Subprocessors

Effective date: May 10, 2026Last updated: May 10, 2026

BenAsk shares information with the categories of subprocessors below so we can host the Service, authenticate you, run AI features you opt into, and autocomplete drug names. We keep this list accurate for the production deployment; if we add a material new subprocessor, we will provide at least 30 days' notice by email and an in-product banner before it begins processing consumer health data.

Subprocessor	Purpose	Data categories	Location	Retention	DPA / BAA
Clerk	Authentication, organization (“family”) management, invitations, session security.	Email, legal name where provided, Clerk user ID, org membership, MFA/session signals.	United States (Clerk data region for this deployment).	Until you delete your Clerk-connected account plus vendor rotation—see Clerk's privacy documentation.	Standard DPA available for business customers.
OpenAI	LLM chat completions, optional revision passes, document summarization/OCR-assisted workflows grounded in uploads.	Document text, onboarding/wizard-derived context, voluntary drug-name strings surfaced in concierge flows, chat messages, sanitized carrier-page excerpts you trigger.	United States API regions tied to BenAsk workspace configuration.	~30 days on standard tiers for misuse monitoring unless different enterprise terms apply directly between you and OpenAI.	No HIPAA BAA executed with BenAsk today.
Vercel	Application hosting, edge routing, serverless execution, private Blob object storage for uploads/exports.	All application traffic and stored objects needed to run BenAsk, including uploaded documents.	United States—Blob and primary compute in Vercel IAD1 region unless we publish a change.	Until you delete user-owned objects or complete account erasure, subject to log rotation described in the Privacy Policy.	Data Processing Agreement available from Vercel.
NLM RxTerms (NIH)	Drug-name autocomplete only (public reference API).	Partial drug-name query strings; no BenAsk account identifiers are intentionally attached to NIH calls.	United States (U.S. government infrastructure).	Per NIH/NLM policies; BenAsk does not maintain a separate RxTerms query archive beyond short-lived server logs.	N/A—no PII contractually required for public reference lookups.

Full privacy context lives in the Privacy Policy and AI-specific controls live under Settings → Privacy & AI.

Subprocessors

Effective date: May 10, 2026Last updated: May 10, 2026

Subprocessor	Purpose	Data categories	Location	Retention	DPA / BAA
Clerk	Authentication, organization (“family”) management, invitations, session security.	Email, legal name where provided, Clerk user ID, org membership, MFA/session signals.	United States (Clerk data region for this deployment).	Until you delete your Clerk-connected account plus vendor rotation—see Clerk's privacy documentation.	Standard DPA available for business customers.
OpenAI	LLM chat completions, optional revision passes, document summarization/OCR-assisted workflows grounded in uploads.	Document text, onboarding/wizard-derived context, voluntary drug-name strings surfaced in concierge flows, chat messages, sanitized carrier-page excerpts you trigger.	United States API regions tied to BenAsk workspace configuration.	~30 days on standard tiers for misuse monitoring unless different enterprise terms apply directly between you and OpenAI.	No HIPAA BAA executed with BenAsk today.
Vercel	Application hosting, edge routing, serverless execution, private Blob object storage for uploads/exports.	All application traffic and stored objects needed to run BenAsk, including uploaded documents.	United States—Blob and primary compute in Vercel IAD1 region unless we publish a change.	Until you delete user-owned objects or complete account erasure, subject to log rotation described in the Privacy Policy.	Data Processing Agreement available from Vercel.
NLM RxTerms (NIH)	Drug-name autocomplete only (public reference API).	Partial drug-name query strings; no BenAsk account identifiers are intentionally attached to NIH calls.	United States (U.S. government infrastructure).	Per NIH/NLM policies; BenAsk does not maintain a separate RxTerms query archive beyond short-lived server logs.	N/A—no PII contractually required for public reference lookups.

Full privacy context lives in the Privacy Policy and AI-specific controls live under Settings → Privacy & AI.