<h1>Sub-processors</h1>When providing software services to you, for the patient data you enter within the platform, you are the Data Controller and we are the Data Processor.To deliver our service, there are occasions where we use sub-contractors (known as sub-processors). Sub-processors may potentially have access to or process personal data of patients you've interacted with when using the Hero platform.This page sets out the Sub-processors we use, for what function/s we use them, and how they help us to deliver our services.Please note, this webpage should not be taken as a binding agreement. The information provided here is to illustrate our engagement process for sub-processors and the actual list of third party sub-processors.<h1>Selecting our sub-processors</h1>We evaluate the security practices of our Sub-processors that will or may process Personal Data to ensure they have acceptable security, privacy and confidentiality practices.Our Sub-processor contracts ensure that Sub-processors will:<ul class="accent-bullets"><li>Implement and maintain technical and organisational measures to protect Personal Data</li><li>Provide regular training in security and data protection to personnel to whom they grant access to Personal Data</li></ul><ul class="accent-bullets"><li>Promptly inform us about any actual or potential security breach</li><li>Co-operate with us to respond to requests from data controllers, data subjects or data protection authorities on your instructions</li></ul><h1>Updating our sub-processors</h1>From time to time we may update or add suppliers to our list of sub-processors. As per the DPA, we will give you 14 days notice for you to object to your Personal Data being processed by the proposed changes to our sub-processors list.<h2>Our standard sub-processors (last updated 11th October 2024)</h2>The list of sub-processors we engage to help us deliver services to NHS and private providers. We may process patient identifiable data through these providers:<table style="min-width: 100px"><colgroup><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"></colgroup><tbody><tr><td colspan="1" rowspan="1">Sub-processor</td><td colspan="1" rowspan="1">Purpose of Processing Personal Data</td><td colspan="1" rowspan="1">Server Geography</td><td colspan="1" rowspan="1">Applicable Features</td></tr><tr><td colspan="1" rowspan="1">Amazon Web Services, Inc.</td><td colspan="1" rowspan="1">Cloud hosting</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Entire app</td></tr><tr><td colspan="1" rowspan="1">FireText Communications Ltd</td><td colspan="1" rowspan="1">Clinician to patient SMS</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Messaging, Batch messaging</td></tr><tr><td colspan="1" rowspan="1">Microsoft 365</td><td colspan="1" rowspan="1">Clinician to patient email</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Messaging, Batch messaging</td></tr><tr><td colspan="1" rowspan="1">Egress Software Technologies Ltd.</td><td colspan="1" rowspan="1">Secure clinician to patient email</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Messaging</td></tr><tr><td colspan="1" rowspan="1">Whereby Ltd.</td><td colspan="1" rowspan="1">Video consultations</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Video</td></tr><tr><td colspan="1" rowspan="1">Papertrail (SolarWinds Worldwide, LLC)</td><td colspan="1" rowspan="1">Log management</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Entire app</td></tr><tr><td colspan="1" rowspan="1">Heroku (Salesforce, Inc.)</td><td colspan="1" rowspan="1">Cloud platform as a service (PaaS) that supports several programming languages</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Hosting services</td></tr><tr><td colspan="1" rowspan="1">New Relic, Inc.</td><td colspan="1" rowspan="1">Software analytics company providing insights into application performance</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Production monitoring tools</td></tr><tr><td colspan="1" rowspan="1">Kinde</td><td colspan="1" rowspan="1">Secure sign-in service</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Admin Sign-in</td></tr><tr><td colspan="1" rowspan="1">Google, Inc.</td><td colspan="1" rowspan="1">Web analytics service</td><td colspan="1" rowspan="1">EEA</td><td colspan="1" rowspan="1">Marketing/Analytics</td></tr><tr><td colspan="1" rowspan="1">Vercel</td><td colspan="1" rowspan="1">Cloud hosting</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Hosting services</td></tr><tr><td colspan="1" rowspan="1">Rollbar</td><td colspan="1" rowspan="1">Error logging</td><td colspan="1" rowspan="1">EU</td><td colspan="1" rowspan="1">Production monitoring tools</td></tr><tr><td colspan="1" rowspan="1">CloudGateway</td><td colspan="1" rowspan="1">HSCN connectivity</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Networking infrastructure</td></tr><tr><td colspan="1" rowspan="1">Posthog</td><td colspan="1" rowspan="1">App monitoring</td><td colspan="1" rowspan="1">EU</td><td colspan="1" rowspan="1">Production monitoring tools</td></tr></tbody></table><h2>Our private practice sub-processors (last updated 18th March 2024)</h2>The list of additional sub-processors we engage to help us deliver our services to only our private providers. We may process patient identifiable data through these providers:<table style="min-width: 100px"><colgroup><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"></colgroup><tbody><tr><td colspan="1" rowspan="1">Sub-processor</td><td colspan="1" rowspan="1">Purpose of Processing Personal Data</td><td colspan="1" rowspan="1">Server Geography</td><td colspan="1" rowspan="1">Applicable Features</td></tr><tr><td colspan="1" rowspan="1">Twilio Inc. [Optional]</td><td colspan="1" rowspan="1">Clinician to patient SMS and automated SMS</td><td colspan="1" rowspan="1">US</td><td colspan="1" rowspan="1">Messaging, Batch messaging, Invoicing</td></tr><tr><td colspan="1" rowspan="1">Signature Healthcare services Limited</td><td colspan="1" rowspan="1">Electronic prescription service</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Private Prescribing</td></tr></tbody></table><h2>Our processors (last updated 26th April 2024)</h2>Where Hero Doctor Limited is the Data Controller, we work with additional sub-processors. These sub-processors won't have visibility of patient identifiable data.These sub-processors may be able to see data for which Hero Doctor is the data controller. This could include a limited set of data on Hero administrators or practitioners. Example use cases would be where we store identifiable data to manage our customer relationships or understand how our services are used. The list of processors is: ​<table style="min-width: 100px"><colgroup><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"><col style="min-width: 25px"></colgroup><tbody><tr><td colspan="1" rowspan="1">Sub-processor</td><td colspan="1" rowspan="1">Purpose of Processing Personal Data</td><td colspan="1" rowspan="1">Server Geography</td><td colspan="1" rowspan="1">Applicable Features</td></tr><tr><td colspan="1" rowspan="1">Intercom UK Ltd.</td><td colspan="1" rowspan="1">Customer messaging platform</td><td colspan="1" rowspan="1">EU</td><td colspan="1" rowspan="1">User engagement/ customer support</td></tr><tr><td colspan="1" rowspan="1">Attio</td><td colspan="1" rowspan="1">Customer management and data visualisation</td><td colspan="1" rowspan="1">UK</td><td colspan="1" rowspan="1">Customer support, Commercial</td></tr><tr><td colspan="1" rowspan="1">Metabase</td><td colspan="1" rowspan="1">Data analytics</td><td colspan="1" rowspan="1">EU</td><td colspan="1" rowspan="1">Support/Analytics</td></tr></tbody></table>

