CareIQ sub-processors
Sub-processors used on the CareIQ platform
Janu
Last Update a year ago
This article is aimed at those with a background in Information Governance or data protection.
For the unfamiliar, it can feel quite heavy in legal language.
What's a Sub-processor
A sub-processor is a third-party company that helps another company (the data processor) handle and manage personal data. A sub-processor might help with tasks like data storage, analysis, or processing.
Both the data processor and the sub-processor must follow GDPR rules to protect people's personal information.
CareIQ works with a range of sub-processors to help us operate smoothly.
Read more to learn about:
- how we typically review and engage with sub-processors
- the sub-processors we currently use and what we use them for
Due Diligence
CareIQ employs a commercially reasonable process to assess the security, privacy, and confidentiality practices of potential sub-processors who might access or handle Service Data.
Safeguards
CareIQ typically asks its sub-processors to meet obligations similar to those imposed on CareIQ itself as a Data Processor, as outlined in CareIQ's Data Processing Agreement.
These requirements cover, but are not limited to:
- Process Personal Data in accordance with data controller’s documented instructions (as communicated in writing to the relevant sub-processor by CareIQ);
- Provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
- Implement and maintain appropriate technical and organisational measures (including measures consistent with those to which CareIQ is contractually committed to adhere to insofar as they are equally relevant to the sub-processor’s processing of Personal Data on CareIQ's behalf);
- Promptly inform CareIQ about any actual or potential security breach; and
- Cooperate with CareIQ in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.
This page does not establish additional rights or legal remedies and should not be interpreted as a legally binding agreement. The purpose of the information here is solely to explain CareIQ's process for engaging with sub-processors and to list the specific third-party sub-processors and content delivery networks that CareIQ is currently using for its Services as of the date of this policy (which CareIQ may employ in the delivery and support of its Services).
Process to Engage New Sub-processors:
CareIQ will provide notice via this policy of updates to the list of sub-processors that are used to deliver its Services. CareIQ undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of sub-processing associated with the CareIQ platform. IG Leads, Data Protection Officers, or anyone else who works for a CareIQ customer may subscribe to receive notifications of updates to this policy by selecting the option in this form.
CareIQ will use this article to notify you of any changes or additions to the list of sub-processors used for delivering its Services. CareIQ will maintain this list (with regular updates) to keep relevant stakeholders informed about sub-processing activities related to the CareIQ platform.
As per our standard Data Processing Agreement (DPA), a customer has the right to express their objection in writing if they disagree with the processing of their Personal Data by a new sub-processor. This objection must be submitted within thirty (30) days after the update of this policy, and it should outline the legitimate reasons for the objection. If customers do not raise objections during this specified timeframe, the new sub-processor(s) will be considered accepted.
Any rights related to the termination of services, as applicable and agreed upon, are exclusively outlined in the Data Processing Agreement (DPA).
Platform focused sub-processors
These sub-processors play a role in providing the CareIQ software platform. The tables below clarify the nature and purpose for which these sub-processors are utilised.
Name | Nature and purpose | Geographical Location | Applicable features |
---|---|---|---|
AWS (Amazon Web Services) | CareIQ controls access to the infrastructure that we use to store and process the data on the platform. We use AWS' secure cloud hosting service to securely store and process patient data. The AWS regions used are exclusively located in the UK, for both live and backup environments. | UK | All of CareIQ |
Ionos Cloud | CareIQ controls access to the infrastructure that we use to store and process the data on the platform. We use Ionos' secure cloud hosting service to securely store and process patient data. The Ionos regions used are exclusively located in the UK, for both live and backup environments. | UK | CareIQ Insights |
PlanetScale | CareIQ controls access to the infrastructure that we use to store and process the data on the platform. We use PlanetScale's cloud database service managed by AWS to securely store and process patient data. The PlanetScale / AWS regions used are exclusively located in the UK, for both live and backup environments. | US | All of CareIQ |
Vercel | CareIQ controls access to the infrastructure that we use to store and process the data on the platform. We use Vercel's secure cloud hosting service managed by AWS to securely store and process patient data. The Vercel / AWS regions used are exclusively located in the UK, for both live and backup environments. | US | Any CareIQ web application |
Twilio Inc | CareIQ enables users to send WhatsApp and SMS messages to patients. We use third party providers for the delivery of those WhatsApp and SMS messages. They provide APIs that CareIQ servers use to send these messages. | US | Any CareIQ messaging using WhatsApp and SMS |
Sendgrid Inc. | Sendgrid is an email campaign service provider used within CareIQ to send automated account emails to CareIQ users only. No personally sensitive information is sent over these emails. | US | All of CareIQ |
Sentry | Sentry is an error logging platform that helps developers identify, diagnose, and resolve software issues for improved application performance. No personal, confidential, or sensitive information is stored in or sent over these logs. | US | All of CareIQ |
Clarity by Microsoft | Clarity is a user behaviour analytics tool that helps the team understand how users interact with CareIQ web applications and mobile apps. No personal, confidential, or sensitive information is stored or sent over. | US | Any CareIQ user facing application |
Support focused sub-processors
The sub-processors below are used exclusively for CareIQ's user and patient support. Support specialists are trained to minimise personal data processing, and the use of the platforms below is essential for this and vital for delivering top-notch live support. Occasionally, and only where necessary, this may involve patient information when helping users communicate via CareIQ.
Name | Nature and purpose | Geographical Location |
---|---|---|
Tawk.to | Tawk provides a knowledge base platform that we use to create and manage articles for users who are seeking help using our products. It is available in our product or on our public-facing website. | US |
Google LLC | Google is CareIQ's email provider. All requests we receive or address via @careiq.health email addresses are processed through their services. | EEA |