Other ways to sign in
Last reviewed: 2026-06-16
MedLegal101 engages the third-party services listed below to provide our platform. Each entry shows what the service does, where it processes data, what category of data it can access, and a link to its privacy policy.
We give firm-tenant administrators at least 30 days' advance notice before adding a new sub-processor or materially changing an existing sub-processor's scope. See our Privacy Policy for the full data-handling overview.
| Sub-processor | Purpose | Region | Data access | HIPAA BAA | Privacy policy |
|---|---|---|---|---|---|
| Amazon Web Services | Cloud infrastructure: compute, managed database, cache, object storage, load balancing, secrets, logging, and container registry. All HIPAA-eligible AWS services. | United States (us-east-1) | Customer data | ✓ Signed | View policy |
| Google Cloud (Vertex AI / Gemini) | AI processing for case-summary generation, demand-letter drafting, document classification, and intake triage. HIPAA BAA signed 2026-03-16. Data not retained for model training. | United States | Customer data | ✓ Signed | View policy |
| Metrobank / Cobalt | Payment processing for client invoicing and platform subscriptions. Currently sandbox-only; production cutover pending. | United States | Customer data | Not applicable | View policy |
| Retell AI | Voice calls + SMS for client intake and follow-up. HIPAA-compliant, BAA in place. Supports 31+ languages. | United States | Customer data | ✓ Signed | View policy |
| RingCentral | Inbound and outbound fax for medical records and legal filings. HIPAA BAA in place. | United States | Customer data | ✓ Signed | View policy |
| SendGrid (Twilio) | Transactional email delivery for password resets, notifications, case updates, and DSAR responses. | United States | Operational | Not applicable | View policy |
| Twilio | SMS delivery for two-factor authentication codes only. Being phased out in favor of Retell AI for non-auth SMS. | United States | Operational | Not applicable | View policy |
| Vimeo | Hosting for educational and training videos used inside the platform. | United States | Public data only | — | View policy |
| CourtListener (Free Law Project) | Read-only ingestion of public case law and court opinions. Public-domain data only; no customer data sent to vendor. | United States | Public data only | — | View policy |
| OpenStates | Read-only ingestion of state legislative bills and statutes. Public-domain data only; no customer data sent to vendor. | United States | Public data only | — | View policy |
| Apify | Proxy-based web scraping of public state-legislature sites that block direct AWS egress. Public data only; no customer data sent. | European Union (Czech Republic) | Public data only | — | View policy |
Electronic signature is handled by a self-hosted DocuSeal instance running on MedLegal101's own infrastructure (esign.medlegal101.com); it is not a third-party sub-processor.
Enterprise customers and firm-tenant administrators can request to be notified by email whenever this page changes. Email media@medlegal101.com to subscribe. You will receive at least 30 days' notice before any change takes effect.
This list is maintained as part of our GDPR Article 28 sub-processor obligations and is reviewed at every quarterly compliance cycle. Material changes are communicated to firm-tenant administrators via our 30-day advance-notice process.