Vendor graph

Single-owner rule

Every vendor has exactly one canonical service that owns the integration. Other services call that service via SDK; they don’t call the vendor directly.

This rule:

  • Centralizes credential management (one SST Secret per vendor, in the owning service’s namespace)
  • Centralizes circuit breakers + retries
  • Makes vendor outages observable from one place
  • Keeps vendor-API surface knowledge in one team

What goes wrong without this rule

  • Two services both holding Stripe API keys → key rotation becomes a synchronized dance
  • Multiple circuit breakers around the same vendor → no shared state, useless under load
  • Vendor outage debugging requires checking every consumer

BAA scope

Vendors that hold PHI (under HIPAA’s definition):

  • WorkOS — BAA signed
  • AWS (Aurora, S3, CloudWatch) — BAA signed
  • Postmark — BAA signed for clinical email
  • Twilio — partial (depending on message content)
  • Stripe — NOT BAA; payment metadata is limited to non-PHI

For non-PHI vendors (OpenAI, Anthropic, Recharge, BigCommerce) we don’t send PHI through them.
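As an added example (not the project's own code), the single-owner rule and the BAA scope above expressed as a policy-as-code check over a hand-written vendor graph. The service names and the credential-binding map are constructed; the BAA statuses are the ones listed on this page, with "partial" treated conservatively as not cleared for PHI.

```typescript
type Baa = "signed" | "partial" | "none";
interface Vendor { owner: string; baa: Baa }

// Constructed vendor graph: service names are hypothetical, BAA status from this page.
const vendorGraph: Record<string, Vendor> = {
  workos:   { owner: "auth-svc",    baa: "signed" },
  postmark: { owner: "notify-svc",  baa: "signed" },
  twilio:   { owner: "notify-svc",  baa: "partial" },
  stripe:   { owner: "billing-svc", baa: "none" },
};

// Which services bind which vendor credentials (constructed; in practice this
// would be derived from each service's SST Secret bindings or SDK imports).
const credentialRefs: Record<string, string[]> = {
  "auth-svc":    ["workos"],
  "notify-svc":  ["postmark", "twilio"],
  "billing-svc": ["stripe"],
  "orders-svc":  ["stripe"], // violation: should go through billing-svc's SDK instead
};

// Single-owner rule: a service may hold a vendor's credentials only if it owns
// that vendor's integration. Returns one message per violation found.
function singleOwnerViolations(
  graph: Record<string, Vendor>,
  refs: Record<string, string[]>,
): string[] {
  const violations: string[] = [];
  for (const [service, vendors] of Object.entries(refs)) {
    for (const vendor of vendors) {
      const entry = graph[vendor];
      if (entry === undefined) {
        violations.push(`${service}: references vendor "${vendor}" with no canonical owner`);
      } else if (entry.owner !== service) {
        violations.push(`${service}: holds ${vendor} credentials, but ${entry.owner} owns it`);
      }
    }
  }
  return violations;
}

// BAA scope: PHI may only be routed to a vendor with a signed BAA. A "partial"
// vendor is treated like "none" for PHI (assumption: deny unless the caller has
// classified the content as non-PHI). Unknown vendors are denied outright.
function mayRoute(vendor: string, containsPhi: boolean, graph = vendorGraph): boolean {
  const entry = graph[vendor];
  if (entry === undefined) return false;
  return !containsPhi || entry.baa === "signed";
}
```

Run `singleOwnerViolations` in CI against the real binding map so a second service acquiring a vendor key fails the build instead of surfacing at the next key rotation.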