Subprocessors
Provider: Max Output LLC | North Carolina | founders@maxoutput.ai
Service: Cora | https://cora.getmaxoutput.com
Document Version: SP-v1.1-2026-05-10
Effective Date: May 10, 2026
The following third-party service providers ("subprocessors") process customer data in connection with the Cora platform. Each subprocessor is bound by written agreements imposing confidentiality and security obligations.
For details on how customer data is handled, see our Privacy Policy and Trust Center.
Change log
v1.1 (2026-05-10): Cohere, Inc. removed as a direct subprocessor. Reranking now runs on Cohere Rerank 3.5 hosted natively on AWS Bedrock (cohere.rerank-v3-5:0 in us-west-2). Document chunks are processed entirely within the AWS plane; Cora no longer sends customer data to Cohere directly.
AI Infrastructure
| Vendor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| AWS Bedrock (Amazon Web Services, Inc.) | Hosts and executes AI models for answer generation, grounding verification, text embeddings, and reranking | Protocol text chunks and user queries sent to AWS Bedrock for inference (us-east-1) and reranking (us-west-2) | US (us-east-1, us-west-2) | SOC 2 Type II, ISO 27001, HIPAA eligible |
| Anthropic PBC (via AWS Bedrock) | Provides Claude language models used for answer generation and grounding verification | Same data as AWS Bedrock; no direct API relationship with Anthropic; governed by AWS Bedrock service terms | US (via AWS) | Governed by AWS Bedrock terms |
| Amazon (via AWS Bedrock) | Provides Nova models used for query expansion and text embeddings | Protocol text chunks and user queries processed through AWS Bedrock | US (via AWS) | Governed by AWS Bedrock terms |
| Cohere (via AWS Bedrock) | Provides Cohere Rerank 3.5 model for reranking search results | Query text and protocol text chunks processed through AWS Bedrock; no direct API relationship with Cohere | US (via AWS) | Governed by AWS Bedrock terms |
Data Storage
| Vendor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Supabase, Inc. | Database hosting (PostgreSQL), vector storage (pgvector), encrypted file storage, authentication | All persistent data: account information, protocol documents, text chunks, vector embeddings, query audit logs, feedback | US | SOC 2 Type II, HIPAA ready |
Hosting and Compute
| Vendor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Railway Corp. | Backend API hosting and execution | Customer data (queries, protocol text chunks, AI responses) transits Railway infrastructure during request processing | US | US-based infrastructure |
| Vercel, Inc. | Frontend hosting and request proxying | Static assets and proxied API requests | US | SOC 2 Type II |
Billing
| Vendor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment card information, billing email, organization name; card data is collected directly by Stripe and never touches our servers | US | PCI DSS Level 1, SOC 2 Type II, ISO 27001 |
Communications and Monitoring
| Vendor | Purpose | Data Processed | Location | Certifications |
|---|---|---|---|---|
| Postmark (ActiveCampaign, LLC) | Transactional email delivery | Email addresses, email content (system notifications, onboarding, billing communications) | US | US-based infrastructure |
| Sentry (Functional Software, Inc.) | Application error tracking | Error stack traces and request metadata; configured with send_default_pii=False to exclude personal information | US | SOC 2 Type II |
Notes
- All data is stored and processed on infrastructure located within the United States.
- Plausible Analytics is used for privacy-first website analytics. It collects no personal data, uses no cookies, and stores only aggregated page view counts. It is not classified as a subprocessor.
- RxNorm (National Institutes of Health) is a public API used for drug name normalization. No authentication or data storage is involved. It is not classified as a subprocessor.
- LiteLLM is an open-source Python library used to route API calls to AWS Bedrock. It runs entirely within our own backend infrastructure and does not transfer data to any external system.
- UptimeRobot is used for uptime monitoring. It pings public health endpoints only and collects no customer data. It is not classified as a subprocessor.
- We will notify customers of material changes to this list at least 30 days in advance.