Security & Compliance

MyCareAudit is built with enterprise-grade security measures, full GDPR compliance, and alignment with the NHS Data Security and Protection Toolkit (DSPT).

  • UK GDPR Aligned
  • NHS DSPT Aligned
  • DSCR Ready
  • Infrastructure Hardened to CIS Benchmarks
  • 24/7 Security Monitoring
  • AES-256 Encryption & TLS 1.3
  • Zero-Retention AI Inference

Security Measures

NHS DSPT 3.2

Encryption at Rest & In Transit

All data is encrypted using AES-256 at rest via dedicated encryption keys per workspace. Encryption is managed within our UK-hosted infrastructure. Data in transit is protected by TLS 1.3 with HSTS enforced.

NHS DSPT 4.2 (New)

Strong Authentication & Password Policy

Enforced across every entry point — signup, login, and password reset all require 10+ characters with mixed case, numbers, and symbols. Account lockout after 5 failed attempts. 8-hour session timeout.

NHS DSPT 4.4 (New)

Mandatory Multi-Factor Authentication

TOTP-based two-factor authentication is mandatory for all Owner and Admin accounts. Privileged users are guided through setup on first login and cannot disable MFA once enabled. 2FA is also deployed across the infrastructure hosting layer.

DSCR 6.3 (New)

Care Record Audit Logging

Every create, update, and delete action on care records — including daily notes, care plans, risk assessments, and incidents — is logged with user ID, timestamp, and record reference to ensure accountability.

CIS Benchmarks (New)

24/7 Security Monitoring

Data access is continuously monitored for anomalous activity. We utilise automated threat detection to identify sensitive content and potential security events. Incidents are triaged based on severity, with customer-impacting events receiving highest priority.

DSCR 6.4 (New)

Tamper-Proof Audit Logs

Audit log records are preserved even if user accounts are deleted. User references are set to null rather than cascading deletions, ensuring a complete, unbroken audit trail for regulatory inspections.

DSCR / GDPR (New)

DSCR-Compliant Data Export

Full-content data export covering care plans, daily notes, risk assessments, and incidents is provided in machine-readable JSON format to support data portability and Subject Access Requests (SAR).

NHS DSPT 3.4

Data Isolation & Access Control

Strict logical data isolation per customer is enforced. Access is governed by Role-Based Access Control (RBAC) with granular permissions, following the principles of least-privilege and “need-to-know.”

NHS DSPT 6.1

Incident Response & Breach Notification

MyCareAudit maintains a formal incident management process. We commit to notifying affected customers without undue delay and within 48 hours of confirming a personal data breach.

AI Data Privacy

How we protect your data during AI-assisted processing

1. Data Minimisation Before Inference

We apply technical filters to redact and reduce service user identifiers — such as names and personal details — before any data is sent to international AI gateways for processing.

2. Zero Data Retention

Data sent for AI processing is used solely for real-time inference and is not retained by the AI provider after the response is generated, in accordance with provider policies and our Data Processing Agreement.

3. No Model Training

Your care data is never used to train, fine-tune, or improve AI models. This is guaranteed under our provider’s Privacy Policy and enforced through contractual restrictions in the DPA.

AI inference is provided by Azure OpenAI (UK South), which processes requests within the United Kingdom under zero-retention agreements. No care data is used for model training or improvement.

UK Data Residency & Sub-processors

🇬🇧 All Data Stays in the UK

MyCareAudit operates entirely from UK-based infrastructure. All personal data, care records, and AI processing remain within the United Kingdom at all times.

Application Server

IONOS VPS — London, United Kingdom

ISO 27001 certified data centres

AI Processing

Azure OpenAI — UK South (London)

Zero data retention, no model training

File Storage

AWS S3 — eu-west-2 (London)

AES-256 encryption at rest

Sub-processors

  • IONOS SE — Application hosting, compute (London, UK). ISO 27001 certified.
  • Microsoft Azure — AI inference via Azure OpenAI (UK South). SOC 2 Type II, ISO 27001 certified.
  • Amazon Web Services (AWS) — File storage via S3 (eu-west-2, London). SOC 2 Type II, ISO 27001 certified.
  • Stripe — Payment processing. PCI DSS Level 1 certified.

No international transfers are required for core data processing. Full sub-processor list available on request.

NHS Data Security & Protection Toolkit

MyCareAudit’s security controls are designed to align with the 10 data security standards defined by the NHS DSPT. We are actively pursuing formal “Standards Met” registration and will update this page once assessment is complete.

