Subprocessors
LAST UPDATED: 28 MAY 2026
To support the delivery of our Services, ClinicQuest engages third-party service providers ("Subprocessors") that may process data on our behalf. We ensure that all Subprocessors meet strict security, privacy, and compliance standards aligned with UK GDPR.
Storage versus inference. ClinicQuest separates data at rest from data in transit for AI inference. Account, educational, portfolio, and anonymised clinical-content data at rest is stored in UK-hosted infrastructure: primarily Supabase (London) for the relational store, with a self-hosted SurrealDB instance (London, UK — OVH data centre) for the AKT clinical knowledge graph, per-user AKT performance edges, and the personal-document vector index. AI inference is handled by external model providers — prompts are processed in volatile memory at the model endpoint and not used for training. Most chat / fact-check / leaflet / RAG paths run through an AI Gateway under a Zero Data Retention contract; speech-to-text routes through Cloudflare Workers AI Speech (ZDR), Deepgram with mip_opt_out=true (retained only for processing duration), or Groq with ZDR enabled in Data Controls. Cross-border transfers for inference are covered by the UK Extension to the EU-US Data Privacy Framework and Standard Contractual Clauses, as detailed per provider below. Cloudflare Workers AI inference uses the nearest available point of presence (typically UK/EU PoPs for our user base) and is not contractually pinned to a region on the current plan.
Infrastructure & Database
Core hosting, edge protection, authentication, and database services powering ClinicQuest.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | Edge Routing, WAF, & DDoS Protection | Global Edge Network |
| Supabase (Database, Auth, Storage) | Authoritative relational store for account, educational, portfolio, and anonymised clinical-content data at rest (chats, portfolio, notebooks, tasks, AKT sessions and attempts, and the AKT remedial-question queue) | Europe West (London) — UK only |
| SurrealDB (self-hosted, on OVH UK) | AKT clinical knowledge graph, per-user AKT performance edges (which entities you have been confused by, are weak at, or have demonstrated strength in), and the per-user vector index for the personal-document RAG | London, UK (OVH Limited data centre) — UK only. Operated by ClinicQuest as Data Processor. |
| OVH Limited | Underlying virtual-machine and network host for the SurrealDB instance above | London, UK — UK only |
Authentication & Bot Protection
Sign-in identity provision and bot-protection challenges on the signup and password-reset forms. These processors receive only the data necessary to verify identity or distinguish humans from bots — no clinical content, message history, or portfolio data is sent.
| Subprocessor | Purpose | Region & Transfer Mechanism | Data Retention |
|---|---|---|---|
| Google (OAuth identity provider) | Optional sign-in via "Continue with Google". When you choose this, Google authenticates you and returns your email, name, and avatar URL to ClinicQuest. Scope is limited to openid email profile — we do not request access to Gmail, Drive, Calendar, or any other Google service. | Global (primarily US). UK Extension to the EU-US Data Privacy Framework + SCCs. | Per Google's account/identity terms (independent controller of your Google account) |
| Cloudflare Turnstile | Bot-protection challenge on the signup and password-reset forms. Turnstile receives your IP address, User-Agent, and browser challenge metadata to score the likelihood that you are a human. It does not receive your email, password, or any clinical content. | Cloudflare global edge. UK Extension to the EU-US Data Privacy Framework + SCCs. | Transient — used for the challenge only |
* Email-and-password sign-in is handled by Supabase Auth (listed under Infrastructure & Database) — no additional processor is involved for that path.
AI Infrastructure
AI inference is performed by external model providers. Anonymised clinical-content workloads are routed through a Zero Data Retention (ZDR) gateway: prompts and responses are processed in volatile memory at the model endpoint and discarded immediately. No clinical content from anonymised clinical-content AI workloads is stored at rest by any AI provider. The named providers below may change as we upgrade to more capable, secure, and compliant models — the data-handling guarantees in this table do not.
