SH:24 C.I.C.

SH:24 online sexual health and STI testing service

SH:24 is the only fully-integrated online sexual health service that works in partnership with local clinics to provide access to self-sample STI/STD screening via an online platform available 24/7. Supported by remote clinical support, accredited clinical laboratory, clinical record system, pharmacy, comprehensive performance analytics and online tools to support self-management.


  • Seamless user pathway between online and clinic services
  • Track-record on-boarding clinics to an integrated online sexual health service-model
  • Remote clinical support via email, telephone, SMS and webchat
  • Clinically led, user-informed designed risk/safeguarding assessment
  • High visibility using web-analytics, SEO, social media and online signposting
  • CQC registered service compliant with BASHH/FSRH Standards
  • Secure clinic admin portal to manage users and view data
  • Ability to provide online CT treatment with partner notification
  • Consultant-led specialist SRH clinical team including nurses and health advisors
  • Integration with ISO15189 accredited and CQC-registered laboratory for clinical specimens


  • Evidence of high satisfaction levels with positive service user feedback
  • User co-designed test kits with track-record of high return rate
  • Ongoing academic service evaluations informing service innovation
  • Bespoke workflow and user-pathway co-designed with customers
  • Detailed visual analysis of performance metrics on a monthly basis
  • Dedicated data-analyst to provide intelligence and inform service provision
  • Track-record shifting asymptomatic users online and releasing clinic resource
  • Online algorithm designed to target and support high-risk vulnerable users
  • Added value online tools to support user self-management
  • User safety assured through comprehensive safeguarding and remote support


£21.11 to £79.32 per person

Service documents


G-Cloud 11

Service ID

4 8 6 1 8 8 1 7 2 3 6 3 6 0 5


SH:24 C.I.C.

Blake George

020 7620 2250

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Integration with booking systems, clinical record systems, partner notification tools, pharmacy and laboratory information management systems.
Cloud deployment model Hybrid cloud
Service constraints No service constraints
System requirements Compliance with ICO/DoH/NHS Digital data protection security standards

User support

User support
Email or online ticketing support Email or online ticketing
Support response times SH:24 strives to resolve support requests within 1 hour from 9am to 5pm, Monday to Friday, and within 3 hours on weekends.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 A
Web chat accessibility testing SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
Onsite support Onsite support
Support levels Clinic/buyer support is available 9am to 5pm - 7 days per week, service-user support is available 9am to 5pm - 7 days per week, DevOPs support for any IT technical issues is available 24/7. All support provided at no additional cost.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Online and onsite training is provided to plan the overall user journey, set-up users and train how to use the SH:24 Admin Clinical Record System. Alongside this, customised SH:24 handbooks are provided for reference.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Disaggregated and anonymised raw backing data is shared securely though password protected .csv file via email. This can be provided on request following completion of the contract to account for delayed kit returns.
End-of-contract process Service user eligibility agreed during the contract is removed, access to the SH:24 back-end is revoked. The buyer is required to pay for an agreed estimate of delayed kit returns.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface Yes
Description of service interface The interface is available 24/7 and assesses users eligibility, any risk, safeguarding needs and informs us of their circumstances that subsequently identifies which suite of tests should be requested of the pathology and which self-sampling consumables should be sent out. The admin or back-end system then flags any safeguarding needs for our clinicians to respond to and creates the kit order that a team of kit distributors fulfill. They then trigger a dispatched SMS to the user to keep them up to date on the progress of their order.
Accessibility standards WCAG 2.1 A
Accessibility testing SH:24 tests its features on all devices prior to launch and we review our platform analytics to ensure our testing reflects users of the platform.
What users can and can't do using the API A library of APIs exist to perform integration between Laboratory LIMS, Pharmacy, clinical record and booking systems.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation During mobilisation we work with the buyer to co-design the user pathway including triage criteria, notification logic, ability for users to select/deselect tests and results management in order to target high-risk users and reduce inappropriate use. Buyers can elect to cap the number of orders each day based on their affordability limit.


