Trust Centre Where your data lives

Sub-processors

The third-party services Cogent uses to deliver the product, with region, purpose, and DPA link in one place.

This register lists the categories of third-party processors engaged by Cogent Clinic Ltd to deliver the service, together with the processing location and the safeguards in place. The currently named sub-processor identities are provided to customers under the Data Processing Agreement and on request at [email protected]. Material changes to the named list are communicated to customers in advance.

Active sub-processor categories

Primary cloud infrastructure

Purpose: Compute, database, object storage, secrets management, scheduled jobs, and backups. Hosts the Cogent Clinic application and all customer account data and audit logs.

Location of processing: United Kingdom.

Data categories: Stream A (clinician account data, audit logs, subscription metadata). Stream B (de-identified, tokenised clinical content at rest, and ciphertext of session transcripts that the provider cannot read).

Safeguards: Data Processing Addendum in place. ISO 27001, SOC 2 Type II, and Cyber Essentials Plus certifications held by the provider. Provider does not access customer content except to provide the service. Audit-plane logging enabled. IAM principle of least privilege enforced.

Onward transfers: None for clinical content. Account metadata may transit to provider support channels in limited support cases, governed by the provider's DPA.

AI inference (large-language-model provider, via cloud-hosted inference service)

Purpose: Provides the large-language-model inference used to generate draft clinical documentation, folder-scoped reflective-thinking chat replies, formulation-suggestion proposals, and documentation-completeness checks.

Location of processing: United Kingdom.

Data categories: Tokenised, de-identified clinical content only. Patient-identifying details are replaced with placeholders on the clinician's device before transmission, so no direct patient identifiers reach the inference path in the normal course of operation.

Safeguards: Inference-only contractual posture: customer content is not used to train or fine-tune any model. Model provider holds ISO 27001:2022 and ISO 42001 certifications; SOC 2 Type I and II. Provider's Data Processing Addendum is in force, incorporating UK IDTA v B.1.0 for UK GDPR transfers and EU SCCs Modules 2/3 for EU transfers; 48-hour breach notification from provider to customer; 15-day objection period for new sub-processors; annual audit rights; 30-day data deletion on termination. Cloud-hosted inference-service DPA remains the primary instrument for the processor relationship; model-provider DPA is defensive documentation.

Onward transfers: None.

Live session speech-to-text

Purpose: Converts a clinical session's audio to text in real time, so the clinician can capture a transcript without leaving the browser. Diarisation (speaker separation) is enabled on every session.

Location of processing: European Union.

Data categories: Audio stream containing speech from the clinician and (with client consent) the client. Audio is streamed directly from the clinician's browser to the service over a WebSocket, using a short-lived streaming token minted per session from Cogent Clinic's server-side API key. Audio does not transit Cogent Clinic's infrastructure.

Safeguards: Provider's Data Processing Addendum executed (click-through acceptance incorporated into their Terms of Service at signup). UK GDPR transfers are covered by the UK Addendum to the EU Standard Contractual Clauses, being the ICO template laid before Parliament on 2 February 2022, as completed by Exhibit D of the provider's DPA. Cogent Clinic Ltd's contractual opt-out from using customer audio or transcripts for model training, benchmarking, fine-tuning, or de-identified model development was processed and confirmed in writing by the provider on 2026-04-23 under the relevant section of their Terms of Service. With the opt-out in force, the provider's zero-data-retention controls apply to streaming: audio and transcripts are not retained beyond the WebSocket session; only certain metadata is kept for logging and billing. Short-lived streaming tokens are minted per session: tokens expire in 10 minutes (the provider's maximum), and a single WebSocket session is bounded to 30 minutes by the max_session_duration_seconds parameter on mint. The returned text transcript is held in the clinician's browser and, at the clinician's choice, saved under the client folder as ciphertext encrypted with the clinician's key; the ciphertext is stored by Cogent Clinic in the UK and cannot be read by Cogent Clinic. SOC 2 Type II and ISO 27001 attestations held; reports available via the provider's Trust Center under NDA.

Onward transfers: None material to customer data. US support-access paths, where they occur, are covered by the same DPA framework (Exhibit D UK Addendum to the EU SCCs) and confirmed in writing by the provider.

Payment processing and subscription billing

Entity: Stripe Payments UK, Ltd.