| Subprocessor | Purpose | Region & Transfer Mechanism | Data Retention |
|---|---|---|---|
| Vercel AI Gateway (provider router) | Routes anonymised clinical-content prompts to model endpoints under contractual ZDR | US (primary). UK Extension to the EU-US Data Privacy Framework + Standard Contractual Clauses. | Zero (transient, in memory) |
| Google (Gemini family — via Gateway) | Clinical chat, fact-checking, document processing, AI drafting | Global (primarily US). UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (ZDR contract) |
| Google (Gemini API — direct) | Notebook and AKT Teacher educational features; AKT remedial study planning; medicine information leaflet analysis (public content only); chat-tool leaflet metadata extraction (public leaflet content only) | Global (primarily US). UK Extension to the EU-US Data Privacy Framework + SCCs. | Up to 30 days |
| OpenAI (via Vercel AI Gateway) | Classifier intent routing on every chat turn (lightweight intent + last user message + 5-message conversation summary); structured-output flows for Lumina flashcard generation and document routing metadata | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| DeepSeek (via Vercel AI Gateway) | Clinical chat for the Pro tier (DeepSeek V4 Pro) — clinical reasoning, drafting, and fact-checking. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract. Direct DeepSeek API access is not used. | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| xAI (Grok) | Reserved alternative provider for educational features only — not currently active | US. SCCs apply when activated. | Up to 30 days (if configured) |
| OpenRouter (model router) | Routes selected chat composites, the chat fallback model, and the transient learning-agent fallback for Notebook Agent, AKT Teacher, AKT remedial generation, and AKT-tagged flash-card generation. Hosts the Qwen text embedding model (via the Nebius backend) used to embed user document chunks for personal RAG and to embed AKT knowledge-graph entity descriptions. Learning-agent fallback calls enforce provider.zdr=true; embedding calls are pinned to providers with data_collection: 'deny'. | US. SCCs apply. | Zero (ZDR / contractual deny) |
| Nebius (via OpenRouter routing only) | Sub-host for the Qwen text-embedding model accessed through OpenRouter. Used for personal-document RAG and AKT knowledge-graph entity embeddings. Reachable only via the OpenRouter routing layer with data_collection: 'deny' in effect. | European Union (Finland). UK GDPR adequacy applies. | Zero (contractual deny via OpenRouter) |
| Anthropic (Claude — via Vercel AI Gateway) | Alternative clinical chat composite (Claude Sonnet family) — selectable per tier as an alternate provider for clinical reasoning, drafting, and chat. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract; direct Anthropic API access is not used. | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| Moonshot AI (Kimi — via Vercel AI Gateway) | Alternative clinical chat composite (Kimi K2 family) — selectable per tier as an open-weights alternate for clinical reasoning. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract with preferred hosts (bedrock, fireworks, together); direct Moonshot API access is not used. | US (via Gateway hosting partners). UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| MiniMax (M2 — via Vercel AI Gateway) | Alternative clinical chat composite (MiniMax M2 family) — selectable per tier as an open-weights alternate. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract with preferred Western hosts (fireworks, together, parasail, nebius, deepinfra); direct MiniMax API access is not used. | US / EU (via Gateway hosting partners). UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| Zhipu AI (GLM — via Vercel AI Gateway) | Alternative clinical chat composite (Zhipu GLM family) — selectable per tier as an open-weights alternate. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract with preferred Western hosts (fireworks, deepinfra); direct Zhipu API access is not used. | US (via Gateway hosting partners). UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
| Alibaba (Qwen chat — via Vercel AI Gateway) | Alternative clinical chat composite (Qwen3 family — distinct from the Qwen text embedder above) — selectable per tier as an open-weights alternate for clinical chat. Routed exclusively through the Vercel AI Gateway under the gateway's ZDR contract; direct Alibaba API access is not used. | US (via Gateway hosting partners). UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero (gateway ZDR contract) |
No AI provider engaged by ClinicQuest — whether accessed via our zero-retention gateway or directly — is permitted to use submitted data to train AI models. This prohibition is contractually enforced with every provider, irrespective of data retention period.
* Direct Google Gemini access (30-day retention) is used only for educational and public-content features: the Notebook and AKT Teacher educational features, the AKT remedial study planning feature, standalone medicine information leaflet analysis, and the chat-mode search_leaflets tool's leaflet-metadata extraction step. These features process educational and public content only — they do not process patient-identifiable information.
Search & Retrieval (RAG)
Two distinct surfaces send small amounts of clinical-query text outside ClinicQuest's UK infrastructure: web search tools attached to the chat assistant (used when the assistant elects to fetch current external evidence), and retrieval & reranking services that score relevance over your personal document chunks. None of these providers receive patient identifiers; they receive only the synthesised query text the assistant constructs and, for reranking, your own document chunks that have already been embedded.
| Subprocessor | Purpose | Region & Transfer Mechanism | Data Retention |
|---|---|---|---|
| Parallel.ai | Web-search backend for the chat assistant's web_search tool. Receives short topical clinical queries synthesised by the assistant (e.g. "UK GP primary care guideline reference: topic") to fetch current guideline/evidence summaries. | US. UK Extension to the EU-US DPF + SCCs. | Per Parallel API terms; no training on API submissions |
| Perplexity | Web-search backend powering the fact-check feature (/api/fact-check), used to ground claims against current external sources. | US. UK Extension to the EU-US DPF + SCCs. | Per Perplexity API terms; no training on API submissions |
| Tavily | Search backend powering the assistant's medicine-information leaflet lookup tool. | US. SCCs apply. | Per Tavily API terms; no training on API submissions |
| Voyage AI | Reranker for AKT clinical-knowledge-graph queries (de-identified clinical taxonomy terms — drug names, conditions, guidelines). Personal document retrieval uses cosine-only ranking and is not routed through Voyage. ZDR via org-level opt-out in the Voyage dashboard (no per-request mechanism exists). | US. SCCs apply. | No training on API submissions; transient inference |
| Jina AI | Fallback reranker for AKT clinical-knowledge-graph queries (de-identified clinical taxonomy). Personal document retrieval is not routed through Jina. No dedicated DPA in place; GDPR compliance relies on EU/Berlin jurisdiction (Germany). | Germany / European Union. UK GDPR adequacy applies — no SCC required for UK→EU. | No training on API submissions; transient inference |
| Cohere | Alternative text-embedding provider for the personal-document RAG, selectable via the EMBEDDER configuration. Receives only chunks of your own documents to produce embedding vectors; never receives chat or clinical content unrelated to the documents you have uploaded for RAG. | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | No training on API submissions; transient inference |
* Web search and reranking happen on the assistant's behalf during a single request — no query content is retained by ClinicQuest beyond the message persistence rules in the Privacy Policy. The patient-identifiable information prohibition and anonymisation duty in Terms §4 apply to anything the assistant might quote into a search query.
