Back to PetCura
Subprocessors

Subprocessors

PetCura uses a small set of service providers to deliver secure clinic communication. Each provider is reviewed for purpose, data categories, region, transfer mechanism, and contract coverage before production use.

Updated

Purpose-limited vendors

Subprocessors may process personal data only under contract and only for the purposes needed to support PetCura.

Change notice

Clinic customers receive notice of material subprocessor changes as set out in the DPA.

Region confirmation pending

Final vendor regions, DPAs, transfer mechanisms, and AI provider routes must be confirmed before public launch.

Buyer Summary

  • Primary application data is designed for EU-region hosting.
  • Messaging providers may process message content and delivery metadata to send WhatsApp or SMS messages.
  • Observability tools receive limited operational, diagnostic, or product analytics data.
  • AI providers receive only the minimum necessary context for staff-facing assistance, subject to contract and product controls.
  • PetCura does not sell owner data.

Core Providers

  • Supabase

    Database, authentication, storage, and realtime infrastructure for clinic records, staff accounts, owner request data, attachments, audit logs, and AI accountability records. EU project region must be confirmed for production.

  • Vercel

    Web hosting, server-side execution, CDN, deployment logs, and web analytics. Function regions and logging configuration must be documented.

  • Twilio and Meta / WhatsApp

    WhatsApp Business and SMS delivery, delivery status, and messaging webhooks. Telecom and WhatsApp routing may involve international infrastructure and documented transfer safeguards.

  • Inngest

    Background jobs for AI tasks, reminders, delivery retries, exports, and scheduled workflows. Sensitive payloads should be minimized or encrypted where feasible.

  • AI inference provider routes

    Staff-facing intake questions, summaries, translations, category suggestions, risk flags, memory context, and reply drafts. Provider, region, retention, training, and abuse-monitoring settings are confirmed per route before publication.

Observability And Analytics

  • Sentry

    Error monitoring and application diagnostics with PII scrubbing and limited request context.

  • PostHog EU

    Product analytics and usage measurement where enabled. No owner message content; session replay requires separate approval.

  • Better Stack

    Uptime monitoring, logging, incident response, and status pages with log redaction and retention controls.

Clinic-Specific Providers

PMS export destinations, calendar integrations, or local messaging providers may be added for a clinic only when agreed with that clinic.

Subprocessor FAQ

  • Does PetCura sell owner data?

    No. PetCura does not sell owner data or use owner conversations for advertising.

  • Is PetCura EU-hosted?

    PetCura is designed for EU-region primary application data hosting. Some service providers may process limited data outside the EEA where needed to deliver messaging, hosting, observability, or AI assistance.

  • Does AI see every owner message?

    No. AI tasks should receive the minimum necessary context for the active staff workflow. AI outputs are logged for accountability and staff review.

  • Can clinics object to a new subprocessor?

    Clinic rights depend on the signed DPA. PetCura will publish notice and objection language consistent with the final legal agreement.