Covered Services and Subprocessors

Last updated: March 3, 2026

This document identifies the SendMeDocs services and subprocessors covered under the Business Associate Agreement (BAA) for organizations subject to HIPAA. Services and delivery channels not listed below are not covered and should not be relied upon for protected health information (PHI).

Covered services

• Dashboard — web application for creating and managing document requests, viewing uploaded files, and managing organization settings.
• Upload portal — secure, token-authenticated pages where recipients upload requested documents. All uploads are encrypted in transit (TLS) and at rest (AES-256).
• REST API — programmatic interface for creating requests, downloading files, and managing document workflows. Authenticated via API keys.
• MCP protocol — Model Context Protocol endpoint for AI agent access to request management. Authenticated via API keys or OAuth 2.1.

Data beyond our network

SendMeDocs safeguards apply to data while it is within our infrastructure. Once data leaves our network, it is subject to the security practices of the receiving system. Two common cases:

• Notification delivery. Email and SMS notifications may include recipient names and secure upload links. These messages are transmitted to third-party delivery infrastructure and recipient mail servers or carriers that SendMeDocs does not control. Standard email does not guarantee end-to-end encryption between mail servers.
• AI assistants and API clients. The SendMeDocs API and MCP protocol are covered services. However, third-party AI assistants and clients that connect to these interfaces — including but not limited to Claude, ChatGPT, Microsoft Copilot, and custom agents — are independent services operated by their respective providers. SendMeDocs does not control how these services process, store, cache, or retain data retrieved from our API.

Organizations operating under a BAA are responsible for evaluating the compliance posture of any third-party service through which they access or receive data from SendMeDocs.

Support

HIPAA-related support requests must be submitted through the authenticated support portal in the SendMeDocs dashboard. Requests submitted through unauthenticated channels cannot be verified and will not be processed for matters involving protected health information.

Subprocessors

The following third-party providers process data on behalf of SendMeDocs. Only providers listed with a signed BAA handle PHI under the terms of our Business Associate Agreement.

• Amazon Web Services — S3 (document storage) and SES (email delivery). BAA signed.
• Vultr — cloud compute, networking, and database hosting. BAA signed.
• Stripe — payment processing only. No PHI is transmitted to or stored by Stripe.

This document is provided for informational purposes and may be updated as services and subprocessors change. The Business Associate Agreement governs the legal obligations between SendMeDocs and its customers. Questions about covered services may be directed to our contact form.