Speech-to-Text
Voice dictation is processed by transcription providers selected per subscription tier. Audio is processed transiently — no recordings are retained, and no provider uses audio or transcripts for model training. The specific providers may change to preserve medical terminology accuracy, latency, and the retention controls described below.
| Subprocessor | Tier | Region & Transfer Mechanism | Data Retention |
|---|---|---|---|
| Cloudflare Workers AI Speech | Free | Cloudflare's global edge network — Workers AI runs the request at the nearest available point of presence (PoP). UK and EU PoPs are typical for ClinicQuest's traffic, but a specific region is not contractually guaranteed on the current plan. See note †. | Zero Data Retention |
| Groq (Whisper Large v3 Turbo) | Pro | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | Zero Data Retention enabled in Groq Data Controls; no training on API submissions. See note ‡. |
| Deepgram (Nova-3 Medical) | Max | US. UK Extension to the EU-US Data Privacy Framework + SCCs. | mip_opt_out=true on every request; retained only for processing duration |
† Cloudflare Workers AI residency. ClinicQuest is hosted on Cloudflare Workers and the Workers AI binding routes inference to the nearest PoP. In practice this means UK or EU regions for almost all of our user base, but Cloudflare's standard plan does not contractually pin Workers AI inference to a specific region. Strict UK/EU-only processing for STT would require a Cloudflare Enterprise plan with the data-residency add-on; we do not currently hold that contract.
‡ Groq retention. Groq's public data docs say inference customer data is not retained by default, except for limited reliability/abuse monitoring unless Zero Data Retention is enabled. ClinicQuest has enabled Groq ZDR in Data Controls for STT inference, so Groq does not retain customer audio/transcript data for that monitoring path.
* In all cases, audio is sent over TLS, processed transiently, and is not used for model training.
Portfolio Sync
ClinicQuest integrates with FourteenFish via its official API so trainees can push completed portfolio entries to their RCGP e-portfolio. Sync is always user-initiated.
| Subprocessor | Purpose | Location | Role |
|---|---|---|---|
| FourteenFish | Receives completed portfolio entries, capability mappings, and reflections via the official FourteenFish API when the user clicks "Sync" | United Kingdom | Independent Controller of the user's FourteenFish portfolio (post-transfer) |
* No data is transferred to FourteenFish unless the user explicitly clicks the sync action on a draft entry. Once transferred, the data is governed by FourteenFish's own privacy policy and acceptable-use terms (see fourteenfish.com/privacypolicy). FourteenFish is the user's primary RCGP e-portfolio provider; ClinicQuest acts as a processor only up to the moment the user authorises the push.
Analytics & Error Monitoring
We collect account-linked product analytics and operational error telemetry to understand feature usage, AI model and credit consumption, diagnose failures, and monitor system performance. Analytics may include account identifiers such as user ID and email so events can be linked to the signed-in account. Both providers are configured with content scrubbing — message content, transcripts, notebook content, portfolio text, request bodies, query strings, cookies, auth headers, and identifiers such as patient names, NHS numbers, and dates of birth are redacted before any event leaves the server.
| Subprocessor | Purpose | Location |
|---|---|---|
| PostHog | Account-linked product analytics (no clinical content) | European Union (EU Region) |
| Sentry | Error monitoring & performance tracing (with content scrubbing) | Germany / European Union |
Payments
We use PCI-DSS compliant providers for all subscription and billing processes.
| Subprocessor | Purpose | Region & Transfer Mechanism |
|---|---|---|
| Stripe | Payment processing (no clinical content). Includes Stripe Sync Engine, which replicates subscription, invoice, and customer metadata into ClinicQuest's Supabase database. No clinical content is included. | United States / Global. UK/EU SCCs under Stripe's DPA at stripe.com/legal/dpa. |
Email & Communications
Providers used for delivering transactional emails and essential service communications. Cloudflare Email Service may process assistant-composed email content, including clinical or referral drafts, only when a signed-in user explicitly asks ClinicQuest to email that content to their registered address. Brevo reminder and alert emails do not contain clinical narrative.
| Subprocessor | Purpose | Region & Transfer Mechanism |
|---|---|---|
| Cloudflare Email Service | Transactional assistant emails sent only on user request to the user's registered address, including assistant-composed content such as referral drafts when the user chooses to email them | Cloudflare global edge. UK Extension to EU-US DPF + SCCs apply. |
| Brevo | Portfolio reminder emails and operational alerts | European Union (France). UK GDPR adequacy applies — no SCC required for UK→EU transfers. |