Sub-processors

Every third party that touches blankit data.

Blankit Health Inc. operates inside AWS, primarily in AWS Canada (Montreal, ca-central-1). The list below is the complete inventory of third parties that process any personal information on behalf of blankit, the purpose of that processing, and how it complies with Quebec Law 25 and PIPEDA cross-border disclosure obligations. Where a sub-processor operates outside Canada, that is stated explicitly.

Amazon Web Services Canada (storage + compute)

Status: Active
Location: Canada (ca-central-1, Montreal)
Purpose: Hosting, database (RDS PostgreSQL), object storage (S3), and secrets management (KMS)
Categories: All client data at rest. Application servers, database, object storage, and backups.
Transfer mechanism: Application servers, database, object storage, and backups all stay in Canada. AWS Canadian Customer Agreement governs.

Amazon Web Services Bedrock (cross-region inference)

Status: Active
Location: Entry point in ca-central-1; inference may run in any AWS region with capacity (in practice US)
Purpose: AI extraction and chatbot via Claude Haiku 4.5, Sonnet 4.5, and Opus 4.6 through AWS `global.*` inference profiles — used for renewal PDF parsing, claims experience parsing, booklet comparison, document-difference analysis, plan-member chatbot routing, and bulk text extraction
Categories: Booklet PDF content, claims experience document content, renewal PDF content, plan-member chat messages, and any other document or message content the platform sends to Claude models
Transfer mechanism: As of 2026-05-15, AWS no longer accepts on-demand invocation of any Claude 4.x model from a single region — every Haiku, Sonnet, and Opus call must route through an inference profile. AWS publishes no `ca.*` profile for Claude 4.x; only `us.*` (US regions only) and `global.*` (any region with capacity). We use `global.*`. All inference is covered by the AWS Customer Agreement + AWS DPA. Anthropic does not see the data. Switching to a `ca.*` profile the moment AWS publishes one is a single-line code change.

Stripe Payments Canada

Status: Active
Location: Canada with US data processing
Purpose: Subscription billing for firms that subscribe to blankit
Categories: Firm billing contact identity only — no plan-sponsor or plan-member data
Transfer mechanism: Stripe DPA + PCI DSS Level 1 controls. Plan-sponsor and plan-member data is never sent to Stripe.

Resend

Status: Active
Location: United States
Purpose: Outbound transactional email — password resets, daily firm-facing notification digests
Categories: Recipient email address and the body of the operational email
Transfer mechanism: Resend DPA. Health information is never sent by email; only operational metadata (e.g. "you have 3 new Critical Illness enrolment requests in the dashboard").

Anthropic PBC

Status: Standby / fallback
Location: United States
Purpose: Claude AI inference, when AWS Bedrock is unavailable (fallback only)
Categories: None in current production. Retained as a disaster-recovery path.
Transfer mechanism: Anthropic Commercial Terms + DPA. Production routes 100% of AI traffic through AWS Bedrock in ca-central-1; the Anthropic API is reachable from staging but disabled in production by the `USE_BEDROCK=true` task setting.

Operator access

We're a sub-processor too — and we can't see your clients.

Blankit Health Inc. is the entity that operates the platform, so we are ourselves a processor under PIPEDA / Law 25. The platform admin role (currently held by the founder) is the operator identity that can step into a tenant for support. The relevant disclosure for your procurement review is what that role can and can't see.

The day-to-day product is single-tenant per firm — cross-firm reads are absent from the code paths your sessions touch. The exception is a read-only impersonation session the platform admin can start when a problem needs an engineer. Such sessions are:

  • Time-boxed to 30 minutes
  • Refused at the edge for any write, upload, delete, or message-send
  • Wrapped in a mask at the database extension that replaces client and contact names with deterministic pseudonyms (Client-XXXX), redacts emails / phone / policy numbers, and replaces document titles and free-text blobs with sentinels
  • Audit-logged at start and end with both operator and target identities

See Trust & security · Cross-firm access for the full mechanics and a live capture of what the operator actually sees on screen during a session.

Notification of change

We tell you before adding a sub-processor.

Firms that subscribe to blankit are notified at least 30 days before a new sub-processor is added to the production data path. Notification is emailed to the firm's billing and security contact and posted to this page.

A firm that objects to a new sub-processor within the 30-day window may terminate the subscription without penalty.

Privacy Officer: Chris Gory · chris@blankit.ca

Last reviewed 2026-05-14. The internal source of truth is the Records of Processing Activities document (Blankit Health Inc., Section 3) — any change there is mirrored here in the same release.

See also: Privacy policy · Trust & security