Vendors by Category
Organized by vendor type and function
Vendors are organized by function and impact level. Review the detailed information for each service to understand what data they process and their security certifications.
Infrastructure Providers
Core infrastructure services that host and store JourneyLoop data. These vendors have direct access to database and application infrastructure.
- Heroku (Salesforce)
  - BAA Status: Available
  - Purpose: Application hosting and deployment (PaaS)
  - Data Processed: All application data, database, file storage, runtime environment
  - Certifications: SOC 2 Type II, ISO 27001, PCI DSS Level 1
- Supabase
  - BAA Status: Upgrade Required
  - Purpose: Primary PostgreSQL database
  - Data Processed: User accounts, coaching sessions, client profiles, metadata
  - Encryption: AES-256 at application level
  - HIPAA Status: Upgrade planned Q1 2026
- Redis Cloud
  - BAA Status: Not Required
  - Purpose: Caching and background task queue (RQ/django-rq)
  - Data Processed: Metadata only (IDs, function names) - no PHI
  - Security: TLS encryption, password auth, auto-expiration
- Google Cloud Storage
  - BAA Status: Available
  - Purpose: Object storage for files, transcripts, and media
  - Data Processed: Session transcripts, uploaded documents, audio files
  - Security: Server-side encryption, access control, audit logging
AI Processing Services
Artificial intelligence and machine learning services that power coaching insights, content generation, and transcription.
- OpenAI
  - BAA Status: Available
  - Purpose: NLP for session analysis and coaching insights (GPT-4o)
  - Data Processed: Session transcripts and coaching notes
  - Training Policy: Enterprise tier - no customer data used for training
- Google AI (Gemini)
  - BAA Status: Available
  - Purpose: Text-to-speech synthesis for audio content
  - Models: Gemini 2.5 Flash TTS, Gemini 2.5 Pro TTS
  - Data Processed: Text content for voice synthesis
- RecallAI
  - BAA Status: HIPAA Compliant
  - Purpose: Session recording and transcription platform
  - Data Processed: Audio/video recordings, AI-generated transcripts
  - Usage: Optional feature with explicit per-session opt-in
Email & Communication
Services used for sending transactional emails and notifications. These services do not receive PHI.
- Make.com
  - BAA Status: Not Required
  - Purpose: Workflow automation for email routing and delivery
  - Data Processed: Email subject lines, recipient addresses, notification content
  - PHI Protection: Email backend filters sensitive data - no PHI included
Payment Processing
Payment processing services handle billing and subscription management. No PHI is shared with payment processors.
- Stripe
  - BAA Status: Not Required
  - Purpose: Payment processing, subscription management, billing
  - Data Processed: Payment information, subscription status
  - Shared Data: User email and name only - no coaching or client data
  - Certification: PCI DSS Level 1
Monitoring & Analytics
Application monitoring and error tracking services. Configured to exclude sensitive data from logs.
- Sentry
  - BAA Status: Not Required
  - Purpose: Error tracking, performance monitoring, alerting
  - Data Processed: Error messages, stack traces, request metadata
  - PHI Protection: PII/PHI scrubbing configured to prevent sensitive data logging
Third-Party Integrations
Optional integrations that coaches can enable for enhanced functionality.
- Google Calendar API
  - BAA Status: Available
  - Purpose: Calendar sync for session scheduling and reminders
  - Data Processed: Calendar events, session scheduling data, event metadata
  - Authorization: OAuth 2.0 with user consent (read/write calendar events only)