Sub-processors

Every third party that touches blankit data.

Blankit Health Inc. operates inside AWS, primarily in AWS Canada (Montreal, ca-central-1). The list below is the complete inventory of third parties that process any personal information on behalf of blankit, the purpose of that processing, and how it complies with Quebec Law 25 and PIPEDA cross-border disclosure obligations. Where a sub-processor operates outside Canada, that is stated explicitly.

Amazon Web Services Canada (storage + lightweight AI)

Active
Location: Canada (ca-central-1, Montreal)
Purpose: Hosting, database (RDS PostgreSQL), object storage (S3), secrets management (KMS), and routine AI inference via Bedrock (Claude Haiku)
Categories: All client data at rest. Lightweight AI inference (chatbot routing, bulk text extraction) runs here.
Transfer mechanism: Application servers, database, object storage, backups, and routine AI inference all stay in Canada. AWS Canadian Customer Agreement governs.

Amazon Web Services Bedrock (cross-region inference)

Active
Location: Entry point in ca-central-1; inference may run in any AWS region with capacity (in practice US)
Purpose: Heavy AI extraction via Claude Sonnet 4.x and Opus 4.x through AWS `global.*` inference profiles — used for renewal PDF parsing, claims experience parsing, booklet comparison, and document-difference analysis
Categories: Booklet PDF content, claims experience document content, renewal PDF content, and any other document content the platform sends to Sonnet/Opus models
Transfer mechanism: AWS publishes no `ca.*` inference profile for Claude Sonnet 4.x or Opus 4.x; only `us.*` (US regions only) and `global.*` (any region with capacity). We use `global.*`. All inference is covered by the AWS Customer Agreement + AWS DPA. Anthropic does not see the data. Switching to a `ca.*` profile the moment AWS publishes one is a single-line code change.

Stripe Payments Canada

Active
Location: Canada with US data processing
Purpose: Subscription billing for firms that subscribe to blankit
Categories: Firm billing contact identity only — no plan-sponsor or plan-member data
Transfer mechanism: Stripe DPA + PCI DSS Level 1 controls. Plan-sponsor and plan-member data is never sent to Stripe.

Resend

Active
Location: United States
Purpose: Outbound transactional email — password resets, daily firm-facing notification digests
Categories: Recipient email address and the body of the operational email
Transfer mechanism: Resend DPA. Health information is never sent by email; only operational metadata (e.g. "you have 3 new Critical Illness enrolment requests in the dashboard").

Anthropic PBC

Standby / fallback
Location: United States
Purpose: Claude AI inference, when AWS Bedrock is unavailable (fallback only)
Categories: None in current production. Retained as a disaster-recovery path.
Transfer mechanism: Anthropic Commercial Terms + DPA. Production routes 100% of AI traffic through AWS Bedrock in ca-central-1; the Anthropic API is reachable from staging but disabled in production by the `USE_BEDROCK=true` task setting.

Notification of change

We tell you before adding a sub-processor.

Firms that subscribe to blankit are notified at least 30 days before a new sub-processor is added to the production data path. Notification is emailed to the firm's billing and security contact and posted to this page.

A firm that objects to a new sub-processor within the 30-day window may terminate the subscription without penalty.

Privacy Officer: Chris Gory · chris@blankit.ca

Last reviewed 2026-05-14. The internal source of truth is the Records of Processing Activities document (Blankit Health Inc., Section 3) — any change there is mirrored here in the same release.
