SEHTAK SUB-PROCESSORS
Last updated: 2026-05-21 (reconciled to the B.3 cloud decision: du Cloud + Moro Hub replace OCI Abu Dhabi as the primary PHI cloud).
This list is published at sehtak.ae/legal/sub-processors. It identifies the third parties that process personal data on Sehtak's behalf when we deliver the Sehtak platform to clinics, pharmacies, and patients.
Under PDPL Article 26 and our customer Data Processing Agreements (DPAs), we will give at least 30 days' advance notice of any addition or removal of a sub-processor.
How to read this list
- Tier 1 processors touch PHI (Protected Health Information). All Tier 1 processors host data within UAE infrastructure where technically possible.
- Tier 2 processors process only operational metadata (no PHI) — billing, support, analytics, error tracking.
- Tier 3 processors are optional integrations enabled per-customer (Entrust IDV — formerly Onfido — for identity verification, ElevenLabs for AI receptionist, etc.).
Tier 1 — PHI processors (UAE-resident)
| Processor | Service | Data location | Purpose |
|---|---|---|---|
| Moro Hub (Digital DEWA) | PHI database (Postgres) + Blob/object storage for patient files | UAE — Dubai (Moro Tier-III sovereign cloud) | Hosts all clinical records, prescriptions, lab files, and telehealth recordings (when consented). |
| du Cloud | Compute, Redis, GPU (vLLM Qwen 72B + Whisper) for AI Scribe, self-hosted LiveKit for telehealth real-time media | UAE | API + non-PHI data stores. AI inference runs entirely on UAE-resident GPU; no cloud LLM endpoint. |
| Self-hosted PostHog | Product analytics | UAE (du Cloud) | User behaviour analytics. Self-hosted so no data leaves UAE. |
Tier 1 — PHI-adjacent (note routing constraints)
| Processor | Service | Data location | Purpose & residency notes |
|---|---|---|---|
| Unifonic (UAE office, Riyadh HQ) | WhatsApp Business API | KSA / UAE regional infra; ISO 27001/27017/27018, SOC 2 II | Outbound WhatsApp messages. Message metadata routes via Etisalat. No clinical content is sent in the message body — only appointment time, doctor name, payment link. Replacing Twilio per PDPL audit 2026-05-14. |
| Twilio (US) | SMS (UAE alphanumeric sender SEHTAK) and Voice | Twilio US infra, terminates via UAE telcos | Outbound SMS and inbound/outbound voice. No PHI in SMS body — only short transactional content. Voice calls are transient (not recorded by Twilio). |
Tier 2 — Operational processors (no PHI in payload)
| Processor | Service | Data location | Purpose |
|---|---|---|---|
| Resend (US/EU) | Transactional email | EU/US infra | Email notifications. No PHI in email body — clinic name + appointment time only. |
| Tap Payments (UAE) | Payment processor (primary) | UAE | Subscription billing, patient payment links. No PHI sent — billing email + amount + invoice reference. |
| Mamo Pay (UAE) | Payment processor (secondary) | UAE | As above. Optional per-facility. |
| Sentry (US) — to migrate to self-hosted GlitchTip in Phase 3 | Error tracking | US | Application error tracking. PII scrubbing is aggressively configured — no patient identifiers in error reports. |
| GitHub (US) | Source-code hosting (no PHI) | US | Source code only. No customer data. |
Tier 3 — Optional integrations (per-customer or per-feature)
| Processor | Service | Data location | Purpose |
|---|---|---|---|
| Entrust IDV — Onfido Ltd (UK), an Entrust company | Identity verification: Emirates ID for UAE residents and passport for non-residents, plus liveness face match in both flows | UK (UK GDPR adequacy framework) | Enabled when a user verifies identity via document + selfie. Document scan and face image are deleted after 30 days. UAE residents may alternatively use UAE Pass SOP3 (no data ever reaches Entrust IDV when UAE Pass is used). |
| ElevenLabs (US) | AI receptionist voice synthesis | US | Outbound clinic receptionist calls. No patient-history-aware calls route through ElevenLabs in Phase 1 — only generic appointment reminders + FAQ. Re-evaluated when a UAE-resident TTS alternative is available. |
| Daily.co (US) | Legacy telehealth video — being deprecated | Daily.co global infra | NOT USED IN PRODUCTION as of 2026-05-14. Retained for internal smoke testing only until self-hosted LiveKit migration completes. |
| NABIDH / Malaffi / Riayati (UAE government HIE) | Health Information Exchange | UAE (UAE government infra) | HIE message submission for facilities that have completed per-facility SIT and (for Malaffi/Riayati) where the patient has provided explicit opt-in consent. NABIDH operates on an opt-out basis for Dubai. |
| DHPO eClaimLink / Shafafiya (UAE government) | Insurance eClaim submission | UAE (UAE government infra) | Enabled per-facility for clinics and pharmacies with DHPO/Shafafiya registration. |
| UAE Pass (UAE government) | Digital identity authentication | UAE (UAE government infra) | OIDC SSO for UAE residents. Strict SOP3 verification required for clinical-data access. |
| Meta WhatsApp Business (US — global Meta infra) | Underlying WhatsApp messaging protocol | Meta global infra (US-routed metadata) | Unifonic and Twilio both route message metadata through Meta. To mitigate this, no clinical content is sent in the WhatsApp message body. Long-term plan: Meta On-Premise BSP or wait for Meta UAE Local Storage region. |
Internal sub-processing controls
- Encryption. PHI is AES-256-GCM encrypted at rest. All sub-processor connections use TLS 1.3.
- DPAs in place. Every sub-processor listed above has a written Data Processing Agreement with Sehtak.
- Sub-processor change procedure. Material changes (adding a new sub-processor, removing one, or changing the data category they handle) are notified in-app to clinic and pharmacy admins, by email to designated DPOs, and through this public page, at least 30 days before the change takes effect.
- Right to object. Customers (clinics and pharmacies) may object to a new sub-processor for legitimate data-protection reasons. If the objection is unresolved within 30 days, the customer may terminate without penalty.
Contact
Questions about sub-processors: privacy@sehtak.ae or dpo@sehtak.ae.