Lumen Notes
Subprocessors
Effective date: June 12, 2026
These are the third parties we use to provide Lumen Notes. Every subprocessor that touches protected health information is bound by a Business Associate Agreement or equivalent data-protection terms, and none may use customer content to train models. We notify account holders by email at least 14 days before adding or replacing a subprocessor that processes client data (see the DPA).
| Subprocessor | Purpose | Region | Handles PHI? |
|---|---|---|---|
| Vercel | Application and website hosting; edge network and CDN. | United States (global edge for static marketing pages) | Transits app infrastructure; protected by BAA-equivalent terms |
| Neon | Primary Postgres database — notes, client records, workspace data. | United States (AWS us-east) | Yes — stored encrypted at rest |
| Deepgram | Speech-to-text transcription of session audio. | United States | Yes — transient processing only; no retention, no training on our data |
| OpenAI | AI drafting of structured notes from transcripts. | United States | Yes — API processing with zero data retention; no training on our data |
| Polar | Merchant of record — checkout, subscriptions, invoicing, tax. | United States / European Union | No — billing data only, never client data |
| Resend | Transactional email (sign-in, receipts, account notices). | United States | No — account email only, never client data |
What "no training on your data" means here
Transcription and drafting requests are sent to Deepgram and OpenAI under API terms with zero data retention and an explicit prohibition on using the content to train or improve models. Audio and transcripts exist with these providers only for the seconds it takes to process the request.
Change notifications
To receive subprocessor-change notices at an additional address (e.g., your compliance officer), email support@lumen.1labs.app.