IG & Security: Accurx sub-processors

This page describes the approach we use to assure sub-processors, and the sub-processors that the Accurx platform uses.

Written by Matthew Honeyman
Updated over a week ago

We've designed this page for people who have a background in Information Governance or data protection. It's quite heavy in legal language.

If you want to read more basic information about security and privacy first, you can go here.

What is a Sub-processor?

A sub-processor is a third party organisation that:

  • we depend on to help deliver the Accurx software service

  • will potentially have access to or process personal data of Accurx users, or their patients.

Accurx engages different types of sub-processors to perform different functions in our service.

In the rest of this article, we explain our approach to assuring and engaging them generally, and then we set out the sub-processors currently used, and for what function.

Due Diligence

Accurx undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.

Contractual Safeguards

Accurx generally requires its sub-processors to satisfy obligations equivalent to those required from Accurx (as a Data Processor) as set forth in Accurx's Data Processing Agreement, including but not limited to the requirements to:

  • Process Personal Data in accordance with the data controller’s documented instructions (as communicated in writing to the relevant sub-processor by Accurx);

  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;

  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;

  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Accurx is contractually committed to adhere, insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Accurx's behalf);

  • Promptly inform Accurx about any actual or potential security breach; and

  • Cooperate with Accurx in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This page does not give any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Accurx's engagement process for sub-processors as well as to provide the actual list of third party sub-processors and content delivery networks used by Accurx as of the date of this policy (which Accurx may use in the delivery and support of its Services).

Process to Engage New Sub-processors:

For all Subscribers who have executed Accurx's standard DPA, Accurx will provide notice via this policy of updates to the list of sub-processors that are used to deliver its Services. Accurx undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Accurx platform. IG Leads or Data Protection Officers, or anyone else who works for an Accurx customer may subscribe to receive notifications of updates to this policy by selecting the option in this form.

Accurx also commits to updating our catalogue listing on NHS Digital's Digital Care Service Catalogue website whenever we add a new sub-processor involved in any service covered by a relevant Call Off Agreement.

Pursuant to the DPA, a customer may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe customer's legitimate reason(s) for objection. If customers do not object during such time period the new sub-processor(s) shall be deemed accepted.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following table provides an up-to-date list of the names and locations of Accurx sub-processors.


Platform specific sub-processors

These sub-processors are involved in the delivery of the Accurx software platform. The tables below explain which features these are used for.

| Name | Nature and purpose | Geographical Location | Applicable features |
| --- | --- | --- | --- |
| Microsoft Azure | Accurx controls access to the infrastructure that we use to store and process the data on the platform. We use Microsoft Azure's secure cloud hosting service to securely store and process patient data. The Azure regions used are exclusively located in the UK, for both live and backup environments. | UK | All of Accurx |
| FireText Communications Ltd. | Accurx enables users to send SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Accurx server uses to send these messages. | UK | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video |
| BT Ltd. | Accurx enables users to send SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Accurx server uses to send these messages. | UK and EEA | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video |
| Vonage | Accurx enables users to send SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Accurx server uses to send these messages. Vonage is also a secure voice communications provider that Accurx uses to set up voice conversations between healthcare staff and their patients. No content of the call is recorded by Accurx, Vonage or any other service. Technical logs are created to ensure Accurx and Vonage can monitor services and investigate any quality or technical issues. These are retained for a maximum of 90 days. | UK and EEA | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video. Patient Call (select pilot practices only) |
| NHSMail | Accurx uses secure NHS Mail accounts to send emails between healthcare professionals using the accuMail feature. | UK | Accurx messaging using email: Accurx - email patients, accuMail |
| Whereby Ltd. | Whereby is a secure meeting room service that Accurx uses to host video consultations between healthcare and/or social care staff and their patients. No content of the call is recorded or retained by Accurx, Whereby or any other service. Technical logs are created to ensure Accurx and Whereby can monitor services. They are retained to allow Accurx and Whereby to investigate any issues with the service for up to 90 days. | EEA | Video |
| Sendgrid Inc. | Sendgrid is an email campaign service provider used within Accurx to send automated account emails to Accurx users only. This means Sendgrid only has access to email addresses of staff who use Accurx. No patient data is processed using Sendgrid. | US | All of Accurx |

Support specific sub-processors

These sub-processors are only used when Accurx provides support to users or patients. Accurx support specialists are trained to minimise the processing of personal data across these platforms, but Accurx depends on them to deliver the high standard of live support provided. From time to time and only where necessary, this may include information about patients that the user was seeking help to communicate with via Accurx.

| Name | Nature and purpose | Geographical Location |
| --- | --- | --- |
| Intercom UK Ltd. | Intercom provides a live chat and email communications platform that we use to speak to users who are seeking help using our products. It is available in our product or on our public-facing website. Intercom queries our user database to ensure the user is logged in and which organisation they are affiliated with. | US |
| ActiveCampaign | ActiveCampaign is an email campaign service provider that we use to send out mass emails to our users only to inform them of changes in the product. No patient data is processed using ActiveCampaign. | US |
| TeamViewer UK Ltd. | TeamViewer provides a software service that allows Support specialists to connect and remotely view Accurx users' screens to provide technical support. This is only used when the live or email conversation has not resolved the problem, and only with the permission of the Accurx user (they have to install TeamViewer themselves in order to proceed). Before connection, the Accurx Support specialist will advise the user to hide any personally identifiable information that's not pertinent to the support query. No content of the viewing session is retained beyond the end of it. | EEA |
| Aircall SAS | Aircall offers a cloud-based calling system that includes call handling integrated with Intercom that we use to speak and provide support to patients who are seeking help using our products. | EEA |
| Google LLC | Google is Accurx's email provider. All requests we receive or address via @accurx.com email addresses are processed through their services. | EEA |

If you still have any questions or concerns, feel free to chat with us using the green message bubble in the bottom right-hand corner of this page. 👉
