Vendor graph
Single-owner rule
Every vendor has exactly one canonical service that owns the integration. Other services call that service via SDK; they don’t call the vendor directly.
This rule:
- Centralizes credential management (one SST Secret per vendor, in the owning service’s namespace)
- Centralizes circuit breakers + retries
- Makes vendor outages observable from one place
- Keeps vendor-API surface knowledge in one team
What goes wrong without this rule
- Two services both holding Stripe API keys → key rotation becomes a synchronized dance
- Multiple circuit breakers around the same vendor → no shared state, useless under load
- Vendor outage debugging requires checking every consumer
BAA scope
Vendors that hold PHI (under HIPAA’s definition):
- WorkOS — BAA signed
- AWS (Aurora, S3, CloudWatch) — BAA signed
- Postmark — BAA signed for clinical email
- Twilio — partial (depending on message content)
- Stripe — NOT BAA; payment metadata is limited to non-PHI
Non-PHI vendors (OpenAI, Anthropic, Recharge, BigCommerce) are outside BAA scope: we don’t send PHI through them.
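A policy-as-code check covering both the single-owner rule and the BAA scope above, added here as an example rather than the project's own tooling. Vendor names are the page's; the service names, secret names and the declaration schema are assumptions.

```python
# Vendor-graph lint (added example, not the project's own tooling).
# Rules checked: exactly one owner per vendor; only the owner's namespace
# holds the vendor's SST Secret; only the owner calls the vendor directly;
# PHI goes only to vendors with a signed BAA ("partial" counts as not signed).
from collections import defaultdict
# Constructed declaration: vendor -> owning services and BAA status.
VENDORS = {
    "stripe":   {"owners": ["billing-svc"], "baa": "none"},
    "postmark": {"owners": ["notify-svc"], "baa": "signed"},
    "twilio":   {"owners": ["notify-svc", "intake-svc"], "baa": "partial"},
    "openai":   {"owners": ["assist-svc"], "baa": "none"},
}
# Constructed: SST Secret names per service namespace, and secret -> vendor.
SECRETS = {
    "billing-svc": ["STRIPE_API_KEY"],
    "reports-svc": ["STRIPE_API_KEY"],  # second holder of the Stripe key
    "notify-svc": ["POSTMARK_TOKEN"],
}
SECRET_VENDOR = {"STRIPE_API_KEY": "stripe", "POSTMARK_TOKEN": "postmark"}
# Constructed direct vendor calls: (calling service, vendor, carries_phi).
CALLS = [
    ("notify-svc", "postmark", True),
    ("assist-svc", "openai", True),     # PHI to a vendor with no BAA
    ("reports-svc", "stripe", False),   # non-owner calling the vendor directly
]

def lint(vendors, secrets, secret_vendor, calls):
    """Return sorted rule violations; an empty list means the graph is clean."""
    findings = []
    holders = defaultdict(set)  # vendor -> services holding its secret
    for svc, names in secrets.items():
        for name in names:
            holders[secret_vendor[name]].add(svc)
    for vendor, meta in vendors.items():
        owners = set(meta["owners"])
        if len(owners) != 1:
            findings.append(f"{vendor}: expected one owner, got {sorted(owners)}")
        for svc in sorted(holders[vendor] - owners):
            findings.append(f"{vendor}: secret held outside owner namespace by {svc}")
    for svc, vendor, phi in calls:
        meta = vendors.get(vendor)
        if meta is None:
            findings.append(f"{vendor}: undeclared vendor called by {svc}")
            continue
        if svc not in meta["owners"]:
            findings.append(f"{vendor}: {svc} calls the vendor directly, not via the owner")
        if phi and meta["baa"] != "signed":
            findings.append(f"{vendor}: PHI sent by {svc} but BAA status is {meta['baa']}")
    return sorted(findings)
```

Run it against the real vendor declaration in CI so a second holder of a vendor key or a PHI flow to a non-BAA vendor fails the build before it reaches production.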