In Your Element Ltd (Trading as Elemental Software)

Social Prescribing Software

Elemental helps organisations to enhance the impact of their social prescribing programmes via their award-winning digital social prescribing products and services. Elemental offers a range of social prescribing solutions designed to support the strategy and practice of self-care and independence in health, housing and the community.


  • Social Prescription Generator
  • Clinical Record Integration
  • API - Social Prescription Connector
  • Directory of Services
  • Health Risk Analysis
  • Analytics Module (Reports, Dashboards & Data Export)
  • EMIS Integration
  • Monitoring Tool
  • Attendance Tracker
  • Self Referral Module


  • Referring patients to a range of quality assured community interventions
  • Frees GP time by sending referral straight to relevant hub
  • Connect patient health risks to specific interventions in their community
  • Helping patients better understand health risks using validated monitoring tools
  • Provide accurate epidemiological information to facilitate greater reporting
  • Track patient’s health and wellbeing improvement journey in real time
  • Generate bookings with providers using a patient's personal calendar
  • Provide analytics to justify commissioning
  • Crossreference health journeys against specific and cohort health risks
  • Facilitate, track and measure attendance rates


£20000 per licence per year

Service documents

G-Cloud 11


In Your Element Ltd (Trading as Elemental Software)

Liam Monk

02871 271800

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to - Insignia Health (Patient Activation Measure (PAM) Within Flourish System)
- EMIS (Social Prescription Connector within EMIS Web)
- Triangle (Well-being Star)
Cloud deployment model Public cloud
Service constraints No, the system is compatible with all modern browsers (that is supported by the vendor), although Chrome is recommended. There are no additional plug-in requirements.
System requirements Requires a modern browser (that is supported by your vendor)

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 2 hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web chat and chat bot both available on the website and Zendesk support built into the Elemental platform
Web chat accessibility testing Initial pilots have been carried out in small focus groups to date. In addition to this, we have recently (in the past month) signed a contract with a large disability charity in Northern Ireland and part of our plans of working together with this charity is to carry out these such tests more frequently and in more detail.
Onsite support Yes, at extra cost
Support levels We provide the following support levels;

- As standard a customer support help desk via telephone, email and through our online ticketing platform from 9am-5.30pm Monday to Friday. If any issue needs escalating then second line support will be provided via our in-house development team and the licensee client will have access to one of our cloud support engineers. This standard support is included in the cost of the annual software license fee.

- On-site training for Licensees. A set number of training days is allocated to each licensee depending upon the package option they opt for. Once these days have been used up additional training days can be purchased and are costed at £500 per day.

- Dedicated Project Manager for each licensee client throughout the on-boarding process. Once on-boarding is complete then a dedicated customer support team works with the licensee client post go live. This is included as standard in the cost of the annual software license fee.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started To help users get started with our products we provide a blended learning environment through a combination of;

- Face to Face training workshops
- Online training webinars
- E-learning training
- Online support via our integrated customer support platform Zendesk
- Email support
- Telephone support

In addition to this we also carry out a range of community development tasks that helps engage the community in which the social prescribing platform will be used. This includes;

- Mapping of community assets
- Stakeholder community engagement workshops

This allows us to define a shared vision with partners and stakeholders in order to truly co-design a training programme based on the vision for social prescribing for that area and the strategic objectives around well-being and other indicators.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction At the end of a contract period the user will email us and their data will be compiled and sent to them in an encrypted CSV file.
End-of-contract process At the end of the contract process, all data will be provided to the client in the form of an encrypted CSV file. This is included in the cost of the annual software license fee.

Any requests to transfer the data in a different format will be considered but there may be an additional cost associated with this.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Yes, the platform layout is responsive and will adapt to display on a range of mobile and desktop screens.
Accessibility standards None or don’t know
Description of accessibility Elemental's service interface is available in the following ways to all users (as mentioned in above question), using an individual username and password for users. Different access points include;
-Via a web-browser
-Via a dedicated self-refer kiosk
-Via a customer Website powered by Elemental on the back-end
-Via EMIS Partner API within EMISWeb
-Via Elemental's own API to a variety of partner platforms (i.e. directory of services)

Users are supported digitally with Elemental right across the social prescribing journey from making a referral to co-creating a social prescription package and supporting a patient along their journey to better health outcomes.
Accessibility testing Initial pilots have been carried out in small focus groups to date. In addition to this, we have recently (in the past month) signed a contract with a large disability charity in Northern Ireland and part of our plans of working together with this charity is to carry out these such tests more frequently and in more detail.
What users can and can't do using the API We currently have an API service.

It provides User management (Create, Read, Update, Delete) and search features for registered and authorised users of our system via a REST interface.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation What can be customised?
The set up of the platform can be customised depending on:
- Who is making referrals. Referrals can be set to be received via the standalone platform or via several clinical systems/in house systems i.e. EMIS Web
- What they want to use the platform to capture. For example, the monitoring tools that the licensee wishes to use can be customised (Elemental has several commercial partnerships set up with companies like Insignia (PAM scores) Triangle (Outcomes star)).
- User functionality can be customised to ensure that the project pathways are managed and followed
- Reporting and KPIs can be customised per customer

How can users customise?
- Customisation is done within the hub management area of the platform for that particular licensee

Who can customise?
- Only those nominated as super users for that particular licensee hub can customise for the licensee


Independence of resources Our system is built in the Amazon Cloud and is deployed across multiple availability zones. This is to ensure it is both resilient to hardware failure and scalable should demand require. Based on the System Metrics, we can quickly provision additional virtual servers to cope with demand when it arises.


