Privacy & Security: Accurx sub-processors

This page describes the approach we use to assure sub-processors, and the sub-processors that the Accurx platform uses.

Written by Sameera
Updated over 3 weeks ago

We've designed this page for people who have a background in Information Governance or data protection. It's quite heavy in legal language.

If you want to read more basic information about security and privacy first, you can go here.

What is a Sub-processor

A sub-processor is a third party organisation that:

  • we depend on to help deliver the Accurx software service

  • will potentially have access to, or process, personal data of Accurx users or their patients.

Accurx engages different types of sub-processors to perform different functions in our service.

In the rest of this article, we explain our approach to assuring and engaging them generally, and then we set out the sub-processors currently used, and for what function.

Due Diligence

Accurx undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.

Contractual Safeguards

Accurx generally requires its sub-processors to satisfy obligations equivalent to those required from Accurx (as a Data Processor) as set forth in Accurx's Data Processing Agreement, including but not limited to the requirements to:

  • Process Personal Data in accordance with the data controller’s documented instructions (as communicated in writing to the relevant sub-processor by Accurx);

  • In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;

  • Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;

  • Implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Accurx is contractually committed to adhere, insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Accurx's behalf);

  • Promptly inform Accurx about any actual or potential security breach; and

  • Cooperate with Accurx in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This page does not give any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Accurx's engagement process for sub-processors as well as to provide the actual list of third party sub-processors and content delivery networks used by Accurx as of the date of this policy (which Accurx may use in the delivery and support of its Services).

Process to Engage New Sub-processors:

For all Subscribers who have executed Accurx's standard DPA, Accurx will provide notice via this policy of updates to the list of sub-processors that are used to deliver its Services. Accurx undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Accurx platform. IG Leads, Data Protection Officers, or anyone else who works for an Accurx customer may subscribe to receive notifications of updates to this policy by selecting the option in this form.

Accurx also commits to updating our catalogue listing on NHS Digital's Digital Care Service Catalogue website whenever we add a new sub-processor involved in any service covered by a relevant Call Off Agreement.

Pursuant to the DPA, a customer may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe customer's legitimate reason(s) for objection. If customers do not object during such time period the new sub-processor(s) shall be deemed accepted.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following table provides an up-to-date list of the names and locations of Accurx sub-processors.


Platform specific sub-processors

These sub-processors are involved in the delivery of the Accurx software platform. The tables below explain which features these are used for.

| Name | Nature and purpose | Geographical Location | Applicable features | International data transfer mechanism |
| --- | --- | --- | --- | --- |
| Tandem Health Ltd. | Accurx Scribe enables healthcare professionals to just listen to their patient instead of typing, drafting documents and letters during consultations. We use Tandem Health to provide this feature which listens and transcribes the conversation a clinician has with their patient during the consultation; summarises the consultation; and generates content based on the transcription such as clinical notes, referral and/or patient letters. The audio recording is not retained after the transcription is generated. | EEA | Accurx Scribe | Adequacy decision |
| Microsoft Azure | Accurx controls access to the infrastructure that we use to store and process the data on the platform. We use Microsoft Azure's secure cloud hosting service to securely store and process patient data. The Azure regions used are exclusively located in the UK, for both live and backup environments. | UK | All of Accurx | N/A |
| FireText Communications Ltd. | Accurx enables users to send SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Accurx server uses to send these messages. | UK | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video | N/A |
| BT Ltd | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video | UK and EEA | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video | Adequacy decision |
| Vonage | Accurx enables users to send SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Accurx server uses to send these messages. Vonage is also a secure voice communications provider that Accurx uses to set up voice conversations between healthcare staff and their patients. No content of the call is recorded by Accurx, Vonage or any other service. Technical logs are created to ensure Accurx and Vonage can monitor services and investigate any quality or technical issues. These are retained for a maximum of 90 days. | UK and EEA | Any Accurx messaging using SMS: SMS Plus, Florey Plus, Batch and Appointment Reminders, Video. Patient Call (select pilot practices only) | Adequacy decision |
| NHS Mail | Accurx uses secure NHS Mail accounts to send emails between healthcare professionals using the accuMail feature. | UK | Accurx messaging using email: Accurx - email patients, accuMail | N/A |
| Whereby Ltd. | Whereby is a secure meeting room service that Accurx uses to host video consultations between healthcare and/or social care staff and their patients. No content of the call is recorded or retained by Accurx, Whereby or any other service. Technical logs are created to ensure Accurx and Whereby can monitor services. They are retained to allow Accurx and Whereby to investigate any issues with the service for up to 90 days. | EEA | Video | Adequacy decision |
| Sendgrid Inc. | Sendgrid is an email campaign service provider used within Accurx to send automated account emails to Accurx users only. This means Sendgrid only has access to email addresses of staff who use Accurx. No patient data is processed using Sendgrid. | US | All of Accurx | UK Extension to the EU-US Data Privacy Framework (DPF) |
| Intercom Inc. | Intercom provides a live chat, phone, and email communication platform that we use to interact with users whose patients exercise their data subject rights (e.g., data deletion requests). In these instances, it is the data controllers (our users) who provide us with the necessary information and instruct us on how to process it in order to fulfill the patient’s request. Importantly, while patient data may be processed by Intercom in such cases, it does not include health data. Instead, it consists only of patient identifiers required to effectively process the request. | US | None product feature | UK Extension to the EU-US Data Privacy Framework (DPF) |

Processors used when providing support

These processors are used when Accurx provides support to its user base, and we depend on them to deliver the high standard of live support we provide. Please see our Privacy Policy for more information about how we process your data when you reach out to us.

| Name | Nature and purpose | Geographical Location | International Data Transfer Mechanism |
| --- | --- | --- | --- |
| Intercom UK Ltd. | Intercom provides a live chat, phone call and email communications platform that we use to speak to users who are seeking help using our products. It is available in our product or on our public-facing website. Intercom queries our user database to ensure the user is logged in and which organisation they are affiliated with. | US | UK Extension to the EU-US Data Privacy Framework (DPF) |
| ActiveCampaign | ActiveCampaign is an email campaign service provider that we use to send out mass emails to our users only to inform them of changes in the product. No patient data is processed using ActiveCampaign. | US | UK Extension to the EU-US Data Privacy Framework (DPF) |
| TeamViewer UK Ltd. | TeamViewer provides a software service that allows Support specialists to connect and remotely view Accurx users' screens to provide technical support. This is only used when the live or email conversation has not resolved the problem, and only with the permission of the Accurx user (they have to install TeamViewer themselves in order to proceed). Before connection, the Accurx Support specialist will advise the user to hide any personally identifiable information that's not pertinent to the support query. No content of the viewing session is retained beyond the end of it. | EEA | Adequacy decision |
| Aircall SAS | Aircall offers a cloud-based calling system that includes call handling integrated with Intercom that we use to speak and provide support to patients who are seeking help using our products. | EEA | Adequacy decision |
| Google LLC | Google is Accurx's email provider. All requests we receive or address via @accurx.com email addresses are processed through their services. | EEA | Adequacy decision |

If you still have any questions or concerns, feel free to chat with us using the green message bubble in the bottom right-hand corner of this page. 👉