Purpose: Processes subscription payments, stores payment instruments, generates invoices, manages subscription lifecycle events.

Location of processing: United Kingdom and European Economic Area primarily; limited US transfers for operational support, governed by UK IDTA and EU SCCs as applicable.

Data categories: Clinician name, email address, Stripe customer and subscription identifiers, payment card tokens (Stripe-held, Cogent Clinic does not see card data), invoice metadata, VAT information. No clinical content.

Safeguards: Stripe Data Processing Agreement in place. PCI DSS Level 1 service provider. UK IDTA for transfers outside the UK.

Onward transfers: Stripe uses its own sub-processor chain for payment networks (Visa, Mastercard, banks). Customer-facing chain published by Stripe.

(Stripe is named here because it appears on customer invoices and is therefore already customer-facing.)

Authentication

Approach: Self-hosted. Cogent Clinic's authentication layer runs inside the application and writes to the primary UK-resident database. There is no third-party authentication-as-a-service sub-processor.

Purpose: Authenticates clinician accounts, enforces mandatory time-based one-time-password (TOTP) two-factor authentication, manages session tokens.

Location of processing: United Kingdom. Same location as the primary database.

Data categories: Email, hashed credentials, TOTP secrets, session metadata. No clinical content.

Safeguards: Strong password hashing; TOTP mandatory; short sessions (8h absolute, 30min idle) with rotation; per-user rate limits on login, signup, password reset, and TOTP verification.

Transactional email

Purpose: Sends account verification, password reset, billing notifications, and other operational email.

Location of processing: European Union.

Data categories: Recipient email address, email content relating to account operation. No clinical content in email.

Safeguards: Provider's standard Data Processing Addendum. TLS in transit. Content retained only for operational delivery, per the provider's retention policy.

Onward transfers: None material to customer data.

Error tracking

Purpose: Records application errors to support debugging and reliability.

Location of processing: European Union.

Data categories: Error metadata only (stack traces, timestamps, user ID, browser context). Scrubbing rules strip request or response bodies before transmission.

Safeguards: Provider's Data Processing Agreement. Scrubbing rules reviewed before each release where error handling changes.

Onward transfers: None material to customer data.

Product analytics (metadata only)

Purpose: Aggregate product-usage metrics to support product decisions. Used on the authenticated application for feature-level usage patterns only; not for marketing analytics.

Location of processing: European Union.

Data categories: Non-content event metadata (feature use, doc type selected, timestamps, user ID). No draft bodies, no chat messages, no transcript content, no patient-identifying content.

Safeguards: Provider's Data Processing Agreement. EU-region instance (content kept in-region). We never send content payloads.

Onward transfers: None material to customer data.

DNS and marketing-site CDN

Purpose: DNS resolution for cogent.clinic and static hosting for the marketing site. Not deployed on the authenticated application domain.

Location of processing: Global edge, EU-biased routing.

Data categories: Public-site request metadata only (IP, User-Agent, request path). No clinical content.

Safeguards: Provider's Customer Data Processing Addendum. Standard-contractual-clause transfer safeguards where applicable.

Onward transfers: Inherent to global CDN operation; the provider publishes its own sub-processor chain.

Named list, on request

The current named list of sub-processor entities, their specific legal-entity details, their precise processing regions, and the copies of each executed Data Processing Addendum are provided to customers:

  • in the customer's signed Data Processing Agreement with Cogent Clinic Ltd, and
  • on request at [email protected] (we'll respond within two working days).

Prospective customers doing procurement diligence can request the same information under a short NDA.

Deferred sub-processors (not engaged at launch)

  • Customer support tooling: deferred until launch. Email support via the transactional email provider is sufficient at initial scale.
  • Infrastructure monitoring beyond the error-tracking provider: deferred. The cloud infrastructure provider's built-in monitoring is sufficient at initial scale.
  • Log aggregation tooling: deferred.
  • Customer data warehouse (for business intelligence): deferred; not engaged until operational need arises.

Any addition triggers an update to this register, the DPIA, the Article 30 register, and customer notification.

Change policy

Material changes (new sub-processor, removal, substitution, change of processing region) are communicated to customers at least 30 days in advance via in-application notice and email. Customers with objections may terminate the contract under the standard DPA terms.