Innerstrength LTD.


Tickerfit is a web-based platform for health professionals and mobile application for patients with Heart Failure and/or undergoing cardiac rehab. TickerFit manages and delivers a curriculum of daily activity and education. Results are tracked in real-time using web based technologies enabling actionable insights and driving improved patient outcomes.


  • Healthcare practitioner dashboard allows for real-time monitoring and communication
  • Secure and confidential
  • Application can integrate with Fitbit and Apple Watch
  • Application can be adapted based on specific clinical requirements
  • Application can be adapted based on specific patient requirements
  • Patient can add in their own exercise records
  • On-site training can be provided to clinical teams
  • Passive activity recording via HealthKit/Google Fit
  • Tailored content delivery to patient - Audio/Video/PDF
  • Ability to capture Patient Reported Outcome Measures


  • Monitoring and communication allows for care programme to be adapted
  • Reduce unnecessary visits
  • Support self care and management
  • Targeted conversations for better patient outcomes
  • Improve efficiency in patient interactions
  • Provide reach and scale to healthcare professional's expertise and oversight
  • Empower patients to be in control of their own recovery


£20 to £150 per licence

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11


Innerstrength LTD.

Avril Copeland


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Access to the mobile application can only be offered to a patient by invitation from a healthcare professional.
System requirements
  • Internet access with Chrome/Firefox/MS Edge/Safari
  • IOS / Android for mobile application

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Critical issues < 2 hours
Others < 5 hours
Support is available 9 to 5 Monday to Friday. Critical issue support is available 24/7/365
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Healthcare professional email support is available Monday to Friday 9 to 5.
Critical Issues - Response and resolution < 3 hours
Other Issues - Response < 5 hours, resolution < 5 working days.

User manuals and FAQs are available to cover common support questions.

HCP training is available (see pricing document)
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Healthcare Practitioners - we provide training as well as train-the-trainer to enable all users to access the system

Patients - a get-started guide is provided
Service documentation Yes
Documentation formats
  • PDF
  • Other
Other documentation formats PowerPoint files
End-of-contract data extraction We are a data processor, contracted to a healthcare provider. The healthcare provider decides which data to collect and the legal basis for collecting it. Patients are invited to use the service by the healthcare provider.

Data retention periods and end of service data management/transfer are covered in each contract. Options for data extraction include:
1. Continue to provide the Hosted service for use by the clinic only in a read-only format. Subject to a new agreement/contract covering this service with commercials and costs agreed at that time.
2. Continue to store data for archiving purposes instead of transferring it back to the customer. Subject to a new agreement/contract covering this service with commercials and costs agreed at that time.
3. Provide professional services to assist the customer in an orderly transition to any replacement system on an hourly charged basis at Innerstrength’s then current rates. Innerstrength will not be obliged to disclose any confidential information to the customer or replacement.
4. Return the customer data to the customer in an industry standard format requested by the customer; and/or destroy all copies of the customer data held by Innerstrength and provide the customer with written verification of such destruction.
End-of-contract process The contract end service is defined in each respective contract and can include:

- Data return and retention periods
- Statistical analyses
- Extended contract to only include data storage

In the majority of circumstances data is returned and deleted.

Data is not returned to the patient by Innerstrength Health.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • MacOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The web application is for Healthcare Practitioners

The smartphone application is for patients
Accessibility standards None or don’t know
Description of accessibility The mobile app has been designed for mobile devices with capabilities for user accessibility.

We work with app users during initial design phases of our application in order to constantly imporve usability.
Accessibility testing Currently we do not underake testing specific to users of assistive technology.
What users can and can't do using the API All of the functionality of our applications is exposed through our secure APIs. Additionally, we expose custom integration APIs to support specific customer requirements.
API documentation Yes
API documentation formats Open API (also known as Swagger)
API sandbox or test environment Yes
Customisation available Yes
Description of customisation During the implementation phase, the customer can decide on:


These can be changed during the lifetime of the contract, by contacting the support team


Independence of resources Our platform is hosted on AWS and is configured to provision additional resources as the demand on existing resources increases. This guarantees that load on any part of the infrastructure is maintained within its operating tolerances.


Service usage metrics Yes
Metrics types Usage metrics can be made available to customers upon request (this usually forms part of the contractual agreement)
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
Other data at rest protection approach All personally identifying and protected health information is encrypted at rest

Access is via individual logins

Access control is strictly monitored

User access is based on the least-privileges concept
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users cannot export their data. The service allows users to manually enter and review their data via web application or smartphone application.

Data export of users data can be requested by the nominated customer contact directly to support. We can then arrange for data to be exported and provided to the customer for delivery to the user.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Any manual transfer of sensitive information that may be required is achieved using password encrypted archives (zips etc..) using a secure transfer service provider (e.g.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Data is stored in AWS and is encrypted at rest

Availability and resilience

Availability and resilience
Guaranteed availability Subject to contract. Typically 99.5% is guaranteed under our SLA
Approach to resilience Our platform is hosted on AWS and is deployed in a minimum of 2 availability zones at any time. The service runs in a "n+1" redundant configuration such that if any component should fail, the service will remain operational and self "heal" by automatically replacing the impacted resource.
Outage reporting We publish our status using a 3rd party availability monitor with global access checking.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels All access employs a role based security model that assigns appropriate priveleges to a user according to their role. Only specifc users are granted access to administrative and/or support interfaces.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards GDPR also working towards ISO/IEC 27001:2013 (ISO 27001)
Information security policies and processes The Innerstrength Health Company Information Security Policy is followed by all staff members

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Innerstrength’s configuration management process for issue tracking, source code maintenance and documentation including changes relating to security patches and software components utilised in the product are detailed in our development process manual.

Our source code repository is linked directly to our issue management system. This guarantees each change to the codebase is recorded against a description containing the reasons for the change, code review process and any security considerations taken during implementation.

We have distinct development and production environments and Continuous integration procedures in place. Build tools are used to track build numbers and issue numbers within each build.
Vulnerability management type Supplier-defined controls
Vulnerability management approach In order to ensure vulnerabilities are tracked and monitored across all systems we maintain a vigilant approach that includes, external penetration and security testing, carrying out security reviews during our weekly planning sessions and our own internal security testing.

We also carry out code reviews so that code is critically viewed by other members of the team prior to commit.

We monitor security updates and advisories relating to our software components and deploy patches relating to these straight away.
Protective monitoring type Supplier-defined controls
Protective monitoring approach A full audit trail is kept of all application and user activity on Amazon AWS. All alarms and events are written to periodically rotated log files and persisted to secure S3 storage for retrospective analysis.

Automated alarms are used to notify us of any potential threats. Customers can also report any incidents directly to us.

Any notified threat is acted upon by the incident team and is remedied.
Incident management type Supplier-defined controls
Incident management approach An Incident Response Plan is detailed within the Innerstrength Health Information Security Policy. The Plan covers incidents of an electronic (e.g. an attacker accessing the network for unathorised/malicious purposes, or a virus outbreak) or physical (e.g. loss/theft of a laptop of mobile device). The Plan incorporates the following aspects:
- Incident Preparation (following guidelines and policies outlined in the Plan)
- Confidentiality of data
- Electronic Incident plan details
- Physical Incident plan details
- Notification of relevant parties, if applicable
- Managing risk

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £20 to £150 per licence
Discount for educational organisations Yes
Free trial available Yes
Description of free trial We can provide a time-limited free version of our service in certain circumstances, for example for educational institutions and charities, where no development work is required.

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