A subprocessor is a third-party company that ROI uses to help deliver the platform and its services — and that may receive, process, or store data about you in the course of doing so. We are committed to transparency about every vendor in our data supply chain.
This page lists every subprocessor ROI currently uses, what they do, where they are based, whether a Business Associate Agreement (BAA) is in place, and a link to their privacy information. We update this list whenever we add, remove, or significantly change a subprocessor, and we notify active subscribers of material changes at least 30 days in advance.
| Vendor | Service Provided | Data Location | BAA Status | PHI Possible? | Privacy / Security Info |
|---|---|---|---|---|---|
| Oracle Cloud Infrastructure (OCI) | Cloud hosting, database, object storage, audit logging, encryption key management | US East (Ashburn, VA) | ✅ BAA Signed (March 19, 2026) | Yes — consulting data may be stored here | Oracle Privacy Policy |
| Stripe | Payment processing and subscription billing | US / Global | N/A — no PHI | No — PHI must never be submitted to Stripe | Stripe Privacy Policy |
| Clerk.dev | User authentication, login management, MFA (planned — Phase 2) | US | ⏳ BAA to be obtained before launch | Possible — auth data for users who access consulting tools | Clerk Privacy Policy |
| Google Fonts | Web font delivery (typography only) | Global CDN | N/A — no user data | No — font files only, no user data transmitted | Google Fonts Privacy FAQ |
| Google Analytics (GA4) | Aggregated, anonymized website usage analytics (page views, traffic sources, session behavior). No PHI is collected or transmitted. IP anonymization is enabled. | US / Global (Google infrastructure) | N/A — no PHI transmitted | No — analytics data is aggregated and anonymized; PHI must never be submitted | Google Privacy Policy |
| Google Workspace | Business email (hello@roithatworks.com, compliance@roithatworks.com) and internal communications | US (Google data centers) | ✅ HIPAA BAA Signed (March 31, 2026) | Possible — compliance@ inbox may receive PHI-related correspondence from consulting clients | Google Workspace Data Processing Terms |
Last reviewed: March 31, 2026. Subscribers will be notified before any new subprocessor that may receive PHI is added.
If you are a consulting client operating under a Business Associate Agreement with ROI, you may object to the addition of a new subprocessor that would handle PHI by emailing compliance@roithatworks.com within 30 days of receiving notice. We will work with you in good faith to address the concern.
Standard platform subscribers (Basic, Pro, Premium) who object to a new subprocessor may cancel their subscription before the change takes effect and receive a prorated refund for any prepaid subscription period.