Skip to content

IT and security teams

IT allowlist for HCC Buddy

Some healthcare work networks block new SaaS tools, hosted checkout pages, analytics domains, or browser extensions by default. If HCC Buddy loads at home but not at work, this page gives your IT team the domains they may need to allow.

Required for core use

Web app

  • https://hccbuddy.com

Main website, login, pricing, account, and web app pages.

API

  • https://api.hccbuddy.com

HCC Buddy API for lookup, account, subscription, and extension requests.

Billing

  • https://checkout.stripe.com
  • https://billing.stripe.com

Hosted Stripe Checkout and customer billing portal. HCC Buddy does not collect card numbers directly.

Fonts

  • https://fonts.googleapis.com
  • https://fonts.gstatic.com

Web fonts used by the site. The site still loads if these are blocked, just with fallback fonts.

Chrome extension install

  • https://chromewebstore.google.com

Required only if your organization installs extensions from the Chrome Web Store.

Bot protection

  • https://challenges.cloudflare.com

Bot protection on signup (Cloudflare Turnstile). Required to complete account registration.

Optional services

Analytics and diagnostics

  • https://www.googletagmanager.com
  • https://www.google-analytics.com
  • https://*.google-analytics.com
  • https://www.google.com
  • https://va.vercel-scripts.com
  • https://vitals.vercel-insights.com

Used for product analytics and performance diagnostics. The core app should continue to work if these are blocked.

Academy video

  • https://stream.mux.com
  • https://image.mux.com

Required only for HCC Buddy Academy video playback and thumbnails.

Chrome extension permissions

The HCC Buddy Chrome extension uses Manifest V3 and connects only to https://api.hccbuddy.com. It does not request browsing history permission or broad all-site host access. Selected text is sent to HCC Buddy only when a user chooses a HCC Buddy action from the extension.

HCC Buddy is designed for deidentified coding workflows. Do not enter patient names, member IDs, SSNs, MBIs, dates of birth, or other PHI.