Trust & Compliance
Subprocessor Register
Last reviewed: June 21, 2026. Providers are core, optional, or feature-dependent. Agreement details and security documentation are available upon request where appropriate.
Merba uses subprocessors to host, store, deliver, secure, monitor, communicate, integrate, and generate requested platform outputs. Not every provider receives every category of data. Optional providers are used only when the relevant feature is enabled or configured.
This register names provider use cases and the narrow data slice each provider may process. It does not publish Merba's proprietary prompts, routing logic, quality-control methods, provider sequencing, taxonomies, or ad-production workflows.
Merba does not route PHI to AI/media providers as a permitted data category. PHI-capable data may be processed by core infrastructure or communications providers when tenants use charting, appointment, notification, or health-related workflows.
| Provider | Used for | Data processed | Access boundary | Status |
|---|---|---|---|---|
| Hetzner | Hosts the Merba application and worker runtime. | Processes server requests, session metadata, and platform data needed to deliver the service. | Core infrastructure only; it does not receive separate AI prompts or payment card numbers from Merba. | Core infrastructure |
| Neon Postgres | Stores Merba application records. | Stores account, business, booking, client, charting, invoice, integration, audit, and platform records created inside Merba. | Core database provider; access is limited to records Merba must store to operate the product. | Core infrastructure |
| Backblaze B2 | Stores generated and uploaded media files. | Stores generated ad videos, posters, clips, logos, product images, and other media assets. | Not a permitted PHI destination; do not upload chart notes, clinical files, or payment details as media assets. | Core media storage |
| Stripe | Processes Merba billing and tenant-owned connected-account payments. | Processes billing identity, payment metadata, connected account identifiers, checkout events, disputes, refunds, and payout metadata. | Payment card data is handled by Stripe; Merba stores payment metadata and account IDs, not raw card numbers. | Core payments |
| Twilio | Sends SMS notifications, verification codes, and security messages. | Processes the recipient phone number, SMS message body, and delivery metadata for messages Merba sends. | Message content should stay operational; sensitive health or chart details should not be placed in SMS text. | Core communications |
| Resend | Sends transactional email for account, booking, approval, invoice, support, and system workflows. | Processes recipient email addresses, email message content, template variables, and delivery metadata. | Email content is limited to the transaction being delivered; chart records and payment card details are not sent as provider inputs. | Core communications |
| Sentry | Monitors platform errors and reliability. | Processes error traces, route metadata, device/browser metadata, and scrubbed identifiers when errors occur. | Sentry is for diagnostics; Merba works to avoid sending secrets, chart contents, payment card data, or broad client data in error events. | Observability |
| | Generates requested media outputs from user-defined creative prompts when media generation is enabled. | Processes the prompt and the minimum business, brand, or scene context needed to create the requested media asset. | This media path does not receive chart notes, clinical records, payment tokens, broad client lists, or Merba's proprietary production workflow. | AI/media provider |
| OpenAI/ChatGPT | Supports requested image, creative, and language-assisted media workflows. | Processes user-provided prompts and the minimum business, brand, service, or public website context needed for the requested output. | This path does not receive chart notes, clinical records, payment tokens, broad client lists, or Merba's proprietary production workflow. | AI/media provider |
| Claude | Supports requested business intelligence and creative text workflows. | Processes the user's request plus the minimum business profile, service, pricing, website, public market, or creative context needed to answer or generate the requested output. | This path does not receive chart notes, clinical records, payment tokens, broad client lists, or Merba's proprietary production workflow. | AI/intelligence provider |
| | Supports optional Google sign-in and Google Calendar sync when a user enables those features. | Processes OAuth account data, calendar authorization data, and calendar event data needed to sync availability and appointments. | Used only for enabled Google account/calendar features; it is separate from AI/media generation. | Optional integration |
| Microsoft/Outlook | Supports optional Outlook calendar sync when a user enables it. | Processes OAuth authorization data and calendar event data needed to sync availability and appointments. | Used only for enabled Outlook calendar features. | Optional integration |
| Meta/Instagram | Supports optional Instagram publishing and campaign-related social workflows when connected. | Processes account authorization data, page/account identifiers, published media, captions, campaign metadata, and delivery responses. | Used only for connected social features; it does not receive chart notes, clinical records, payment tokens, or broad client lists. | Optional integration |
| HubSpot | Supports optional CRM sync when a tenant connects HubSpot. | Processes contact and business relationship data selected for CRM sync. | Used only when enabled by the tenant; tenants are responsible for having the consent needed to sync customer data to their CRM. | Optional integration |
| OpenFreeMap | Displays map tiles for location and discovery interfaces. | Processes map tile requests and basic request metadata needed to render maps. | Does not receive client records, chart notes, payment data, or AI prompts. | Optional/location |
| OpenStreetMap/Nominatim | Geocodes addresses and location searches. | Processes the address or location text submitted for geocoding plus request metadata. | Used for address/location resolution; it does not receive client files, chart notes, payment data, or AI prompts. | Optional/location |
Provider data rules: Do not send chart notes, chart approvals, chart PDFs, client notes, payment tokens, broad client lists, or clinical data to AI/media providers.
Proprietary workflow boundary: Vendor disclosure does not include prompts, model routing, compiler logic, internal taxonomies, scoring systems, or production workflow details.
Questions about subprocessors can be sent to privacy@merba.app.