The third parties we work with

About This List

SRS Web Solutions, Inc. (“SRS,” “we”) maintains this Sub-Processor List to give our customers, prospects, and the public a clear, current view of the third parties we use. We update this list when we add, replace, or remove a sub-processor.

This document is published as a companion to our Privacy Policy and Cookie Policy, which describe what personal information we collect, how we use it, and your privacy rights. Capitalized terms not defined here have the meanings given in the Privacy Policy.

Two scoping points to keep in mind as you read:

• This list covers our marketing and website operations — the data flows that arise when someone visits one of our websites, requests a demo, applies for a job, or otherwise interacts with us as a prospect.
• It does not cover the third parties that handle Customer Data inside our products. Those are listed in the BAA Schedule we provide to each customer and updated under the BAA notification process. See Section 4.

How We Use Sub-Processors

We use sub-processors only where doing so is necessary to operate our business. Each sub-processor is selected through our vendor-review process, contractually bound to confidentiality and data-protection obligations appropriate to the data they handle, and limited to processing data for the purposes we direct.

2.1 What sub-processors can and cannot do

• Can: process the data we send them strictly to deliver the contracted service to SRS (for example, sending a demo confirmation email, generating analytics reports, recording a cookie preference).
• Cannot, except as expressly permitted under contract or as disclosed in our Privacy Policy and Cookie Policy: use that data for their own marketing, sell it, share it with other clients, or combine it with information from other sources to identify individuals.

2.2 Cross-context behavioral advertising sub-processors

A small number of our sub-processors—currently Meta Platforms, Inc. (Meta Pixel) and HubSpot, Inc.—may use the data we send them in ways that constitute “sharing” for cross-context behavioral advertising under California and similar state privacy laws. These are clearly identified in Section 3, and California residents and other consumers with applicable rights may opt out through the methods described in our Privacy Policy and Cookie Policy, including by clicking “Do Not Sell or Share My Personal Information” in the footer of mconsent.net or caretap.net.

2.3 Hosting regions

Most of our sub-processors are U.S.-based companies that process data on servers located in the United States. Several (Google, Microsoft, Meta, HubSpot, Zoho) operate globally and may process data on servers located in other regions of the United States or, in limited cases, abroad. SRS itself is a U.S. company, and our marketing websites are intended for use in the United States.

Marketing & Website Sub-Processors

The current sub-processors handling website-visitor and marketing data are listed below, organized by function. The deployment status indicates which of our domains each provider is currently active on. Each card links to the provider’s privacy policy so you can review their practices directly.

Customer Data Sub-Processors

The categories of Customer Data sub-processors we engage include:

• Cloud infrastructure and hosting — the cloud platforms on which our production environments operate, encrypted at rest and in transit, with role-based access controls.
• Database and storage — managed database and object-storage services that hold Customer Data within our production environment.
• Email and SMS delivery — transactional and customer-directed messaging that the customer enables through the Services (for example, appointment reminders, intake-form invitations).
• Payment processing — PCI-DSS-validated payment processor used by mPayr to handle card and ACH transactions. SRS does not store full primary account numbers (PANs).
• AI and speech services — the AI providers underlying Zaha AI’s automated speech recognition, natural language understanding, and large language model components, used only on Customer Data under the direction of the practice customer.
• E-prescribe — iCoreConnect, Inc. provides the underlying e-prescribing platform that mConsent’s E-prescribe feature integrates with. iCoreConnect is responsible for compliance with federal and state e-prescribing regulations, including DEA EPCS where applicable.
• EVV aggregator integrations — for Caretap, the state Medicaid program’s designated EVV aggregator or system of record receives EVV data under section 12006 of the 21st Century Cures Act, only at the customer’s direction.
• Customer-success and support tooling — ticketing, knowledge base, and customer-communications platforms used by SRS support staff.

4.1 How customers obtain the full list

The current, named Customer Data sub-processor list is maintained as a schedule to each customer’s Business Associate Agreement and Services Agreement. Existing customers can request the current list at any time by contacting privacy@srswebsolutions.com. Prospective customers conducting due diligence may request the list under a mutual non-disclosure agreement.

4.2 BAA-governed change notifications

Material changes to the Customer Data sub-processor schedule (for example, adding a new sub-processor that will handle PHI) are communicated to existing customers through the BAA’s change-notification process, with reasonable advance notice and, where applicable, an opportunity to object.

Onboarding & Removal

5.1 Onboarding a new sub-processor

Before SRS engages a new sub-processor that will handle personal information, we conduct a vendor review proportionate to the sensitivity of the data and the role of the vendor. The review typically covers:

• the vendor’s privacy and security posture (including SOC 2, ISO 27001, HIPAA, or other certifications, where relevant);
• the vendor’s contractual data-protection commitments, including any data-processing addendum or Business Associate Agreement;
• the data categories that will be processed, the purpose, and the geographic scope of processing; and
• the operational fit and our ability to oversee, monitor, and terminate the engagement.

5.2 Removing a sub-processor

When we remove a sub-processor (for example, because we are migrating to a different vendor or because a service is being decommissioned), we:

• terminate or wind down the data flow to that vendor;
• request return or deletion of any data the vendor still holds, in accordance with the contract;
• update this list and the Privacy Policy to reflect the removal; and
• retain a record of the removal in our internal vendor register.

Notification of Changes

We update this Sub-Processor List when we add, replace, or remove a sub-processor in scope. The mechanism for notifying you depends on whether you are a customer or a member of the public.

6.1 For customers

For customers under an executed Master Services Agreement and Business Associate Agreement, material changes to the Customer Data sub-processor schedule are communicated through the BAA’s change-notification process, as described in Section 4.2. Material changes to the marketing/website sub-processors listed in Section 3 are communicated through updates to this list and the Privacy Policy.

6.2 For visitors and prospects

The most current version of this list is always available at srswebsolutions.com/sub-processors. Changes are reflected in the “Last Updated” date at the top, in the Recent Changes log in Section 7, and in the version number.

Recent Changes

The log below tracks material changes to this Sub-Processor List. The most recent change is at the top.

Contact

For questions about this Sub-Processor List, to request the Customer Data sub-processor schedule, or to subscribe to update notifications, contact us using any of the channels below.

Mailing Address

SRS Web Solutions, Inc.
Attn: Privacy Contact
6885 139th LN NW, Suite 100
Ramsey, MN 55303
United States