Procurement teams rarely accept "we use industry-standard vendors" as an answer. This page names the third parties that may process client data during a VitaCoreX engagement, their function, their jurisdiction, and the binding commitments in our standard Data Processing Addendum. Changes are notified in advance. Exhibit-form artifacts (named list, DPA text, SCCs where applicable) are sent to a named procurement contact under mutual NDA.
You're a procurement, security, or privacy reviewer doing vendor onboarding and you need a sub-processor list and DPA artifact you can file with the engagement. This page is meant to save a round of email ping-pong: almost every vendor question a reasonable procurement team asks is answered here, and what isn't is clearly marked as "on request."
Named vendors that may process client data in the course of delivering a VitaCoreX engagement. "May" because actual exposure depends on whether the engagement runs inside the operator's environment (common) or inside VitaCoreX-hosted tooling. Engagements that stay inside operator systems generally touch only the last two rows (email and billing) of this list.
| Vendor | Role | Data touched | Jurisdiction |
|---|---|---|---|
| Google Workspace Google LLC | Primary email, calendar, and document collaboration. Operator-facing correspondence and engagement coordination. | Email content, calendar metadata, shared documents when operator chooses Google Drive for transfer. | United States |
| AWS Amazon Web Services, Inc. | Hosting for VitaCoreX-operated tooling and the API layer that backs intake forms and workflow automation. | Intake form content, workflow metadata, structured engagement records. Not document storage for operator files by default. | United States (us-east-1) |
| Render Render Services, Inc. | Managed platform for the public API endpoint (vcx-api.onrender.com) that handles intake submissions and webhook routing. | Intake form submissions in transit. No document payloads. Data forwarded to CRM and durable storage within minutes. | United States |
| Stripe Stripe Payments Company | Payment processing for engagement invoicing. PCI DSS Level 1 service provider. | Billing contact name, email, and payment method metadata. VitaCoreX does not see or store raw card data — Stripe handles it directly. | United States |
| HubSpot HubSpot, Inc. | CRM and pipeline management for operator contacts, engagement status, and follow-up scheduling. | Operator contact details, engagement stage, correspondence metadata. No engagement document contents. | United States |
| DocuSign DocuSign, Inc. | Electronic signature for NDAs, engagement letters, and certificates of destruction. Used only when an operator requests e-sign. | Signer name, signer email, signed document, audit trail. Used for execution artifacts only, not for engagement working files. | United States |
| Cloudflare Cloudflare, Inc. | DNS, CDN, and edge protection for vitacorexllc.com and related subdomains. | Request metadata (IP address, user agent) for the marketing site. No form-submitted content routes through Cloudflare by default. | United States (global edge) |
| Google Analytics 4 Google LLC | Anonymized site traffic analytics for the public marketing pages only. | Page view events, referrer, device class. No personally identifying form data. IP anonymization enabled. | United States |
List current as of 2026-04-17. Sub-processor additions or substitutions that would affect operator data are notified in writing to the designated operator contact at least 30 days before the change takes effect. Exhibit-form list with DPAs attached is available on request under mutual NDA.
Our standard Data Processing Addendum binds VitaCoreX as the processor of operator-supplied data and commits us to the controls below. The DPA is available as a standalone artifact — we will sign the operator's preferred DPA template where it is reasonable, or the operator can countersign ours. Either path works.
Operator data is processed solely for the purpose of delivering the engagement scope as defined in the engagement letter. No secondary use, no training of third-party models on operator data, no enrichment against external databases without explicit written authorization.
Each sub-processor listed above is bound by its own DPA or equivalent contractual terms that require the same standard of care as VitaCoreX's DPA with the operator. Sub-processor additions are notified 30 days in advance; the operator may object, and if the objection cannot be resolved, either party may terminate the engagement without penalty.
TLS 1.2+ in transit, AES-256 at rest, role-based access with named users, MFA on all administrative accounts, activity logging for production access, encrypted backups with tested restore, and offboarding procedures for departing personnel that revoke access within one business day. See the Security & Compliance page for the full control inventory.
VitaCoreX notifies the operator without undue delay and in no case later than 72 hours of becoming aware of a personal data breach involving operator data. Notification includes scope of data affected, systems affected, initial containment actions, and a named point of contact for the remediation thread. See the incident-response posture in the Security & Compliance page for the full timeline.
VitaCoreX provides reasonable assistance to the operator in responding to data-subject access, deletion, or correction requests, including producing a list of data the operator has shared with us and deleting it on operator instruction. We do not respond to data subjects directly — the operator remains the controller of record.
Default retention is engagement duration plus 90 days, unless the operator requests extended retention in writing. Certificates of destruction are issued on completion and list what was destroyed and the method used. Operator-environment engagements require no destruction action on our side — our access is revoked at close. Full matrix is on the Security & Compliance page.
The operator may audit VitaCoreX's controls under reasonable notice (30 days) and at the operator's cost, no more than once per 12 months absent a specific triggering event. In lieu of a direct audit, VitaCoreX will respond to standardized questionnaires (SIG, CAIQ, or operator-specific) within five business days of receipt under NDA.
All sub-processors listed above are US-based. Operator data does not cross a US border as part of a VitaCoreX engagement unless the operator explicitly directs it (for example, by invoking a non-US contact during the engagement). Where SCCs or equivalent transfer mechanisms become relevant, they are attached to the DPA as an exhibit.
VitaCoreX is not a covered entity under HIPAA, not a collector under the FDCPA, not a consumer reporting agency under the FCRA, and not a law firm. Where an engagement touches regulated data (healthcare, financial, consumer credit), VitaCoreX operates under a Business Associate Agreement, information-disclosure boundary, or operator-side compliance umbrella as appropriate. See Security & Compliance, Section 5 for the full boundary map.
Procurement teams rightly want to know what happens when our vendor list changes — that's when most DPA obligations get tested. Our standing commitment:
Addition or substitution of a sub-processor that processes operator data: written notice to the named operator contact at least 30 days before the new vendor begins processing. Notice includes vendor name, role, jurisdiction, DPA status, and a one-paragraph reason for the change.
Operator objection window: 15 days from notice. If the operator objects and the objection cannot be resolved within a further 15 days (for example, by scoping the engagement around the new vendor), either party may terminate the affected engagement without penalty. Pro-rata refund applies for prepaid work not yet delivered.
Emergency substitutions (vendor failure, sudden security event): VitaCoreX may substitute a sub-processor without the 30-day window when waiting would expose operator data to greater risk than the substitution itself. In that case, notice is sent within 5 business days and the operator retains the same objection and termination rights.
The following are real artifacts we send to a named procurement contact under mutual NDA. Typical response is one to three business days.
