Subprocessors

Last Updated: May 4, 2026

CounselorAI LLC (“CounselorAI,” “we,” “us”) uses a small number of third-party service providers (“subprocessors”) to help us operate the CounselorAI Service. This page lists our current subprocessors that process Customer Data, the purpose of each, the location where data is processed, and what categories of data each handles.

This page is incorporated by reference into our Terms of Service, our Privacy Policy, our Google API Services Disclosure, and any Business Associate Agreement we have signed with you.


1. Subprocessor Commitments

For each subprocessor listed below:

  • We have a written agreement in place that requires the subprocessor to protect Customer Data with safeguards at least as protective as those we provide.
  • The subprocessor is contractually prohibited from using Customer Data for any purpose other than providing services to CounselorAI.
  • Where the subprocessor may process protected health information (PHI) on our behalf, we have executed a HIPAA Business Associate Agreement with the subprocessor.
  • The subprocessor is contractually prohibited from using Customer Data — including any Google Workspace Data — to develop, improve, or train any artificial intelligence or machine learning model, including any generalized, foundation, multi-tenant, or non-personalized model.

2. Current Subprocessors

2.1 Amazon Web Services, Inc. (AWS)

Purpose: Cloud infrastructure hosting, application hosting, encrypted data storage, AI model access via AWS Bedrock
Categories of data processed: All Customer Data, including Google Workspace Data and protected health information
Processing location: United States (AWS US regions)
HIPAA BAA in place: Yes
No-AI-training commitment: Yes
Website / Security info: aws.amazon.com/compliance

2.2 Anthropic, PBC

Purpose: Large language model (LLM) inference for AI-generated content, accessed via AWS Bedrock
Categories of data processed: Specific Customer Data content transmitted only as necessary to generate the user-facing AI output you request (for example, a demand letter draft for a specific case). May include Google Workspace Data and protected health information.
Processing location: United States (via AWS Bedrock US regions)
HIPAA BAA in place: Yes (where applicable)
No-AI-training commitment: Yes — Anthropic is contractually prohibited from using your data to train or improve its foundation models
Website / Security info: anthropic.com/legal

2.3 Sendinblue SAS (Brevo)

Purpose: Transactional email delivery (account password resets, invoices, account notifications)
Categories of data processed: Recipient name and email address, and the content of the transactional email itself (account, billing, and notification messages). No protected health information, no case content, and no Google Workspace Data is sent to Brevo.
Processing location: European Union (primarily France and Germany)
HIPAA BAA in place: Not applicable — no PHI is transmitted to Brevo
No-AI-training commitment: Yes
Website / Security info: brevo.com/legal

3. Data Residency

CounselorAI processes Customer Data — including all case content, medical records, generated work product, and Google Workspace Data — in the United States (within AWS US regions).

The only Customer Data processed outside the United States is the limited set of transactional email metadata and content described in Section 2.3 (account/billing notifications), which is processed by Brevo in the European Union. No protected health information, case content, or Google Workspace Data is processed outside the United States.


4. Updates to This List

We may add, remove, or replace subprocessors from time to time as our Service evolves.

4.1 Notification

We will provide reasonable advance notice of any new subprocessor that will process Customer Data by:

  • Updating this page and updating the “Last Updated” date at the top
  • For Customers with an executed Business Associate Agreement or order form requiring direct notice, sending an email to your designated notice contact at least 30 days before the new subprocessor begins processing Customer Data, except where a shorter period is required to address a security, legal, or operational emergency

4.2 Right to Object

Customers with an executed Business Associate Agreement may object to a new subprocessor on the basis of a documented HIPAA-related concern. If we cannot resolve the concern in good faith, your sole remedy is to terminate the affected portion of the Service without penalty.

4.3 Subscribe to Updates

To receive email notifications when this list changes, send a request to [email protected] with the subject line “Subprocessor Updates.”


5. Subprocessor Categories We Do NOT Use

For transparency, the following categories of subprocessors are not part of our processing chain at this time:

  • Advertising networks or ad-tech providers — we do not use Customer Data for advertising
  • Data brokers — we do not sell or transfer Customer Data to data brokers
  • Generalized AI training providers — we do not transfer Customer Data to any provider for the purpose of training generalized or foundation AI models
  • Web analytics providers — we do not use Google Analytics, Mixpanel, or similar third-party analytics on pages or screens that contain Customer Data
  • Third-party error tracking or monitoring providers — we use only AWS-native logging and monitoring (covered by our AWS Business Associate Agreement) and do not transmit application errors, stack traces, or request payloads to any third-party error tracking service
  • Third-party payment processors — we invoice Customers directly on a business-to-business basis and do not transmit payment card or bank account information to any payment processor

6. Contact

For questions about our subprocessors or to request additional information:

CounselorAI LLC
Legal: [email protected]
Privacy: [email protected]
Mailing address: 100 Spectrum Center Dr #900, Irvine, CA 92618