Legal
Subprocessor List
The third-party services Sora LLC uses to deliver its platforms, and what each one handles.
How this list is maintained. This page is the live subprocessor list referenced in Sora LLC's Business Associate Agreement. The version current at the time a BAA is signed is captured as a snapshot in that agreement's exhibit; this page reflects the present state. Material changes are communicated to clients with advance notice as set out in the BAA.
Confirm two entries before publishing: (1) Unify — verify whether it handles PHI directly or only stores credentials to PHI-bearing systems, which changes how it must be described and classified. (2) Anthropic — confirm it appears via the AWS Bedrock subprocessor chain with no direct BAA, consistent with the PPO Genius pattern. Also confirm the "advance notice" period stated here matches the BAA (drafts reference a 30-day notice approach pending counsel confirmation).
Current subprocessors
| Subprocessor | Function | Data handled | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, database, and AI model hosting (Bedrock) | Hosts PHI | United States |
| Kolla | Practice-management-system integration (Open Dental, Dentrix server, Eaglesoft) | Processes PHI in transit | [CONFIRM] |
| Stedi | Electronic remittance advice (ERA) delivery | Processes PHI in transit | [CONFIRM] |
| Unify | Credential vault for system logins | [CONFIRM: credentials only, or PHI] | [CONFIRM] |
| Anthropic | AI document and EOB extraction, accessed through AWS Bedrock | Processes PHI in transit (via Bedrock; no direct BAA) | United States |
Anticipated future subprocessors
The following are not yet in use. They are listed for transparency and will move into the table above, with notice, if and when they are activated.
| Subprocessor | Function | Activates when |
|---|---|---|
| Twilio | Patient communications | Patient billing service ships |
| Team Care / UNIO | Practice-management-system integration (platform path) | Team Care integration activated |
| Plaid | Bank reconciliation (source-of-truth, tokenized — no stored bank credential) | Plaid relationship signed |
Changes to this list
Sora LLC reviews this list as its services change. When a subprocessor that handles PHI is added or replaced, affected clients are notified in advance per the terms of their Business Associate Agreement, and may exercise any objection rights set out there.