Dermi Sub-Processors

Last Updated: February 10, 2026

Dermi Inc. engages the following third-party entities ("Sub-Processors") to process personal data. These providers support the Dermi Portal, Dermi Atlas Cloud Demo, and administrative functions of Dermi Atlas Professional (including license verification, updates, and account notifications).

Amazon Web Services (AWS)

Entity: Amazon.com, Inc.
Purpose: Cloud Infrastructure
Data Processed: Account data, usage logs, license information, email addresses, administrative request metadata (IP, User Agent, Timezone, confirmation tokens).
Location: U.S. / Canada

MongoDB Atlas

Entity: MongoDB, Inc.
Purpose: Database Hosting
Data Processed: Account data, license information, email addresses
Location: U.S.

Stripe

Entity: Stripe, Inc.
Purpose: Payment Processing
Data Processed: Billing information (payment methods are tokenized; Dermi does not store full card numbers)
Location: U.S.

Postmark

Entity: ActiveCampaign, LLC
Purpose: Transactional Email Delivery
Data Processed: Email addresses, email contents (used for account verification, confirmation emails, and notification emails).
Location: U.S.

---

Note: Health Information (including U.S. Protected Health Information and Canadian Personal Health Information) stored in Dermi Atlas Professional remains on your local infrastructure and is never transmitted to these sub-processors.

Cross-Border Transfer Safeguards

All sub-processors listed above (with the exception of certain AWS infrastructure located in Canada) process personal data in the United States. Dermi maintains written data processing agreements (DPAs) or equivalent contractual protections with each sub-processor. These agreements require each sub-processor to maintain safeguards for personal data that are comparable to the protections required under PIPEDA, including obligations regarding data security, confidentiality, and incident notification.

Personal data processed in the United States is subject to U.S. jurisdiction, including lawful access by U.S. courts, law enforcement, or national security authorities.

Updates

We will provide 30 days notice of any new Sub-Processors via our website or email. Objections may be sent to privacy@dermi.ai.

If an objection is raised, Dermi will respond within 15 business days with information about the measures taken to address the concern. If the objection cannot be resolved to your reasonable satisfaction, you may terminate your subscription and receive a pro-rata refund for any prepaid, unused portion of the subscription term.