic data. The exact vendor and region will be published (e.g., Microsoft Azure West Europe or AWS Frankfurt).
Transactional email provider [TODO]
Sending transactional emails (confirmations, reminders, notifications). Recipient address and message content. Vendor will be published.
Error monitoring [TODO]
Application error monitoring — stack traces, anonymised user session, URL. No patient-record contents. Vendor will be published.
Sub-processor changes
We notify clinics 30 days before adding a new sub-processor, per the signed DPA. Customers have the right to object; if the objection cannot be resolved by reasonable means, the clinic may terminate the contract without penalty.
To subscribe to change notifications, email dpo@emaq.ba.