Doctify

Patient feedback, analytics and governance platform

Doctify allows healthcare providers to collect and publish verified patient feedback and surveys allowing patients to find the very best doctor or hospital for their needs and healthcare providers better understand their patients' experience.

Features

• Real-time reporting
• Feedback and survey collection
• Patient experience analytics
• Patient feedback publishing
• Consultant performance management
• Patient information access
• Remote access

Benefits

• Publish patient feedback
• Trust and transparency in healthcare
• Information is a determinant of healthcare outcomes
• Enhance patient experience
• Strengthen online reputation
• Improve staff morale
• Improved patient feedback collection rates
• Consultant, department, hospital, regional, national benchmarking
• Access your patients' feedback already on Doctify
• Improve online healthcare information

£499 a licence

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david@doctify.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

378197011242771

Contact

David Johnson
+44 7903 206551
david@doctify.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: We do perform planned platform upgrades and maintenance. All vendors are informed well in advance and implemented with their sign off. ; ; We have a target platform up time of 99%.; ; Planned service constraints take place overnight.
• System requirements: Web based platform accessed on current hardware

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Users during weekdays get responses within 3 minutes of contacting the support via chat.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 AAA
• Web chat accessibility testing: However we are used by patients in a daily basis and have daily user interface monitoring in place with feedback loops including monitoring user behavior, drop off and user interviews to ensure the best experience that is accessible to all patients. ; ; We monitor accessibility scores on a weekly basis and all designs are tested and deployed only once they pass an accessibility score. ; We also have voice assisted technology as part of our patient feedback journey.
• Onsite support: Onsite support
• Support levels: We have an online technical team available via phone and video and a customer support team that provide both face to face and online support.; ; All support is included in our fees.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: All Doctify users have a dedicated account manager to provide training either onsite or online, depending on your preference. Doctify users have unlimited access to their account manager. User documentation is also provided.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: All data collected from Doctify can be downloaded by CSV file at any time.
• End-of-contract process: All feedback data is shared with the client. Otherwise no actions are required to end the contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: No differences
• Service interface: Yes
• User support accessibility: WCAG 2.1 AAA
• Description of service interface: There is a live dashboard for monitoring patient feedback in real time.; ; All feedback is categorised by location, treatment and consultant.
• Accessibility standards: WCAG 2.1 AAA
• Accessibility testing: TBC
• API: Yes
• What users can and can't do using the API: The core service does not require API usage; There is an optional API service.; Users need to be authenticated to do changes to their account.; Those that wish to use it have no Limitations on user available actions.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Users can customise their profile by default they can also appoint other individuals to do so for them if required.

Scaling

• Independence of resources: We are using a global server service provider that can scale as required.

Analytics

• Service usage metrics: Yes
• Metrics types: Yes, our service provides comprehensive usage metrics to help customers monitor and optimise their use of our platform.These are accessible through our user-friendly dashboard to ensure customers have the latest information
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: None

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can request and recieve all their data by emailing dpo@doctify.co.uk
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Doctify users can guarantee availability 97% of the time. Our current up time is over 99%; ; We have a live chat function and phone helpline which is staffed during UK business hours 8am - 6pm.; ; Should Doctify fall below this amount the client may withhold a Service Credit representing 10% of the monthly service charge if any of the above Service Levels are not met within any given calendar month. Should there be 2 failures within 3 months additional service credits will be paid, representing the difference between any monthly service credits already paid during those months and such amount as represents 20% of the monthly service charges due for that 3 month period.
• Approach to resilience: This information is available upon request.
• Outage reporting: Our customer service team provides email alerts for planned and unplanned outages to clients.; ; A public dashboard will alert users to known outages.

