Service Providers and Sub-processors

Regenemm Healthcare may use service providers and sub-processors to operate, secure, monitor, support, and improve the Regenemm platform.

Healthcare data requires stronger provider governance than ordinary SaaS data. Providers that may process sensitive platform data should be reviewed for purpose, data class, region, security posture, retention, contractual safeguards, incident notification, and clinical data exposure before operational reliance.

Provider Governance Position

Regenemm's intended provider governance posture is:

providers must be recorded before production use;
clinical data exposure must be declared;
MHR-linked data requires stricter approval;
agentic workflow data requires runtime and retention review;
credentials and integration secrets require separated handling;
telemetry and analytics providers should not receive identifiable patient information or clinical payloads by default;
provider approval must be specific to environment, data class, and service purpose.

Provider Categories

Providers may support:

cloud hosting;
database and storage services;
authentication;
email and communications;
payment processing;
AI model services;
transcription;
embeddings or vector stores;
analytics;
logging and observability;
security tooling;
support tooling;
interoperability services;
Edge Connector support;
backup and disaster recovery.

Data Classes

Provider review should consider whether a provider may process:

clinical source data;
Regenemm Link patient-controlled data;
MHR-linked data;
interoperability data;
Edge ingestion data;
agentic workflow data;
audit and provenance data;
credentials and secrets;
billing data;
website analytics data;
non-sensitive operational data.

Register Fields

Regenemm should maintain a service-provider register that identifies:

provider name;
service purpose;
product or service used;
data classes processed;
clinical data exposure;
region or hosting location;
retention profile;
encryption posture;
access controls;
contract or data processing terms status;
BAA status where applicable;
Australian residency impact where applicable;
MHR-linked impact where applicable;
approved environments;
owner;
review date;
next review date;
approval status.

AI Runtime Providers

AI runtime providers require additional review because prompts, outputs, traces, retrieval context, and tool calls may contain clinical context.

AI provider review should assess retention, training posture, logging, telemetry, region, access controls, contractual terms, incident notification, and whether identifiable patient data may be processed.

Identifiable patient data is not intended to be used for foundation model training by default.

Service Providers and Sub-processors

Regenemm Healthcare may use service providers and sub-processors to operate, secure, monitor, support, and improve the Regenemm platform.

Provider Governance Position

Regenemm's intended provider governance posture is:

providers must be recorded before production use;

clinical data exposure must be declared;

MHR-linked data requires stricter approval;

agentic workflow data requires runtime and retention review;

credentials and integration secrets require separated handling;

telemetry and analytics providers should not receive identifiable patient information or clinical payloads by default;

provider approval must be specific to environment, data class, and service purpose.

Provider Categories

Providers may support:

cloud hosting;

database and storage services;

authentication;

email and communications;

payment processing;

AI model services;

transcription;

embeddings or vector stores;

analytics;

logging and observability;

security tooling;

support tooling;

interoperability services;

Edge Connector support;

backup and disaster recovery.

Data Classes

Provider review should consider whether a provider may process:

clinical source data;

Regenemm Link patient-controlled data;

MHR-linked data;

interoperability data;

Edge ingestion data;

agentic workflow data;

audit and provenance data;

credentials and secrets;

billing data;

website analytics data;

non-sensitive operational data.

Regenemm should maintain a service-provider register that identifies:

provider name;

service purpose;

product or service used;

data classes processed;

clinical data exposure;

region or hosting location;

retention profile;

encryption posture;

access controls;

contract or data processing terms status;

BAA status where applicable;

Australian residency impact where applicable;

MHR-linked impact where applicable;

approved environments;

owner;

review date;

next review date;

approval status.

AI Runtime Providers

AI runtime providers require additional review because prompts, outputs, traces, retrieval context, and tool calls may contain clinical context.

Identifiable patient data is not intended to be used for foundation model training by default.