ClaimNorth Inc. uses the following third-party services as sub-processors of customer data. Customers are notified at least 30 days in advance via our release-notes page before any new sub-processor is added.
| Sub-processor | Purpose | Data shared | Region | SOC 2 / Equivalent | DPA |
|---|---|---|---|---|---|
| Stripe, Inc. Privacy |
Payment processing | Tokenized payment intents only. ClaimNorth never receives the full PAN. | USA | SOC 2 Type II | ✓ |
| Cloudflare, Inc. Privacy |
CDN, WAF, DDoS protection, DNS | All inbound TLS-terminated request metadata; encrypted payloads passthrough. | Global edge | SOC 2 Type II + ISO 27001 | ✓ |
| Internet Security Research Group / Let's Encrypt Privacy |
TLS certificate issuance | Domain validation challenge only — no customer data shared. | USA | ISO 27001 (parent ISRG) | n/a |
| Anthropic, PBC / OpenAI, LLC Anthropic Privacy · OpenAI Privacy |
AI Job Coach LLM (used by /ai/coach endpoint) | Estimate text submitted to the AI coach. Customers are warned at first use not to include PII. | USA | SOC 2 Type II (both) | In review |
| US Bureau of Labor Statistics Privacy |
Producer Price Index data feed (public API, used by pricing-trends resolver) | None — public API; no data sent. | USA | Federal government | n/a |
| Gordian / RSMeans (Fortive) Privacy |
Construction cost data subscription (pending) | License query only — no customer data shared. | USA | SOC 2 Type II | Pending subscription |