Trust Centre
Data Protection, Security & Compliance
We take the protection of information seriously and recognise the trust placed in us by our clients, partners, and the individuals whose data we process.
This Trust Centre provides an overview of how we manage information security, data protection, and regulatory compliance across our services. It brings together our certifications, registrations, governance approach, and key assurance information in one place, allowing stakeholders to understand how we safeguard data and operate responsibly.
Certifications & Registrations
We maintain a number of independently assessed certifications and registrations that demonstrate our commitment to robust security and data protection practices.
- We are certified to ISO/IEC 27001:2022 by a UKAS-accredited certification body. This confirms that our Information Security Management System (ISMS) meets internationally recognised standards for managing the confidentiality, integrity, and availability of information. Our ISMS is risk-led and proportionate, reflecting our operating model as a remote-first organisation.
- We have successfully completed the NHS Data Security & Protection Toolkit and are independently assessed, demonstrating alignment with the National Data Guardian’s 10 Data Security Standards and NHS expectations for handling health and personal data.
- We hold both Cyber Essentials and Cyber Essentials Plus, with Cyber Essentials Plus assessed by a CREST-certified certification body. This provides independent validation of key technical security controls designed to protect against common cyber threats.
- We are registered with the UK Information Commissioner’s Office (ICO) as a data controller, in accordance with UK GDPR and the Data Protection Act 2018.
Client Responsibilities & Shared Accountability
Information security and data protection are shared responsibilities and depend on the context in which services are delivered. While we implement robust technical and organisational measures within our control, our clients retain responsibility for:
- Defining the lawful basis for processing
- Determining purposes and means of processing (where acting as controllers)
- Completing and maintaining Data Protection Impact Assessments where required
- Ensuring appropriate user access and configuration within client-managed environments
We work collaboratively with clients to support these responsibilities, including providing assurance information, responding to DPIA enquiries, and contributing to security and privacy risk assessments where appropriate.
Data Protection & Privacy
We are committed to processing personal data lawfully, fairly, and transparently. Data protection considerations are embedded into our services, governance, and decision-making processes.
Controller and Processor Responsibilities
The role we perform in relation to personal data depends on the specific service being provided.
- In some contexts, we act as a data controller
- In others, we act as a data processor on behalf of our clients
- In certain arrangements, responsibilities may be shared or distinct across services
Because our services are not “one size fits all”, we do not impose a single standard Data Protection Impact Assessment (DPIA) template on clients. Instead, we work collaboratively with clients to:
- Support the development of DPIAs where required
- Provide information about our technical and organisational measures
- Assist clients in meeting their own controller obligations
This ensures that risk is assessed appropriately and proportionately for each service and use case.
Regulatory Framework
Our data protection practices are aligned with:
- UK GDPR
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR), where applicable
- NHS and public-sector data protection expectations (where applicable)
Further details on how we process personal data, including individual rights, cookies, and retention practices, are available in our published Privacy Notice.
Privacy by Design
Data protection is considered from the outset of service design and delivery. This includes:
- Data minimisation and purpose limitation
- Role-based access controls
- Secure processing environments
- Regular review of processing activities
Information Security
We operate a formal Information Security Management System (ISMS) that is certified to ISO/IEC 27001:2022 and subject to ongoing monitoring, review, and improvement.
Our information security approach is risk-based and designed to protect information throughout its lifecycle, whether held electronically or accessed remotely.
Assurance, Testing & Audits
We use independent assessment and testing to validate the effectiveness of our security and data protection controls.
Independent Assurance
Our assurance activities include:
- External ISO/IEC 27001 certification audits
- Independent assessment of the NHS Data Security & Protection Toolkit
- Cyber Essentials and Cyber Essentials Plus certification
These assessments provide confidence that our controls are designed and operating effectively.
Testing & Review
We undertake regular testing and review activities, including:
- Vulnerability scanning and remediation
- Independent penetration testing
- Internal risk assessments and management review
Findings are tracked and addressed in line with our risk management framework.
Incident Management
We maintain documented processes for identifying, managing, and responding to information security and data protection incidents.
Where required, incidents are assessed for:
- Regulatory notification obligations
- Client notification requirements
- Lessons learned and control improvement
Accessing Further Assurance Information
We recognise that clients and partners may require additional assurance information as part of their own governance, procurement, or audit processes.
We can provide, on request:
- Redacted or summary penetration test reports
- Confirmation of ISO/IEC 27001 certification outcomes
- Supporting information for DPIAs and security questionnaires
Requests for further assurance information are assessed on a case-by-case basis to ensure information is shared responsibly and securely.