The following sub-processors are engaged by Project Line to provide Virtual Medical Assistant (VMA). Material changes (addition or replacement) are notified to all clinics 30 days before they take effect.
| Sub-processor | Purpose | Data hosted | Region | Safeguards |
|---|---|---|---|---|
| Microsoft Azure (Microsoft Corp.) | Cloud hosting: App Service, SQL Database, Blob Storage, Key Vault | All clinic + patient records, file attachments, backups | Israel Central by default; other Azure regions per clinic contract | EU SCCs; Azure Data Protection Addendum; ISO 27001/27018; HIPAA-eligible service list |
| OpenAI, L.L.C. | LLM inference for voice agent, chat agent, image OCR | Real-time audio stream (speech-to-speech, not retained), prompts, document/card images | US; EU residency where available | SCCs; OpenAI DPA; zero-retention API tier; no model training on customer data |
| Twilio Inc. | Inbound + outbound voice + SMS; phone-number provisioning | Phone numbers, call routes, SMS bodies | US; EU regions available | SCCs; Twilio DPA; HIPAA Business Associate Agreement |
| Stripe Payments Europe Ltd. | Card tokenisation, charge, refund (PCI SAQ-A scope) | Tokenised payment methods, payment metadata; no PAN ever stored at processor | EU/UK/US | EU SCCs; Stripe DPA; PCI-DSS Level 1 |
| Meta Platforms Ireland Ltd. | WhatsApp Business Cloud API messaging | Patient phone, template body, delivery status | EU/Ireland | Meta DPA; WhatsApp Business Terms; SCCs for non-EU transfers |
| Google LLC | Google Workspace OAuth — clinic-attaches their own Drive / Gmail | Only what clinic shares; OAuth tokens stored encrypted | EU/US | SCCs; Google Workspace DPA. Optional; clinic opt-in. |
| Microsoft (Azure AD / Microsoft Graph) | Optional clinic OAuth — Outlook / OneDrive | Only what clinic shares; OAuth tokens stored encrypted | EU/US | Microsoft 365 DPA; SCCs. Optional. |
| PayPal Holdings, Inc. | Card / bank payment processing for clinic-issued invoices (clinic opt-in per processor) | Tokenised payment methods, transaction amount, invoice metadata; no PAN stored at processor (PCI-DSS SAQ-A scope) | EU/UK/US | Optional — clinic opt-in. SCCs; processor DPA; PCI-DSS Level 1. |
| Cardcom Ltd. (Israel) | Card / bank payment processing for clinic-issued invoices (clinic opt-in per processor) | Tokenised payment methods, transaction amount, invoice metadata; no PAN stored at processor (PCI-DSS SAQ-A scope) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
| Tranzila Ltd. (Israel) | Card / bank payment processing for clinic-issued invoices (clinic opt-in per processor) | Tokenised payment methods, transaction amount, invoice metadata; no PAN stored at processor (PCI-DSS SAQ-A scope) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
| PayPlus Ltd. (Israel) | Card / bank payment processing for clinic-issued invoices (clinic opt-in per processor) | Tokenised payment methods, transaction amount, invoice metadata; no PAN stored at processor (PCI-DSS SAQ-A scope) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
| Meshulam Ltd. (Israel) | Card / bank payment processing for clinic-issued invoices (clinic opt-in per processor) | Tokenised payment methods, transaction amount, invoice metadata; no PAN stored at processor (PCI-DSS SAQ-A scope) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
| GreenInvoice Ltd. (Israel) | Electronic invoice generation for Israeli tax authority (Heshbonit Mas / חשבונית מס) | Patient name, invoice line items, total, VAT (no clinical content) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
| iCount Ltd. (Israel) | Electronic invoice generation for Israeli tax authority (Heshbonit Mas / חשבונית מס) | Patient name, invoice line items, total, VAT (no clinical content) | Israel | Optional — clinic opt-in. Israeli PCI-DSS Level 1 acquirer; clinic signs vendor agreement directly with processor. |
When a sub-processor is added or replaced, Project Line creates a SubProcessorChangeRecord with at least 30-day notice. A broadcast email goes to every clinic. Clinics that object may terminate the Service Agreement before the effective date (DPA §5).
To object to a sub-processor, email emil.mamadov@projectlineil.com before the effective date specified in the notice.