Security & Compliance
MyCareAudit is built with enterprise-grade security measures, full GDPR compliance, and alignment with the NHS Data Security and Protection Toolkit (DSPT).
Security Measures
Encryption at Rest & In Transit
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. HSTS is enforced with a 2-year max-age and preload directive.
Strong Authentication
NHS DSPT-compliant password policy (10+ chars, mixed case, numbers, symbols). Account lockout after 5 failed attempts. 8-hour session timeout.
Comprehensive Audit Trails
Every login, data access, admin action, and security event is logged with IP address, timestamp, and user agent. Logs are retained for a minimum of 12 months.
Security Headers & XSS Protection
Content Security Policy, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, CORS, and frame protection headers on every response.
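As an added example (not MyCareAudit's own code), a small check that a response's headers match the HSTS and security-header policy described above: a 2-year max-age with preload, plus the headers listed on every response. The header names are the ones the page names; the sample values are constructed.

```javascript
// Added example, not MyCareAudit's code: check a response's security headers against
// the policy described above. Header names follow the page; sample values are constructed.
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds, the stated HSTS max-age

// Parse "max-age=63072000; includeSubDomains; preload" into its three directives.
function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const token = part.trim().toLowerCase();
    if (token.startsWith('max-age=')) {
      const n = Number.parseInt(token.slice(8).replace(/"/g, ''), 10);
      if (!Number.isNaN(n)) hsts.maxAge = n;
    } else if (token === 'includesubdomains') hsts.includeSubDomains = true;
    else if (token === 'preload') hsts.preload = true;
  }
  return hsts;
}

// Headers the page says are sent on every response (frame protection is handled separately).
const REQUIRED = ['content-security-policy', 'x-content-type-options', 'x-xss-protection',
  'referrer-policy', 'permissions-policy'];

// Returns a list of findings; an empty list means the header set matches the policy.
function checkSecurityHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = REQUIRED.filter((name) => !(name in h)).map((name) => `missing ${name}`);
  const hsts = parseHsts(h['strict-transport-security']);
  if (hsts.maxAge === null) findings.push('missing strict-transport-security');
  else {
    if (hsts.maxAge < TWO_YEARS) findings.push(`hsts max-age ${hsts.maxAge} < ${TWO_YEARS}`);
    if (!hsts.preload) findings.push('hsts missing preload');
    // The browser preload list only accepts entries that also cover subdomains.
    if (!hsts.includeSubDomains) findings.push('hsts missing includeSubDomains');
  }
  const csp = h['content-security-policy'] || '';
  if (!('x-frame-options' in h) && !/frame-ancestors/i.test(csp)) findings.push('no frame protection');
  if (/unsafe-inline|unsafe-eval/i.test(csp)) findings.push('csp permits unsafe-inline/unsafe-eval');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options is not nosniff');
  return findings;
}

// Constructed samples: one compliant response and one with a one-year HSTS and no CSP.
const GOOD = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff', 'X-XSS-Protection': '0',
  'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': 'camera=(), microphone=()',
};
const WEAK = { 'Strict-Transport-Security': 'max-age=31536000', 'X-Content-Type-Options': 'nosniff' };
console.log(checkSecurityHeaders(GOOD), checkSecurityHeaders(WEAK));
```

Running the check against a real response means reading the header map from your HTTP client; the GOOD set returns no findings, the WEAK set reports the short max-age, the missing preload and includeSubDomains directives, and every absent header.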
Rate Limiting & Brute Force Protection
IP-based rate limiting on all authentication endpoints. Progressive lockout on failed login attempts. Automated suspicious activity detection.
Data Isolation & Access Control
Multi-tenant architecture with strict data isolation. Role-based access control (RBAC) with 5 granular roles and 40+ permissions. Team members only see their organisation’s data.
GDPR Data Subject Rights
Self-service data export (JSON/CSV), right to erasure (account deletion requests), data portability, and Subject Access Request (SAR) processing.
Cookie Consent & PECR
Granular cookie consent banner with essential, analytics, and preference categories. Full compliance with UK PECR and EU ePrivacy regulations.
Secure API Architecture
All API endpoints require authentication. Input sanitisation prevents SQL injection and XSS. Parameterised queries via Prisma ORM eliminate injection vectors.
Incident Response & Monitoring
Real-time security event monitoring with severity classification. Critical events trigger immediate alerts. Comprehensive incident response procedures.
Infrastructure Security
Hosted on enterprise-grade cloud infrastructure with automated backups, disaster recovery, and 99.9% uptime SLA. Daily encrypted database backups with 30-day retention.
Data Retention & Disposal
Configurable data retention policies aligned with CQC record-keeping requirements. Secure data disposal with cryptographic erasure for deleted accounts.
NHS Data Security & Protection Toolkit
MyCareAudit's security controls are designed to align with the 10 data security standards defined by the NHS DSPT, helping care providers demonstrate compliance.
Personal Confidential Data
Data classified, access controlled, processing lawful under GDPR Art. 6 and Art. 9
Staff Responsibilities
Role-based access, team management, deactivation workflows, audit trails
Training
Built-in training compliance tracking with mandatory/recommended categorisation
Managing Data Access
RBAC with 5 roles, 40+ permissions, session management, account lockout
Process Reviews
Governance dashboards, KPI tracking, compliance timeline, audit scheduling
Responding to Incidents
Incident reporting, investigation workflows, CQC notification tracking
Continuity Planning
Daily backups, 30-day retention, disaster recovery, data export tools
Unsupported Systems
Modern tech stack, regular dependency updates, automated security patching
IT Protection
TLS 1.3, HSTS, CSP headers, XSS protection, CORS, rate limiting
Accountable Suppliers
Cloud infrastructure with ISO 27001 certification, GDPR DPA in place
GDPR Compliance
Full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
| Article | Requirement | How We Comply |
|---|---|---|
| Art. 5 | Principles | Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality |
| Art. 6 | Lawful Basis | Legitimate interests for service delivery, consent for marketing, contractual necessity for subscriptions |
| Art. 9 | Special Categories | Health data processed under explicit consent and substantial public interest (social care provision) |
| Art. 12-14 | Transparency | Privacy policy, cookie policy, terms of service, data processing notices |
| Art. 15 | Right of Access | Self-service data export (JSON/CSV) and formal Subject Access Request processing |
| Art. 17 | Right to Erasure | Account deletion requests via Data Requests page with admin processing workflow |
| Art. 20 | Data Portability | Full data export in machine-readable format (JSON/CSV) for all user data categories |
| Art. 25 | Data Protection by Design | Privacy built into architecture: encryption, access controls, data minimisation, audit logging |
| Art. 32 | Security of Processing | Encryption, pseudonymisation, resilience, regular testing, incident response |
| Art. 33-34 | Breach Notification | Security monitoring, incident detection, notification procedures within 72 hours |
Data Processing Principles
- Data collected only for specified, explicit purposes
- Minimum data collected for each function
- Data kept accurate and up to date
- Retained only as long as necessary
- Processed with appropriate security measures
- Transparent processing with clear privacy notices
Your Data Rights
- Access: Export all your data in JSON or CSV format at any time
- Rectification: Update your personal information via Settings
- Erasure: Request account and data deletion
- Portability: Download data in machine-readable format
- Restriction: Request restriction of processing
- Objection: Object to processing for direct marketing
Questions About Security?
Our Data Protection Officer is available to answer any security or compliance questions.