About the Hero platform

Read about the sub-processors that we work with to deliver the Hero service.

Sub-processors

Invite admins

Practitioners

Locations

Multi-tenancy

API keys

Introducing NHS patients to Hero

Introducing private patients to Hero

Onboarding

Send a message

View sent messages

Contact methods

Questionnaires

Questionnaire links

Questionnaire responses

Patient replies

Send an attachment

Self-booking links

Message templates

SMS fragments

What patients see

EMIS-X

Individual messaging

Send a batch message

Uploading patients

Batch messaging

Online booking

Appointment restrictions

Networks

Cross-org booking

Cross-org self-booking links

Intake forms

Video appointments

Diary view

Book an appointment

Reporting

Reminders mailers

Cancellation policy

Appointment types

Appointments

Patient submissions

Assigning admins

Teams

Respond to a patient

Inbox

Get started

Pathways

Request templates

Patient access

Schedule access

Daily limits

Page messaging

Medical device status

Testing pathways

Submit a request

Auto-assign requests

Care navigation

SMS (Firetext)

Stripe: Get started

Stripe: Invoicing

Stripe: Take payments

Stripe: Products

Stripe: Reporting

Stripe: Patient details

Stripe: Customers

Stripe: Branding

Stripe: Patients payments

Apps

Get Started

Troubleshooting

EMAS Manager

Multiple instances of EMIS Web running on the PC

.Net 3.5 required for Sidekick to function

Hero Sidekick

Getting started

Gateway PC setup

Booking configuration

Unregistered patients

Retrieve patient records

Hero hosted integration guide

SystmOne

EMIS

Patient merging

Submit a quick consult

Patients

Feature requests

Multi-Factor Authentication (MFA)

Docs

Hero Health