Omi Scribe Cloud — Sub‑processors
Version: 1.6
Last updated: 14 May 2026
Provider: Omi Health B.V., Eindhoven, Netherlands
Contact: [email protected]
This page lists the sub‑processors used by Omi Health B.V. to provide Omi Scribe Cloud (Managed).
We will update this page when sub‑processors are added or changed. Customers with a DPA may subscribe to change notifications by emailing [email protected].
> Note: This list is for the managed cloud product. For customer‑managed / self‑hosted deployments, the Customer selects and controls its own infrastructure and providers; the sub‑processor list below does not apply.
The cloud Service is delivered as a single deployment in Azure Sweden Central (EU). Customer Content from all geographies is processed in the EU. Customers requiring local data residency use Omi Scribe for Mac (on‑device) or customer‑managed self‑hosted deployment.
1. Current sub‑processors (EU cloud)
| Sub‑processor (legal entity) | Service | Purpose | Data processed | Location |
|---|---|---|---|---|
| Microsoft Corporation | Microsoft Azure (compute, networking) | Hosting and operation of the Service | Customer Content and Service Data | Sweden Central (EU) |
| Microsoft Corporation | Azure Database for PostgreSQL | Primary database for sessions, transcripts, notes, audit logs, and usage | Customer Content and Service Data | Sweden Central (EU) |
| Microsoft Corporation | Azure Blob Storage | Storage of audio recordings (where enabled) | Customer Content | Sweden Central (EU) |
| Microsoft Corporation | Azure Key Vault | Secrets management | Service secrets (not Customer Content) | Sweden Central (EU) |
| Microsoft Corporation | Azure GPU VM | AI processing (in‑region) | Customer Content | Sweden Central (EU) |
| Microsoft Corporation | Azure AI Foundry (EU Data Zone Standard) | AI processing (in‑region) | Customer Content | Sweden Central (EU data zone) |
| Microsoft Corporation | Azure Communication Services (Email) | Transactional email delivery (account verification, password reset) | Service Data (recipient email address, message metadata; no clinical content) | Europe (EU) |
Notes on Microsoft AI services
- Azure AI Foundry operates under Microsoft enterprise data protection terms (https://aka.ms/DPA) and does not use customer data for model training.
- The "Data Zone Standard" deployment type keeps AI processing within the EU data zone.
Cross‑border safeguards for non‑EU Customers
For Customers established outside the EU, processing of Customer Content in the EU cloud is treated as a cross‑border situation. The following safeguards apply by default: UK government adequacy / UK IDTA / UK Addendum to the EU SCCs (UK Customers); EU Standard Contractual Clauses and (where applicable through Microsoft's certification) the EU‑US Data Privacy Framework (US Customers); Microsoft Online Services DPA commitments and APP 8 / NZ IPP 12 contractual safeguards (AU / NZ Customers). See the region‑specific Privacy Addenda for full detail.
2. Customer‑controlled integrations (not sub‑processors)
The following are typically not sub‑processors because they are selected and controlled by the Customer, and they do not process Customer Content on Omi Health’s behalf:
- Identity providers (SSO) configured by the Customer (e.g., Microsoft Entra ID / Azure AD, Google Workspace / Google Identity)
- The Customer’s EHR/EMR, storage, or internal systems connected via integration/export
- Customer-provided model endpoints (if the Customer configures the Service to call them)
These providers may receive limited user authentication data or exported content under the Customer’s own terms and policies.
3. Changes and objections
When we add or replace a sub‑processor that will process Customer Content or Service Data on our behalf, we will:
1. Update this page at least 30 days before the new sub‑processor begins processing data (unless legally required to do so sooner). (Note: the Dutch Healthcare Addendum extends this to 3 months for customers who have signed that addendum.)
2. Notify Customers who have subscribed to sub‑processor change notifications.
3. Where a DPA applies, allow Customers to object within the timeframe set out in the DPA.
4. Contact
Questions about sub‑processors: [email protected]