<aside> 🚧 We've designed this page for people who have a background in Information Governance or data protection. It's quite heavy in legal language.

This page is shared on a confidential in confidence basis. Thank you.

</aside>

What is a Sub-processor

A sub-processor is a third party organisation that:

• we depend on to help deliver the Healthtech-1 software service
• who will potentially have access to or process personal data of Healthtech-1 users, or their patients.

Healthtech-1 engages different types of sub-processors to perform different functions in our service.

In the rest of this document, we explain our approach to assuring and engaging them generally, and then we set out the sub-processors currently used, and for what function.

Due Diligence

Healthtech-1 undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process Service Data.

An International Transfer Risk Assessment has been undertaken for any sub-processor that transfers data out of the UK. This can be found here.

Contractual Safeguards

Healthtech-1 generally requires its sub-processors to satisfy equivalent obligations as those required from Healthtech-1 (as a Data Processor) as set forth in Healthtech-1's Data Processing Agreement, including but not limited to the requirements to:

• Process Personal Data in accordance with data controller’s documented instructions (as communicated in writing to the relevant sub-processor by Healthtech-1);
• In connection with their sub-processing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
• Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
• Implement and maintain appropriate technical and organisational measures (including measures consistent with those to which Healthtech-1 is contractually committed to adhere to insofar as they are equally relevant to the sub-processor’s processing of Personal Data on Healthtech-1's behalf);
• Promptly inform Healthtech-1 about any actual or potential security breach; and