Data Sub-Processors — Vendor Transparency

SPM Health Tech LLC is committed to full transparency about every third-party vendor that handles data on behalf of PANDAS Tracker families. This page lists all current sub-processors, their roles, and their relevant privacy certifications.

Our sub-processor principles

Every vendor that touches family health data must: (1) have a signed Business Associate Agreement (BAA) if they handle protected health information; (2) provide data encryption at rest and in transit; (3) hold recognized security certifications (SOC 2, ISO 27001, or equivalent); (4) commit to not selling or sharing data with third parties.

Core infrastructure sub-processors

Google Firebase (Google Cloud Platform): Primary database and authentication provider. SOC 2 Type II, ISO 27001, FedRAMP certified. BAA in place. Location: United States.
Resend: Transactional email delivery for account notifications. No health data transmitted via email. Location: United States.