Subprocessors
Last updated: May 15, 2026
This is every third party we use to deliver Dia AI. We sign a Business Associate Agreement (BAA) with every vendor before it processes Protected Health Information (PHI) for us in production. We will update this page at least 30 days before adding or replacing any subprocessor that handles PHI, and we will email Pro-tier customers when we do.
| Vendor | Purpose | Data processed | Region | BAA / status |
|---|---|---|---|---|
| Anthropic | Claude Sonnet Vision — meal photo analysis | Meal photos (24h TTL), prompt + response | US | Yes |
| AWS | Primary application hosting + database | User account, log data, encrypted health records | US-East-1 (default) / Frankfurt (EU) | Yes (BAA available) |
| Cloudflare R2 | Meal photo object storage (24h TTL) | Meal photos (encrypted at rest) | Global edge / EU on request | Yes (BAA available) |
| Apple | Sign in with Apple, App Store subscriptions, APNS | Apple ID, subscription state, push tokens | US | N/A |
| RevenueCat | StoreKit wrapper, entitlement management, paywall A/B | Apple ID, subscription events. No PHI. | US | N/A |
| Superwall | Onboarding paywall experiments | Anonymous device ID, paywall events. No PHI. | US | N/A |
| Sentry | Crash reporting + performance monitoring | Stack traces, device metadata. PHI scrubbed pre-send. | US | Yes (BAA available) |
| PostHog | Product analytics + feature flags (self-hosted EU) | Anonymous device ID, feature events. No PHI. | EU (self-hosted) | Self-hosted |
| Postmark | Transactional email — waitlist welcome, account | Email address, message body | US | Yes (BAA available) |
What "BAA" means
A Business Associate Agreement is the contract HIPAA requires between a covered entity (or a HIPAA-aligned company like us) and any vendor that processes Protected Health Information on its behalf. A vendor marked "Yes" has a signed BAA in place with us. "BAA available" means the vendor offers a BAA on the plan we are on, and we will sign it before any PHI is processed through them in production. Vendors marked "N/A" do not receive PHI from us, so no BAA applies.
Cross-border transfers
For EU users, we host production data in AWS Frankfurt and store meal photos in Cloudflare R2's EU region. Where data must still cross borders (for example, meal photos sent to Anthropic in the US for AI inference), we rely on Standard Contractual Clauses or an equivalent transfer mechanism.
Why we publish this
Diabetes data is some of the most sensitive personal health information a person carries. You deserve to know exactly which companies touch it, what they do with it, and where it lives. Transparency is a feature.