Dermi Sub-Processors

Last Updated: May 25, 2026

Dermi Inc. engages the following third-party entities ("Sub-Processors") to process personal data. These providers support the Dermi website, the Dermi Portal, the Dermi Atlas Cloud Demo, the Dermi Atlas Companion iOS application, and administrative functions of Dermi Atlas Professional (including license verification, updates, and account notifications).

Amazon Web Services (AWS)

Entity: Amazon.com, Inc.
Purpose: Cloud Infrastructure
Data Processed: Account data, usage logs, license information, email addresses, administrative request metadata (IP, User Agent, Timezone, confirmation tokens).
Location: U.S. / Canada

MongoDB Atlas

Entity: MongoDB, Inc.
Purpose: Database Hosting
Data Processed: Account data, license information, email addresses
Location: U.S.

Stripe

Entity: Stripe, Inc.
Purpose: Payment Processing
Data Processed: Billing information (payment methods are tokenized; Dermi does not store full card numbers)
Location: U.S.

Postmark

Entity: ActiveCampaign, LLC
Purpose: Transactional Email Delivery
Data Processed: Email addresses, email contents (used for account verification, confirmation emails, and notification emails).
Location: U.S.

Apple

Entity: Apple Inc.
Purpose: App Store distribution of the Dermi Atlas Companion iOS application, including hosting, delivery, receipts, and platform-level diagnostics where the End-User opts in at the iOS level.
Data Processed: Apple Account identifiers (received by Apple, not by Dermi), App Store download metadata, optional iOS-level analytics and crash data (only where the End-User has opted in via iOS Settings).
Location: United States and Apple's global infrastructure.

Vercel

Entity: Vercel Inc.
Purpose: Hosting of the dermi.ai marketing website and Vercel Web Analytics (cookieless, first-party page analytics).
Data Processed: Anonymized visitor hash, page path, referrer, country, User-Agent class. No raw IP retained at rest.
Location: U.S.

---

Note: Health Information (including U.S. Protected Health Information, Canadian Personal Health Information, and Australian "sensitive information" (including "health information") as defined under the Privacy Act 1988 (Cth) and applicable state and territory health records legislation) stored in Dermi Atlas Professional remains on your local infrastructure and is never transmitted to these sub-processors.

Cross-Border Transfer Safeguards

All sub-processors listed above (with the exception of certain AWS infrastructure located in Canada) process personal data in the United States or in Apple's global infrastructure as applicable. Dermi maintains written data processing agreements (DPAs) or equivalent contractual protections with each sub-processor where commercially available. These agreements require each sub-processor to maintain safeguards for personal data that are comparable to the protections required under PIPEDA, including obligations regarding data security, confidentiality, and incident notification.

For Australian users, Dermi takes reasonable steps in accordance with Australian Privacy Principle 8.1 to ensure that overseas recipients of personal information handle that information in a manner consistent with the Australian Privacy Principles, and identifies Canada and the United States as the destination countries for such transfers.

Personal data processed in the United States is subject to U.S. jurisdiction, including lawful access by U.S. courts, law enforcement, or national security authorities.

Updates

We will provide 30 days notice of any new Sub-Processors via our website or email. Objections may be sent to privacy@dermi.ai.

If an objection is raised, Dermi will respond within 15 business days with information about the measures taken to address the concern. If the objection cannot be resolved to your reasonable satisfaction, you may terminate your subscription and receive a pro-rata refund for any prepaid, unused portion of the subscription term.