This is the canonical list of third parties that TOM Pharmacy Consulting, LLC ("TOM") uses to operate the TOM MMS platform. Some process Protected Health Information ("PHI") as our subcontractors and are covered by HIPAA Business Associate Agreements; others handle no PHI and are listed for transparency.
This page is referenced from §2.4 of the Business Associate Agreement as the authoritative subprocessor list.
Last updated: 2026-04-19
What is a subprocessor?
Under HIPAA, a "subcontractor" is any person or entity that creates, receives, maintains, or transmits PHI on behalf of a Business Associate. When TOM engages a subcontractor to help deliver TOM MMS, that subcontractor is a PHI subprocessor and is required to sign a downstream Business Associate Agreement (BAA) with us, imposing obligations at least as protective as our BAA with you.
Vendors that do not handle PHI (for example, the marketing email tool that sends a monthly newsletter to opted-in readers) are also listed here for transparency even though they are not HIPAA subprocessors.
Current subprocessors
| Name | Service provided | Data processed | Region | HIPAA status |
|---|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL database, authentication, storage | PHI + account data | United States | HIPAA BAA – pending customer confirmation of execution |
| Vercel, Inc. | Web application hosting, edge runtime | Request metadata, logs, short-lived in-memory request/response state | United States | Infrastructure-only; no PHI stored at Vercel layer (all PHI lives in Supabase) |
| Stripe, Inc. | Subscription billing, payment processing | Owner billing data (name, email, payment method); no PHI | United States | PCI DSS attested; no PHI exchanged |
| Resend | Transactional email (security alerts, cancellation confirmations) | Recipient email address, email subject and body | United States | HIPAA BAA – pending customer confirmation of execution |
| MailerLite | Marketing email (opt-in newsletter, lead drips) | Email addresses of newsletter subscribers; no PHI | Lithuania / EU | Not a HIPAA subprocessor – marketing only |
| Formspree | Marketing website contact forms | Lead data submitted on tompharmacy.com; no PHI | United States | Not a HIPAA subprocessor – marketing only |
| Google Workspace | Customer support email, internal operations | Support correspondence (may contain PHI in customer-initiated threads) | United States | HIPAA BAA available under Google Cloud HIPAA compliance – customer to confirm execution |
| Anthropic, PBC | AI-assisted document parsing (policies, invoice OCR) | Document text sent ephemerally at request time; no training use | United States | Document text may contain PHI; BAA status pending customer confirmation |
| Sentry | Runtime error monitoring | Error traces with PHI fields scrubbed server-side before upload | United States | Scrubbed before transmission; non-PHI telemetry |
Subprocessor change policy
TOM provides Covered Entities (Customers) at least thirty (30) days' advance notice before engaging any new subprocessor that will process PHI, as required by the BAA. Notice goes to the billing email on file and is reflected in an updated effective_date on this page.
During the notice period, a Customer may object in writing (to privacy@tompharmacy.com). If the concern cannot be resolved through discussion or an alternative arrangement, the Customer may terminate the Services Agreement without penalty, treating the objection as a material breach per BAA §2.4.
Non-PHI subprocessors (marketing tools, analytics on public pages) may be added without the 30-day notice period. Any change to their scope that would begin to involve PHI automatically triggers the notice requirement.
How to read the "HIPAA status" column
- "HIPAA BAA – pending customer confirmation of execution": TOM's administrative position is that the BAA is available and expected to be in place. Some commercial BAAs require customer-specific acceptance before they take effect at the account level. If you are a procurement reviewer evaluating this list, ask us for the executed BAA copies relevant to your account; we will provide them.
- "Infrastructure-only; no PHI stored at Vercel layer": Vercel's role is edge routing and server-side rendering. Application data persists only in Supabase. Request logs at Vercel include URLs and timestamps but do not contain request-body PHI (our routes never include PHI in URL or log fields).
- "Not a HIPAA subprocessor": the tool does not handle PHI at any time; it is listed here for completeness.
Changes to this page
The effective_date in the frontmatter reflects the most recent material change. We publish minor corrections (fixing typos, or updating a vendor's region when it is genuinely the same company) without an effective-date bump.
Questions
Contact privacy@tompharmacy.com with any questions about a specific subprocessor, or to request the executed BAA between TOM and that subprocessor.