Sub-processors
When providing software services to you, for the patient data you enter within the platform, you are the Data Controller and we are the Data Processor.
To deliver our service, there are occasions where we use sub-contractors (known as sub-processors). Sub-processors may potentially have access to or process personal data of patients you've interacted with when using the Hero platform.
This page sets out the Sub-processors we use, for what function/s we use them, and how they help us to deliver our services.
Please note, this webpage should not be taken as a binding agreement. The information provided here is to illustrate our engagement process for sub-processors and the actual list of third party sub-processors.
Selecting our sub-processors
We evaluate the security practices of our Sub-processors that will or may process Personal Data to ensure they have acceptable security, privacy and confidentiality practices.
Our Sub-processor contracts ensure that Sub-processors will:
Implement and maintain technical and organisational measures to protect Personal Data
Provide regular training in security and data protection to personnel to whom they grant access to Personal Data
Promptly inform us about any actual or potential security breach
Co-operate with us to respond to requests from data controllers, data subjects or data protection authorities on your instructions
Updating our sub-processors
From time to time we may update or add suppliers to our list of sub-processors. As per the DPA, we will give you 14 days notice for you to object to your Personal Data being processed by the proposed changes to our sub-processors list.
Our standard sub-processors (last updated 11th October 2024)
The list of sub-processors we engage to help us deliver services to NHS and private providers. We may process patient identifiable data through these providers:
Sub-processor | Purpose of Processing Personal Data | Server Geography | Applicable Features |
Amazon Web Services, Inc. | Cloud hosting | UK | Entire app |
FireText Communications Ltd | Clinician to patient SMS | UK | Messaging, Batch messaging |
Microsoft 365 | Clinician to patient email | UK | Messaging, Batch messaging |
Egress Software Technologies Ltd. | Secure clinician to patient email | EEA | Messaging |
Whereby Ltd. | Video consultations | EEA | Video |
Papertrail (SolarWinds Worldwide, LLC) | Log management | EEA | Entire app |
Heroku (Salesforce, Inc.) | Cloud platform as a service (PaaS) that supports several programming languages | EEA | Hosting services |
New Relic, Inc. | Software analytics company providing insights into application performance | EEA | Production monitoring tools |
Kinde | Secure sign-in service | UK | Admin Sign-in |
Google, Inc. | Web analytics service | EEA | Marketing/Analytics |
Vercel | Cloud hosting | UK | Hosting services |
Rollbar | Error logging | EU | Production monitoring tools |
CloudGateway | HSCN connectivity | UK | Networking infrastructure |
Posthog | App monitoring | EU | Production monitoring tools |
Our private practice sub-processors (last updated 18th March 2024)
The list of additional sub-processors we engage to help us deliver our services to only our private providers. We may process patient identifiable data through these providers:
Sub-processor | Purpose of Processing Personal Data | Server Geography | Applicable Features |
Twilio Inc. [Optional] | Clinician to patient SMS and automated SMS | US | Messaging, Batch messaging, Invoicing |
Signature Healthcare services Limited | Electronic prescription service | UK | Private Prescribing |
Our processors (last updated 26th April 2024)
Where Hero Doctor Limited is the Data Controller, we work with additional sub-processors. These sub-processors won't have visibility of patient identifiable data.
These sub-processors may be able to see data for which Hero Doctor is the data controller. This could include a limited set of data on Hero administrators or practitioners. Example use cases would be where we store identifiable data to manage our customer relationships or understand how our services are used. The list of processors is:
โ
Sub-processor | Purpose of Processing Personal Data | Server Geography | Applicable Features |
Intercom UK Ltd. | Customer messaging platform | EU | User engagement/ customer support |
Attio | Customer management and data visualisation | UK | Customer support, Commercial |
Metabase | Data analytics | EU | Support/Analytics |