Last Updated: April 13, 2026
This page lists the third-party vendors ("subprocessors") that Wren Clinical LLC uses in connection with the Wren Clinical platform. It identifies each vendor's role, the data they may access, and their HIPAA Business Associate Agreement (BAA) status.
Role: Cloud infrastructure — AI processing via AWS Bedrock (routing requests to Anthropic's Claude models), compute (Lambda), file storage (S3), database (DynamoDB), event scheduling (EventBridge), and email delivery (SES).
Data Accessed: Protected Health Information (PHI), including session transcripts, chat content, and saved clinical documents, processed transiently through Bedrock and stored in S3 and DynamoDB.
BAA Status: BAA executed. AWS is covered under a signed HIPAA Business Associate Agreement. Under this agreement, neither AWS nor Anthropic retains data processed through Bedrock, and neither uses that data to train AI models.
Role: Speech-to-text transcription of session audio captured through the Wren web app's in-app recorder or the Wren Recorder browser extension. Uses the Universal-2 model with speaker diarization.
Data Accessed: Session audio and resulting transcripts, transmitted over TLS. Audio is transmitted to AssemblyAI only during transcription and deleted immediately from AssemblyAI's systems upon successful transcription. The generated transcript is deleted immediately from AssemblyAI's systems once is is uploaded to Wren Clinical.
BAA Status: BAA executed. AssemblyAI is covered under a signed HIPAA Business Associate Agreement. Under this agreement, AssemblyAI does not retain audio or transcripts after transcription completes and does not use Customer Data to train AI models.
Role: Subscription billing, embedded checkout, customer portal, and recurring payment processing.
Data Accessed: Billing information only — name, email, practice name, and payment method (stored and tokenized by Stripe). Wren Clinical also stores Stripe customer and subscription identifiers, billing period dates, and subscription status in its own systems for billing reconciliation. No clinical content, session data, Client information, or other PHI is transmitted to Stripe.
BAA Status: Not required. Stripe does not process PHI. Stripe does not offer a HIPAA BAA; Wren Clinical has documented that PHI does not flow through Stripe in any form.
Role: Frontend hosting and delivery of the Wren Clinical web application at app.wrenclinical.com.
Data Accessed: Non-PHI only. Vercel serves static assets and client-side JavaScript. All PHI flows directly from the user's browser to Wren Clinical's AWS Lambda infrastructure and does not transit Vercel's server-side infrastructure.
BAA Status: Not required. Vercel does not create, receive, maintain, or transmit PHI in connection with the Wren Clinical platform.
Role: Authentication and identity management. Clerk manages user login, session tokens, and multi-tenant organization structures.
Data Accessed: Therapist identity data only — name, email address, practice name, and authentication tokens. Clerk does not access Client information, session audio, transcripts, clinical notes, or any PHI.
BAA Status: Not required. Clerk stores only therapist authentication data with no client linkage.
Wren Clinical may update this list at any time by posting a revised version at wrenclinical.com/legal/subprocessors. For material changes involving subprocessors that process PHI, Wren Clinical will provide at least 30 days' notice by email to the address associated with your account. Non-material changes such as clarifications or corrections take effect upon posting.