Sub-processors
Last updated: 30 April 2025
A sub-processor is a third-party vendor that processes personal data on behalf of a data controller or processor to deliver specific services. Our sub-processors are contractually bound to handle data in accordance with data protection laws including the UK GDPR, EU GDPR, the UK Data Protection Act 2018, and HIPAA, as applicable.
All sub-processors listed below have undergone risk assessment and are subject to appropriate safeguards, including Data Processing Agreements (DPAs) and, where required, Standard Contractual Clauses (SCCs) and/or Binding Corporate Rules (BCRs) for any international transfers.
Amazon Web Services (AWS)
Role: Cloud hosting and region-specific data storage.
Compliance & Certifications:
HIPAA (Business Associate Agreement in place), UK/EU GDPR, UK Data Protection Act 2018
ISO 27001, ISO 27701, ISO 27017, ISO 27018, SOC 2 Type II, HITRUST r2
Cyber Essentials Plus, NHS DSP Toolkit (Standards Exceeded), BSI C5
Participant in EU–U.S. Data Privacy Framework and UK extension
Registered with the UK Information Commissioner’s Office (ICO)
Snowflake
Role: Data warehousing and analytics.
Snowflake works within our AWS infrastructure to enable data warehousing, security, and analytics.
Compliance & Certifications:
UK/EU GDPR, HIPAA (Business Associate Addendum in place)
ISO 27001, ISO 27701, SOC 2 Type II, HITRUST r2
Cyber Essentials Plus, NHS DSP Toolkit (Standards Exceeded), BSI C5
Participant in EU–U.S. Data Privacy Framework and UK extension
Registered with the UK ICO
Freshworks (Freshdesk)
Role: Email support ticketing platform
Freshdesk is used to manage support emails. Region-specific storage is used. Support threads are restricted and resolved threads are pseudonymised or deleted at least quarterly.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, SOC 2 Type II
Participant in EU–U.S. Data Privacy Framework and UK extension
Registered with the UK ICO
ServiceNow
Role: Internal workflow management and email ticketing
Used for support workflows, including support email ticketing. Support threads are restricted and pseudonymised or deleted on resolution. While region-specific storage is available for UK and EU data, helpdesk support email interactions may involve temporary processing in the US. This is governed by a Data Processing Addendum incorporating SCCs. ServiceNow also participates in the EU–U.S. Data Privacy Framework and the UK extension. We aim to transition our UK and EU email support ticketing to ServiceNow in H1 2025.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II
EU–U.S. Data Privacy Framework and UK extension participant
SCCs applied to any temporary U.S. processing
Cyber Essentials Plus, NHS DSP Toolkit (Standards Exceeded), BSI C5
Twilio
Role: SMS delivery (e.g. reminders, 2FA)
PHI in messages (if any) is minimized. Data such as phone numbers and message content (e.g. myrecovery app user first name and a procedure date) is temporarily processed in the U.S. All message bodies and phone numbers are redacted after delivery; only anonymized logs are retained.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, SOC 2 Type II
Binding Corporate Rules and SCCs in place for U.S. processing
Registered with UK ICO
Mailgun
Role: Email delivery (e.g. user registration, reminders)
Region-specific storage. PHI in messages (if any) is minimized, and all messages are purged after 3 days.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, SOC 2 Type II
Google Workspace
Role: Internal productivity tools (email, documents)
Usage is limited to internal communications and documentation; no PHI is stored.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, SOC 2 Type II, HITRUST
Registered with UK ICO and NHS DSP Toolkit
Microsoft Office (365)
Role: Internal productivity tools (email, documents)
Usage is limited to internal communications and documentation; no PHI is stored.
Compliance & Certifications:
UK/EU GDPR, HIPAA (BAA in place)
ISO 27001, SOC 2 Type II, HITRUST
Registered with UK ICO and NHS DSP Toolkit
Sendbird (some US pathways only)
Role: In-app communication tool between dashboard and patient app (only available on some US pathways)
Any data exchanged through the app is encrypted and securely stored in region-specific environments.
Compliance & Certifications:
HIPAA (BAA in place), UK/EU GDPR
ISO 27001, SOC 2 Type II
Registered with UK ICO and NHS DSP Toolkit
Strata Health (some UK pathways only)
Role: Secure data sharing for NHS self-referrals.
For UK patients who self-refer to certain self-management pathways in the myrecovery app, sharing data with the local NHS team may involve Strata, a UK-based provider specializing in secure data flow and system integration.
Strata enables coordinated delivery of care by linking myrecovery data to NHS systems. The processing of patient data via Strata is carried out under Article 6(1)(e) – performance of a task carried out in the public interest, and Article 9(2)(h) – provision of health or social care or treatment or the management of health or social care systems and services. This basis reflects the role of Strata in supporting continuity of care, in partnership with the NHS, where data is transferred solely for legitimate, clinically relevant purposes. No international data transfer takes place.
Compliance & Certifications:
UK GDPR, UK Data Protection Act
ISO 27001, ISO 27017, ISO 27018, ISO 9001