Service usage metrics Yes
Metrics types Per Licensee:
-Reports: Patient Progress (Health Journey), Patient Attendance + Health Journey, Intervention Activity (upcoming meetings), Activity Report (Referrals - Sources and Destinations, Case Status updates, Social Prescriptions to Interventions), Programme Report (Targets / Actuals, Interventions), User Health Journeys

-User Count (for each role)

Other metrics are via request (available on SysAdmin dashboard)

-System Metrics: (the time for the server to respond to the request) - Total Requests, Average Transaction Time, Per Component (Page), Average Transaction Time, Max Transaction Time
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach - Amazon WebServices RDS settings include an ‘encrypted at rest’ option
- All automated backups are also encrypted
- All sensitive data (within the data) is encrypted at field level.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Users can contact Elemental for a complete copy of their data. There is a self-service feature in development to handle this.
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks In addition, all sensitive data transmitted within the Server’s VPC (Virtual Private Cloud) network is also encrypted. This is achieved by utilising field level encryption in any sensitive fields within the database.
Data protection within supplier network Other
Other protection within supplier network All platform data is secured on AWS. Access to server instances is via secure ssh sessions. All confidential data is encrypted.

Availability and resilience

Availability and resilience
Guaranteed availability Our system is resilient to hardware or zone failure. Uptime over the last few years is close to 100%. Either party may terminate the Service Level Agreement - if it gives the other no less than 3 months’ notice in writing, such notice to expire no sooner than the end of the Initial Period or any subsequent Renewal Period.

A party may end this call-off contract if the other party is affected by a Force Majeure event that lasts for more than 30 consecutive days.
Approach to resilience The system is deployed across multiple Availability Zones within the AWS infrastructure. Should any part fail, or a zone fail entirely, this is detected and the other nodes handle the load until the issue is resolved.
Outage reporting Performance is automatically monitored and issues are sent to the engineering team via email and slack.

Service outages (scheduled/unscheduled) are made public via our Zendesk powered forum.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
  • Other
Other user authentication Users currently log in using a username and password. The password is ‘hashed’ and can only be reset (not requested).
Access restrictions in management interfaces and support channels All management and support channels are secured using Username and password.

Management channels are limited to specific user roles.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
  • Other
Description of management access authentication Access to servers is restricted using Public Key Authentication (a PEM certificate file securely stored)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Data Security & Protection compliant
  • Cyber Essentials
  • Working towards ISO27001

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Data Security & Protection (DSP) compliant and Cyber Essentials compliant (certified through IASME consortium). Working towards ISO27001.
Information security policies and processes Alongside our 'Privacy by Design' approach to protecting data, we ensure the maximum security of data that is processed, including as a priority, when shared, disclosed and transferred. Our Information Security Policy & Procedures provide the detailed measures and controls that we take to protect personal information and to ensure its security from consent to disposal.
We carry out information audits to ensure that all personal data held and processed by us is accounted for and recorded, alongside risk assessments as to the scope and impact a data breach could have on data subject(s). We have implemented adequate and appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Whilst every effort and measure is taken to reduce the risk of data breaches, the Company has dedicated controls and procedures in place for such situations, along with the notifications to be made to the Supervisory Authority and data subjects.
Through our strong commitment and robust controls, we ensure that all staff understand, have access to and can easily interpret the data protection laws requirements and its Principles and that they have ongoing training, support, and assessments to ensure and demonstrate their knowledge, competence, and adequacy.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We have no physical assets upon which live data and processes run. Our service runs on secure AWS instances. The only people with accesses to this are senior engineers who have RSA keys stored securely on their PCs, which are encrypted and password protected.
Vulnerability management type Supplier-defined controls
Vulnerability management approach All processes and data are securely stored on AWS instances, and all confidential data is encrypted.

User access is over HTTP and is Username/Password protected. Multiple failed login attempts will lock users out of the system temporally to disrupt brute force attacks.

Multi-Factor Authentication work is in progress

Server logs are monitored and alarms set to flag suspicious activity.
Protective monitoring type Supplier-defined controls
Protective monitoring approach System logs, system load and response times are monitored for suspicious activity. Users can also contact us if they suspect something. If a compromise is suspected all senior staff are notified immediately. Senior engineers analyse the system.
Depending on the nature of the threat, we can blacklist the connection performing the attack temporarily close all incoming connections to protect the data.
All relevant parties are notified and report given as to what happened, and if any data was compromised. If such an incident were to occur senior engineers would respond ASAP, normally detected within seconds and responded to within minutes.
Incident management type Supplier-defined controls
Incident management approach We have a designated Data Protection Officer (DPO). Users can report directly to the DPO if they suspect anything via email, phone or support website.

Incident reports are supplied over secure connection to any parties affected by an incident.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks NHS Network (N3)


Price £20000 per licence per year
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