Sub-processors
Last updated May 21, 2026
TidenUp uses the third-party service providers listed below to deliver the service. We publish this list so you can see exactly which vendors process which categories of data on our behalf. Each vendor has its own privacy and security posture; we have selected them with attention to encryption, access controls, and audit support.
A "Business Associate Agreement" (BAA) is a HIPAA-required contract between a covered entity / business associate and its sub-processors. TidenUp's current public posture is non-covered-entity, but we track BAA availability for every vendor so the posture can be upgraded as the product matures.
Current sub-processors
| Vendor | Role | Data processed | Location | BAA |
|---|---|---|---|---|
| Supabase | Database, authentication, storage, edge functions | All patient-entered data: stack, schedule, journal, refills, appointments, notes, sharing relationships, audit logs. | United States (us-east-1) | Pending |
| Cloudflare | CDN, web application firewall, edge Worker hosting | Request metadata (IP, user agent, URL). No application data is stored at the edge. | Global anycast | Pending |
| Resend | Transactional email delivery (account, sharing invites, clinician invites) | Recipient email address, sender display name, invite tokens. No clinical content. | United States (Amazon SES under the hood) | Pending |
| Lovable AI Gateway | Routes AI requests (Ask Pep, Build with AI, vial / doctor-note OCR) to model providers | When 'Use my protocol context' is enabled, Pep also sends a compact summary of your active stack, last-30-day side-effect entries, and next-7-day scheduled doses for that single turn. | United States | Not applicable |
| Google (Gemini via Lovable AI Gateway) | Language and vision model inference | Prompts and request inputs as described above. Per Google AI policy, gateway-routed traffic is not used to train models. | United States | Not applicable |
| Sentry | Application error reporting (when VITE_SENTRY_DSN is set) | Stack traces, browser metadata, error context. Best-effort PII scrubbing per Sentry's beforeSend hook. | United States or European Union (per project configuration) | Pending |
Changes to this list
We will update this page before adding any new sub-processor that materially changes how your data is processed. For privacy questions or to request a copy of any sub-processor's DPA, email admin@tidenup.com.