HIPAA · BAA
BAA subprocessors
Effective date: May 18, 2026 · Last updated: May 18, 2026 · Version: 1.0
NOT LEGAL ADVICE — placeholder copy
This page is a placeholder pending review by licensed counsel. Final language will be posted before any production data is collected. If you are evaluating BrainMeBack and need final terms, email shavoni@me.com.
This page lists the third-party service providers that may create, receive, maintain, or transmit Protected Health Information (PHI) on behalf of BrainMeBack in the BrainMeBack patient mobile application and clinician dashboard. It is incorporated by reference into the BrainMeBack template Business Associate Agreement and into any executed BAA Schedule A.
The marketing website at brainmeback.com does not process PHI; for the marketing-site subprocessor list, see brainmeback.com/privacy/subprocessors.
Current production subprocessors
| Subprocessor | Purpose | Region | BAA in place |
|---|---|---|---|
| Supabase, Inc. | Managed PostgreSQL data hosting (clinician dashboard + sync backend), authentication, and storage | United States (us-east region) | Yes (Supabase HIPAA-covered plan) |
| Railway Corp. | Container hosting for the clinician dashboard reference (demo / non-PHI) environment only. No Protected Health Information is processed on Railway. | United States | N/A — Railway is not used for PHI. Production hospital deployments use dedicated VPC infrastructure with an executed BAA prior to any PHI processing. |
| Sentry (Functional Software, Inc.) | Application error monitoring (PHI scrubbed via Sentry beforeSend hook before transmission) | United States | Yes |
Production hospital deployments may use dedicated VPC infrastructure with a customer- chosen cloud account, in which case the cloud provider becomes the deployment-specific subprocessor and is identified in the deployment’s BAA Schedule A rather than this general list.
Notice of changes
Pursuant to 45 CFR §164.504(e)(1)(ii) and our template BAA, we will provide each Covered Entity with no less than 30 days’ advance written notice before adding or substituting a subprocessor that creates, receives, maintains, or transmits PHI on our behalf. Within that notice period, the Covered Entity may object and request a reasonable alternative or terminate the BAA with respect to the affected services without penalty.
Questions
For subprocessor questions or to receive notice of changes: shavoni@me.com.