Independence of resources SH:24's services are designed to scale with IT hardware, resource usage and system integrity monitored 24/7. SH:24 is supported by flexible pools of organisational groupings covering operations, clinical, commercial and service development in order to support the service as it scales and provide contingency during periods of peak demand. We analyse our capacity regularly to ensure our resource planning is robust.


Service usage metrics Yes
Metrics types Including, but not limited to: orders, returns, turn-around times, insufficient/haemolysed samples, number of reactive results, CT treatments, safeguarding cases, user feedback including complaints, heat-map with uptake via LSOA, demographic breakdown of orders (gender, ethnicity, MSM, age etc). Data is quality assured and buyers are assisted with ongoing and one-off data requests to answer specific questions from our data set.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Disaggregated and anonymised raw backing data is shared securely through password protected CSV file via email each month or as required. SH:24 provides a comprehensive, visual performance report and a safeguarding report each month alongside the backing data. Reports are generated by a fully automated system within the HSCN network and data is quality-assured prior to submission. We highlight trends, concerns or improvements with a detailed qualitative analysis.
Data export formats CSV
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability SH:24 is hosted on AWS utilising a cluster service model with an availability of 99.99%.
Approach to resilience This information can be made available on request
Outage reporting Email alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Prior to access being granted to Admin CRS, training is provided. We use an internal procedure to vet applications. Once training and approval are complete, users sign a Confidentiality Code of Conduct. Once access is granted each session requires login using 2-factor authentication and a memorable word. Permissions are limited by level and role. The application logs actions performed by users, providing an audit trail. This feature allows review of vies, edits and actions performed.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Data Security and Protection Toolkit
  • Cyber Essentials
  • External audit of data and security measures/protocols

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Data Security and Protection Toolkit, Cyber Essentials, External audit of data and security measures/protocols
Information security policies and processes SH:24’s approach to data protection and security is shaped by existing and relevant legislation. When designing our service, SH:24 consulted users, clinicians, data protection experts, Trusts and Public Health experts which has also influenced our approach to data protection and security. We are registered with the Information Commissioner's Office and our service has been peer reviewed and approved by SH:24’s partner NHS Trust Information Governance (IG) Boards and Caldicott Guardians. In our last Data Security and Protection Toolkit submission we provided 100% of the mandatory evidence items and confirmed 100% of all assertions.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes to the application (front-end and the Admin Portal) are reviewed and approved by our Service Development Director and our DPO in accordance with SH:24’s Change Control Procedure. Prior to any deployment of any major updates or changes to the service renewed penetration testing is undertaken to assess the integrity of the SH:24 application. The management of access rights is subject to regular compliance checks.
Vulnerability management type Undisclosed
Vulnerability management approach Regular audits of our system security including penetration testing are conducted by an accredited third-party. Weekly code reviews take place together with Quality Assurance inspections and user acceptability testing (UAT), carried out by a combination of internal and external reviewers, before any new or revised features are deployed. No code is deployed without a regression test. Urgent security patches are automated and deployed daily. Non-urgent updates are deployed monthly.
Protective monitoring type Undisclosed
Protective monitoring approach The operating system and user access is monitored on a daily basis as part of SH:24's daily metrics overseen by our DevOps team. Any unusual activity or failure to meet metrics triggers an alarm and subsequent investigation compliant with ICO guidance. We promptly assess the risk to people's rights and freedoms and if appropriate report the breach to the ICO within 72 hours as per GDPR.
Incident management type Undisclosed
Incident management approach Our Data Breach Policy is updated yearly and sets out how we identify, investigate, manage and report information incidents. SH:24 follows NHS Digital and ICO guidelines to assess whether an incident is reportable on the Data Security and Protection Reporting Tool. If notifiable, the breach reported separately to the ICO. All incidents and near misses are entered onto our incident management system and our information security and data protection officer ensures key members of staff and any individuals/organisations affected are notified.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks Health and Social Care Network (HSCN)


Price £21.11 to £79.32 per person
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