Dermi Sub-Processors
Third-party service providers used by Dermi
Dermi Inc. engages the following third-party entities ("Sub-Processors") to process personal data. These providers support the Dermi website, the Dermi Portal, the Dermi Atlas Cloud Demo, the Dermi Atlas Companion iOS application, and administrative functions of Dermi Atlas Professional (including license verification, updates, and account notifications).
Amazon Web Services (AWS)
Entity: Amazon Web Services, Inc. and Amazon Web Services Canada, Inc.
Purpose: Cloud Infrastructure
Data Processed: Account data, usage logs, license information, email addresses, administrative request metadata (IP, User Agent, Timezone, confirmation tokens).
Location: U.S. / Canada
MongoDB Atlas
Entity: MongoDB, Inc.
Purpose: Database Hosting
Data Processed: Account data, license information, email addresses
Location: U.S.
Stripe
Entity: Stripe, Inc. and its affiliates, including Stripe Payments Canada, Ltd.
Purpose: Payment Processing
Data Processed: Billing information (payment methods are tokenized; Dermi does not store full card numbers)
Location: U.S. / Canada
Postmark
Entity: ActiveCampaign, LLC
Purpose: Transactional Email Delivery
Data Processed: Email addresses, email contents (used for account verification, confirmation emails, and notification emails).
Location: U.S.
Cloudflare
Entity: Cloudflare, Inc.
Purpose: Bot protection and abuse prevention (Cloudflare Turnstile) on sign-in, registration, and password-recovery pages of the cloud-hosted Services.
Data Processed: IP address, browser and device characteristics, and challenge tokens used to distinguish human visitors from automated traffic. Turnstile does not use advertising cookies and is not used for cross-site profiling.
Location: U.S. (global edge network)
Apple
Entity: Apple Inc.
Purpose: App Store distribution of the Dermi Atlas Companion iOS application, including hosting, delivery, receipts, and platform-level diagnostics where the End-User opts in at the iOS level.
Data Processed: Apple Account identifiers (received by Apple, not by Dermi), App Store download metadata, optional iOS-level analytics and crash data (only where the End-User has opted in via iOS Settings).
Location: United States and Apple's global infrastructure.
Vercel
Entity: Vercel Inc.
Purpose: Hosting of the dermi.ai marketing website and Vercel Web Analytics (cookieless, first-party page analytics).
Data Processed: Anonymized visitor hash, page path, referrer, country, User-Agent class. No raw IP retained at rest.
Location: U.S.
Entity: Google LLC
Purpose: Advertising and conversion measurement (Google Ads via the Google tag) on the dermi.ai marketing website.
Data Processed: Online identifiers (advertising cookies where advertising storage is permitted), IP address, browser and device information, page and referrer URLs. Advertising storage defaults to denied for visitors in the European Economic Area, the United Kingdom, Switzerland, and Quebec, and for browsers that send a Global Privacy Control signal.
Location: United States and Google's global infrastructure.
Note: Health Information (including U.S. Protected Health Information, Canadian Personal Health Information, Australian "sensitive information" (including "health information") as defined under the Privacy Act 1988 (Cth) and applicable state and territory health records legislation, New Zealand "health information" as defined by the Health Information Privacy Code 2020, and Swiss personal data concerning health) stored in Dermi Atlas Professional remains on your local infrastructure and is never transmitted to these sub-processors.
Cross-Border Transfer Safeguards
All sub-processors listed above (with the exception of certain AWS infrastructure located in Canada and Stripe's Canadian affiliate) process personal data in the United States or, in the case of Apple, Cloudflare, and Google, on U.S.-based and global infrastructure as applicable. Dermi maintains written data processing agreements (DPAs) or equivalent contractual protections with each sub-processor where commercially available. These agreements require each sub-processor to maintain safeguards for personal data that are comparable to the protections required under PIPEDA, including obligations regarding data security, confidentiality, and incident notification.
For Australian users, Dermi takes reasonable steps in accordance with Australian Privacy Principle 8.1 to ensure that overseas recipients of personal information handle that information in a manner consistent with the Australian Privacy Principles, and identifies Canada and the United States as the destination countries for such transfers.
For New Zealand users, sub-processors that act solely on Dermi's behalf hold personal information as agents of Dermi under section 11 of the Privacy Act 2020 (New Zealand), and Dermi remains responsible for the security of that information. Where a sub-processor also uses personal information for its own purposes (such as Stripe, Apple, or Google), the disclosure is made on the basis that the recipient is required, including under its agreement with Dermi, to protect the information in a way that, overall, provides comparable safeguards to those in that Act.
For Swiss users, personal data is disclosed to recipients in Canada, a jurisdiction recognized by Switzerland as providing an adequate level of data protection for private-sector entities, and to sub-processors in the United States on the basis of certification under the Swiss-U.S. Data Privacy Framework or standard contractual clauses recognized by the Federal Data Protection and Information Commissioner, with the adaptations required for transfers subject to Swiss law, as applicable.
Personal data processed in the United States is subject to U.S. jurisdiction, including lawful access by U.S. courts, law enforcement, or national security authorities.
Updates
We will provide 30 days notice of any new Sub-Processors via our website or email. Objections may be sent to privacy@dermi.ai.
If an objection is raised, Dermi will respond within 15 business days with information about the measures taken to address the concern. If the objection cannot be resolved to your reasonable satisfaction, you may terminate your subscription and receive a pro-rata refund for any prepaid, unused portion of the subscription term.
Need clarification?
Contact us if you have questions about this document