NHS DSPT Standards Alignment

| Standard | Area | How We Align | Status |
|---|---|---|---|
| 1 | Personal Confidential Data | Encrypted with dedicated keys within UK-hosted infrastructure. Processing is governed by documented instructions and lawful bases under Art. 6 and Art. 9. | Aligned |
| 2 | Staff Responsibilities | RBAC enforced. Hosting staff undergo security training and background checks. | Aligned |
| 3 | Training | Infrastructure provider conducts regular security awareness programmes. | Aligned |
| 4 | Managing Data Access | Mandatory MFA for privileged roles and least-privilege access across the stack. | Aligned |
| 5 | Process Reviews | Internal audits to ensure ongoing compliance with data protection policies. | Aligned |
| 6 | Responding to Incidents | Formal management with 48-hour customer notification commitment. | Aligned |
| 7 | Continuity Planning | Encrypted daily backups and disaster recovery testing. | Aligned |
| 8 | Unsupported Systems | CI/CD pipelines with automated security patching and vulnerability scanning. | Aligned |
| 9 | IT Protection | Hardening to CIS Benchmarks; network security via firewalls, NACLs, and VPNs. | Aligned |
| 10 | Accountable Suppliers | Formal DPAs in place with sub-processors (IONOS, Azure, AWS S3). All data remains within the United Kingdom — no international transfers required for core services. | Aligned |

GDPR Compliance

We operate a UK GDPR-aligned privacy and security programme, designed to support compliance with the UK General Data Protection Regulation and the Data Protection Act 2018.

| Article | Requirement | How We Comply |
|---|---|---|
| Art. 5 | Principles | Lawfulness, fairness, transparency, purpose limitation, data minimisation (only necessary data collected), accuracy, storage limitation, integrity & confidentiality. |
| Art. 6 | Lawful Basis | Legitimate interests for service delivery, consent for marketing, contractual necessity for subscriptions. |
| Art. 9 | Special Categories | Special category data processed under Art. 9(2)(h) — management of health or social care systems and services — and Art. 9(2)(c) — vital interests — where applicable. Supported by Schedule 1, Part 1, Condition 2 of the Data Protection Act 2018. |
| Art. 25 | Data Protection by Design | Privacy built into architecture: dedicated encryption keys per workspace, UK-hosted infrastructure, access controls, data minimisation at the AI inference layer, and comprehensive audit logging. |
| Art. 28 | Processor Obligations | Formal Data Processing Agreements (DPAs) with all sub-processors. Processing only on documented instructions. Confidentiality obligations for all personnel. |
| Art. 32 | Security of Processing | AES-256 encryption, logical data isolation, 24/7 monitoring, vulnerability testing, incident response plan. |
| Art. 33 | Breach Notification | Processor notifies without undue delay per DPA terms. MyCareAudit commits to notifying customers within 48 hours of confirming a breach. 24/7 monitoring enables rapid detection. |
| Art. 44–49 | International Transfers | All core data processing occurs within the United Kingdom. AI inference uses Azure OpenAI (UK South) with zero data retention. File storage uses AWS S3 (eu-west-2, London). No international transfers required for core services. |

Data Processing Principles

  • Data collected only for specified, explicit purposes
  • Minimum data collected for each function
  • Data kept accurate and up to date
  • Retained only as long as necessary
  • Processed with appropriate security measures
  • Transparent processing with clear privacy notices

Your Data Rights

  • Access: Export all your data in JSON or CSV format at any time
  • Rectification: Update your personal information via Settings
  • Erasure: Request account and data deletion
  • Portability: Download data in machine-readable format
  • Restriction: Request restriction of processing
  • Objection: Object to processing for direct marketing

Infrastructure & Hosting

Full transparency about where your data is stored and the security standards that protect it. All infrastructure is UK-based.

IONOS VPS (London)

  • Region: United Kingdom (London)
  • Provider: IONOS SE
  • Certifications: ISO 27001, ISO 50001
  • Physical Security: Biometrics, CCTV, 24/7 patrols
  • Encryption: AES-256 at rest, TLS 1.3

Azure OpenAI (UK South)

  • Region: UK South (London)
  • Provider: Microsoft Azure
  • Certifications: SOC 2 Type II, ISO 27001
  • Data Retention: Zero — no data stored
  • Model Training: Prohibited by contract

AWS S3 (eu-west-2)

  • Region: eu-west-2 (London)
  • Provider: Amazon Web Services
  • Certifications: SOC 2 Type II, ISO 27001
  • Encryption: AES-256 (SSE-S3)
  • Access Control: Bucket policies + IAM

🇬🇧 UK Data Residency: All MyCareAudit infrastructure operates within the United Kingdom. Application hosting is on IONOS VPS in London, AI processing uses Azure OpenAI in UK South, and file storage uses AWS S3 in eu-west-2 (London). No personal data leaves the UK for core services. Your data is encrypted at rest with dedicated keys, logically isolated per workspace, and never shared with or sold to third parties.

Providers using MyCareAudit

  • Palm 2 Palm Care: Domiciliary Care & Supported Living, London & Southend (CQC Good)
  • Jothno Care and Support: Domiciliary Care & Supported Living, London (CQC Good)
  • Nari Care Services Ltd: Domiciliary Care, London
  • Palmerston Care Home: Residential Care, Southend

Questions About Security?

Our Data Protection Officer is available to answer any security or compliance questions.