Hero Health
Hero Health
  • Docs
  • Changelog
  • Feature requests
  • Support portal
    • Feature requests
    • Sub-processors
    • Multi-Factor Authentication (MFA)
Docs / About the Hero platform

Sub-processors

Read about the sub-processors that we work with to deliver the Hero service.

Sub-processors

When providing software services to you, for the patient data you enter within the platform, you are the Data Controller and we are the Data Processor.

To deliver our service, there are occasions where we use sub-contractors (known as sub-processors). Sub-processors may potentially have access to or process personal data of patients you've interacted with when using the Hero platform.

This page sets out the Sub-processors we use, for what function/s we use them, and how they help us to deliver our services.

Please note, this webpage should not be taken as a binding agreement. The information provided here is to illustrate our engagement process for sub-processors and the actual list of third party sub-processors.

Selecting our sub-processors

We evaluate the security practices of our Sub-processors that will or may process Personal Data to ensure they have acceptable security, privacy and confidentiality practices.

Our Sub-processor contracts ensure that Sub-processors will:

  • Implement and maintain technical and organisational measures to protect Personal Data

  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data

  • Promptly inform us about any actual or potential security breach

  • Co-operate with us to respond to requests from data controllers, data subjects or data protection authorities on your instructions

Updating our sub-processors

From time to time we may update or add suppliers to our list of sub-processors. As per the DPA, we will give you 14 days notice for you to object to your Personal Data being processed by the proposed changes to our sub-processors list.

Our standard sub-processors (last updated 11th October 2024)

The list of sub-processors we engage to help us deliver services to NHS and private providers. We may process patient identifiable data through these providers:

Sub-processor

Purpose of Processing Personal Data

Server Geography

Applicable Features/ Use of personal data

Amazon Web Services, Inc.

Cloud hosting

UK

Entire app

FireText Communications Ltd

Clinician to patient SMS

UK

Messaging, Batch messaging

Microsoft 365

Clinician to patient email

UK

Messaging, Batch messaging

Whereby Ltd.

Video consultations

EEA

Video

Heroku (Salesforce, Inc.)

Cloud platform as a service (PaaS) that supports several programming languages

EEA

Hosting services

New Relic, Inc.

Software analytics company providing insights into application performance

EEA

Production monitoring tools

Kinde

Secure sign-in service

UK

Admin Sign-in

Vercel

Cloud hosting

UK

Hosting services

Rollbar

Error logging

EU

Production monitoring tools

CloudGateway

HSCN connectivity

UK

Networking infrastructure

Posthog

App monitoring

EU

Production monitoring tools

EMIS Health

Clinical system (EHR) integration — availability sync, booking, write-to-record

UK

Patient NHS number, EHR identifiers, clinical data transmitted for write-to-record 

TPP (SystmOne) 

Clinical system (EHR) integration — availability sync, booking 

UK 

Patient EHR identifiers, availability/slot data 

Kinde

Identity and authentication provider (admin users) 

UK

Admin user email, Kinde user/org identifiers 

NHS (PDS — Personal Demographics Service) 

Patient demographic lookups and verification 

UK (NHS Digital infrastructure) 

Patient NHS number, demographic data returned from PDS 

NHS Notify 

Patient notification delivery via NHS Notify channel (where enabled) 

UK 

Patient contact details, notification content 

GP Connect 

NHS API used solely to register patients as temporary patients in the EHR (temporary registration endpoint). No data is retrieved or stored in Hero via GP Connect; only PDS-verified patient identity data already held in Hero is transmitted outbound to the EHR. 

UK 

PDS-verified patient identity data (name, DOB, NHS number, address) transmitted outbound from Hero to the EHR for temporary registration. No inbound data stored in Hero. 

Our private practice sub-processors (last updated 18th March 2024)

The list of additional sub-processors we engage to help us deliver our services to only our private providers. We may process patient identifiable data through these providers:

Sub-processor

Purpose of Processing Personal Data

Server Geography

Applicable Features

Pharmacierge 

Online pharmacy fulfillment of e-prescriptions (private practice, where enabled) 

UK 

Patient name, address, prescription data 

Twilio Inc. [Optional]

Clinician to patient SMS and automated SMS

US

Messaging, Batch messaging, Invoicing

Signature Healthcare services Limited

Electronic prescription service

UK

Private Prescribing

Healthcode 

Insurance billing submission (private practice) 

UK 

Patient name, DOB, sex, address, insurer details, diagnosis codes, treatment details 

Chemist4U 

Online pharmacy fulfillment of e-prescriptions (private practice, where enabled) 

UK 

Patient name, address, prescription data 

Our processors (last updated 26th April 2024)

Where Hero Doctor Limited is the Data Controller, we work with additional sub-processors. These sub-processors won't have visibility of patient identifiable data.

These sub-processors may be able to see data for which Hero Doctor is the data controller. This could include a limited set of data on Hero administrators or practitioners. Example use cases would be where we store identifiable data to manage our customer relationships or understand how our services are used. The list of processors is:
​

Sub-processor

Purpose of Processing Personal Data

Server Geography

Applicable Features

ProductLane

Customer messaging platform

EU

User engagement/ customer support

Attio

Customer management and data visualisation

UK

Customer support, Commercial

Metabase

Data analytics

EU

Support/Analytics

PrevFeature requests
NextMulti-Factor Authentication (MFA)
Was this helpful?