Identity and authentication

• User authentication needed: Yes
• User authentication: Username or password
• Access restrictions in management interfaces and support channels: Our approach to restricting access in management interfaces and support channels is centered around robust authentication and granular access controls, ensuring that only authorized personnel can access sensitive functions. We utilize a separate internal authentication system integrated with Google Identity Provider, which serves as a secure method for verifying the identities of our team members. Access to management consoles is not granted automatically; instead, it must be provisionally approved, ensuring a deliberate and controlled access assignment process.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 6 months and 12 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: No
• Security governance approach: Designate a Information Security Officer - ISO; Create a comprehensive list of security policies that align with business requirements and are approved by executive level individuals.; Adopt recognized security Standards such as CIS-CAT and NIST to structure the governance of the security program; Conduct Risk Assessments; We regularly conduct risk assessments and develop mitigation strategies.; Conduct Yearly Penetration Tests and Implement Continuous Security Testing of our code ; Provide Security Awareness Training and Clearly outline security responsibilities across the organization.; Conduct Audits and Reviews; Use KPIs and KRIs to track effectiveness of the security governance program.
• Information security policies and processes: Our information security policies and processes are aligned with ISO standards, ensuring a comprehensive and systematic approach to managing sensitive company and customer information. We maintain a clear reporting structure with a dedicated Information Security Officer (ISO) overseeing policy compliance and enforcement. To ensure adherence to our policies, we conduct regular training sessions for all employees, perform continuous monitoring, and carry out periodic audits. Non-compliance is addressed through a structured remediation process, including retraining and, if necessary, disciplinary action. This framework guarantees that our information security practices are consistently applied and continuously improved.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our configuration and change management approach is centered around a Continuous Integration/Continuous Deployment (CI/CD) pipeline, augmented with rigorous security testing to ensure the integrity and security of our services throughout their lifecycle. Each component of our service is tracked from development to deployment, with version control systems documenting every change.; ; Changes undergo a review process, including an assessment of potential security impacts. This is facilitated by automated security scans and manual reviews as part of our CI/CD pipeline. Additionally, we implement an internal process where all changes are logged and managed through a ticketing system, ensuring traceability and accountability.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: We continuously assess potential threats through automated scanning tools and intelligence from leading industry sources, including CVE databases and security advisories. ; Upon identifying vulnerabilities, our dedicated team evaluates the severity and potential impact on our services, prioritising patches based on risk. Critical patches are deployed within 24 hours, while less severe updates follow a scheduled maintenance window. We source our threat intelligence from reputable security research organisations (Rapid7, NCC Group Threat Intelligence) and participate in relevant security communities (OWASP London) to stay informed about emerging threats, ensuring our services remain secure against the latest vulnerabilities.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our protective monitoring strategy employs advanced detection tools and processes to swiftly identify potential security compromises. Utilizing intrusion detection systems (IDS) and continuous monitoring, we can detect anomalies and signs of unauthorised activity. Upon detection, our incident response team is immediately notified and remediate the threat. We prioritise rapid response, aiming to address critical incidents within hours of detection. This approach ensures the security and integrity of our services, minimising the impact of any potential compromise on our operations and our clients. Continuous improvement and adaptation of our monitoring processes keep us resilient against evolving threats.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Our incident management process includes pre-defined protocols for common security events, ensuring swift and effective response to incidents. Users can report incidents through a dedicated support channel, accessible via email, web portal, ensuring ease of reporting and prompt action. Upon receiving an incident report, our specialised incident response team follows a structured approach to address and mitigate the issue, guided by our comprehensive incident management policies. We provide detailed incident reports to stakeholders, summarising the nature of the incident, the response actions taken, and recommendations for preventing future occurrences.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Doctify is an entirely paperless company and provides cycle to work schemes for emplyees.

  Equal opportunity

  Doctify is an equal opportunity employer and we consider applications from all backgrounds.

  Wellbeing

  Doctify provides employees with all legally mandated benefits as well as:; ; Continuous learning sessions, training programmes and self-development (‘Doctify's Healthcare Heroes', ‘Learn from Leaders', soft-skills, career expertise, etc.); ; Transparent internal mobility opportunities and career paths for professional hyper-growth; ; 28 days annual leave: 25 days leave + 3 days off between Christmas and New Year (plus bank holidays) + 1 day annual leave for each year of service after 1 year (up to 30 days); ; 4 weeks remote-working to be used throughout the year (within 3 hours of your local HQ); ; Hybrid-working, flexible-working hours; ; Enhanced Parental leave

Pricing

• Price: £499 a licence
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at david@doctify.com. Tell them what format you need. It will help if you say what assistive technology you use.