What is a Sub-processor?
A sub-processor is a third-party organisation that we depend on to help deliver the Pharmlogic software service and that may have access to or process personal data of Pharmlogic users or their patients.
We engage different types of sub-processors to perform different functions in our service.
In the rest of this article, we explain our approach to assuring and engaging them generally, and then we set out the sub-processors currently used, and for what function we engage them.
Due Diligence
Pharmlogic undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.
Contractual Safeguards
Pharmlogic generally requires its sub-processors to satisfy equivalent obligations as those required from Pharmlogic (as a Data Processor) as set forth in Pharmlogic's Data Processing Agreement, including but not limited to the requirements to:
Process Personal Data in accordance with the Data Controller's documented instructions (as communicated in writing to the relevant sub-processor by Pharmlogic);
In connection with their sub-processing activities, only use personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
Implement and maintain appropriate technical and organisational measures (including measures consistent with those to which Pharmlogic is contractually committed to adhere to insofar as they are equally relevant to the sub-processor's processing of Personal Data on Pharmlogic's behalf);
Promptly inform Pharmlogic about any actual or potential security breach; and
Cooperate with Pharmlogic in order to deal with requests from Data Controllers, Data Subjects or Data Protection Authorities, as applicable.
This page does not create any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Pharmlogic's engagement process for sub-processors as well as to provide the actual list of third party sub-processors and content delivery networks used by Pharmlogic as of the date of this policy (which Pharmlogic may use in the delivery and support of its Services).
Process to Engage New Sub-processors
For all Subscribers who have executed Pharmlogic's standard DPA, Pharmlogic will provide notice via this policy of updates to the list of sub-processors that are used to deliver its Services. Pharmlogic undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the Pharmlogic platform. IG Leads, Data Protection Officers, or anyone else who works for a Pharmlogic customer may subscribe to receive notifications of updates to this policy by emailing [email protected].
Pharmlogic also commits to updating our catalogue listing on NHS Digital's NHS Digital Care Service Catalogue website whenever we add a new sub-processor involved in any service covered by a relevant Call Off Agreement.
Pursuant to the DPA, a customer may object in writing to the processing of its Personal Data by a new sub-processor within thirty (30) days following the update of this policy and such objection shall describe customer's legitimate reason(s) for objection. If customers do not object during such time period the new sub-processor(s) shall be deemed accepted.
Termination rights, as applicable and agreed, are set forth exclusively in the DPA.
The following table provides an up-to-date list of the names and locations of Pharmlogic sub-processors.
Platform specific sub-processors
These sub-processors are involved in the delivery of the Pharmlogic software platform. The tables below explain which features these are used for.
Name | Nature and purpose | Geographical Location | Applicable features | International data transfer mechanism |
Microsoft Azure | Pharmlogic controls access to the infrastructure that we use to store and process data on the platform. We use Microsoft Azure's secure cloud hosting service to securely store and process patient data. The Azure regions used are exclusively located in the UK, for both live and backup environments. | UK | All of Pharmlogic | N/A |
FireText Communications Ltd. | Pharmlogic enables users to send SMS messages to patients. We use third-party gateways for the delivery of those SMS messages. They provide APIs that the Pharmlogic server uses to send these messages. | UK | Any Pharmlogic messaging using SMS: Notify, Batch, Video, Loyalty | N/A |
BT Ltd. | Pharmlogic enables users to send SMS messages to patients. We use third-party gateways for the delivery of those SMS messages. They provide APIs that the Pharmlogic server uses to send these messages. | UK and EEA | Any Pharmlogic messaging using SMS: Notify, Batch, Video, Loyalty | |
Vonage | Pharmlogic enables users to send SMS messages to patients. We use third-party gateways for the delivery of those SMS messages. They provide APIs that the Pharmlogic server uses to send these messages. | | Any Pharmlogic messaging using SMS: Notify, Batch, Video, Loyalty | |
Whereby Ltd. | Whereby is a secure meeting room service that Pharmlogic uses to host video consultations between healthcare and/or social care staff and their patients. No content of the call is recorded or retained by Pharmlogic, Whereby or any other service. Technical logs are created to ensure Pharmlogic and Whereby can monitor services. They are retained by Pharmlogic and Whereby to investigate any issues with the service for up to 90 days. | EEA | Video | |
Intercom, Inc. | Intercom provides a live chat, phone, and email communication platform that we use to interact with users whose patients exercise their data subject rights (e.g., data deletion requests). In these instances, it is the data controllers (our users) who provide us with the necessary information and instruct us on how to process it in order to fulfill the patient’s request. Importantly, while patient data may be processed by Intercom in such cases, it does not include health data. Instead, it consists only of patient identifiers required to effectively process the request. | US | No product feature | UK Extension to the EU-US Data Privacy Framework (DPF) |
Processors used when providing support
These processors are used when Pharmlogic provides support to its user base, and we depend on them to deliver the high standard of live support we provide. Please see our Privacy Policy for more information on how we process your data when you reach out to us.
Name | Nature and purpose | Geographical Location | International data transfer mechanism |
Intercom UK Ltd. | Intercom provides a live chat, phone call and email communications platform that we use to speak to users who are seeking help using our products. It is available in our product or on our public-facing website. Intercom queries our user database to confirm that the user is logged in and which organisation they are affiliated with. | US | UK Extension to the EU-US Data Privacy Framework (DPF) |
ActiveCampaign | ActiveCampaign is an email campaign service provider that we use to send out mass emails to our users only to inform them of changes in the product. No patient data is processed using ActiveCampaign. | US | UK Extension to the EU-US Data Privacy Framework (DPF) |
TeamViewer UK Ltd. | TeamViewer provides a software service that allows Support specialists to connect and remotely view Pharmlogic users' screens to provide technical support. This is only used when the live or email conversation has not resolved the problem, and only with the permission of the Pharmlogic user (they have to install TeamViewer themselves in order to proceed). Before connection, the Pharmlogic Support specialist will advise the user to hide any personally identifiable information that's not pertinent to the support query. No content of the viewing session is retained beyond the end of it. | EEA | |
Microsoft Ltd | Microsoft is Pharmlogic's email provider. All requests we receive or address via @pharmlogic.co.uk email addresses are processed through their services. | EEA | |
