What this is. A subprocessor is a third party that handles any personal data on Nemora's behalf to deliver NHS Performance Intelligence. UK GDPR Article 28 requires us to disclose every subprocessor, give notice when the list changes, and bind each one to obligations equivalent to our Data Processing Agreement. Because the Platform holds no patient data, subprocessors only ever handle professional user data and any aggregate figures your organisation uploads.
Current subprocessors
| Provider | Service | Data they may process | Region |
|---|---|---|---|
| Cloudflare, Inc. | Application hosting (Workers and D1 database), website hosting (Pages), CDN and DDoS protection | User name, work email, role, organisation; Peer Exchange profiles and messages; organisation-uploaded figures; server access logs | Global edge network; UK/EU where available. UK Addendum / SCCs |
| Resend, Inc. | Transactional email (Peer Exchange notifications, trial and enquiry emails) | Recipient name, work email, message content | US. UK Addendum / SCCs |
Analytics: Platform usage analytics are first-party and aggregate. No third-party advertising or cross-site tracking service is used. This website loads fonts from Google Fonts, which involves your browser requesting font files from Google (your IP address is visible to Google in that request, as with any web resource).
Public data sources (not subprocessors)
The Platform's performance statistics come from national open-data publications. These publishers see no user data (they are not subprocessors), but we list the kinds of sources for completeness:
- NHS England statistical publications (RTT, A&E, cancer, diagnostics, discharge, workforce, beds, and others)
- The NHS England public data gateway (official league table and Oversight Framework segmentation)
- The Care Quality Commission (ratings, via its syndication service)
- Other national public bodies publishing under the Open Government Licence (for example, estates and cost collections)
- Official Trust websites, for board and leadership records
How we choose subprocessors
- The minimum data they need to provide their service
- Their security posture (certifications, public security documentation)
- The lawful basis for any international transfer (UK IDTA / SCCs / adequacy)
- Whether they offer a Data Processing Agreement we can rely on
Notice of changes
We will give customers at least 30 days' notice before adding or replacing a subprocessor, during which you may object on reasonable data-protection grounds. Subscribe to notices by emailing [email protected].
Privacy Policy
Terms of Service
Acceptable Use
Data Processing
Accessibility
Security
© 2026 Nemora Healthcare Solutions Ltd