We operate inside one of the most regulated industries in the UK. Security is not a feature we ship. It is the condition under which everything else works.
Infrastructure
All patient and clinical data is stored and processed on Hetzner infrastructure located within the United Kingdom. Nothing leaves UK borders.
TLS 1.2 or higher on all connections. Data at rest is encrypted using AES-256. This applies to all environments, including backups.
Production, staging, and development environments are fully separated. No shared credentials. No cross-environment data access.
All services run in Docker containers. Infrastructure changes go through version control, and rollbacks take minutes.
Data privacy
Data minimisation, purpose limitation, and retention policies are built into the platform architecture—not applied as an afterthought.
Role-based access controls limit what each user can see and do. Sessions are time-limited, authenticated, and logged. Privileged access requires additional verification.
We operate as a data processor under UK GDPR. Data processing agreements are available for all clients and reviewed by our legal team.
Patient data deletion requests are handled within statutory timeframes. Audit trails of deletions are maintained as required.
Clinical compliance
Our platform and dispensing workflows are built to support and inspection requirements. Documentation, audit trails, and SOPs are accessible and inspection-ready.
Online prescribing flows built on the platform follow guidance for remote prescribing and clinical decision support.
Every prescribing and dispensing event is logged with timestamp, practitioner identity, and patient record reference. Logs are immutable and exportable.
Each client’s data is logically isolated within the platform. No client can access another’s patient records, configuration, or operational data. Isolation is enforced at both application and database layers.
DataForge meets the NHS England Clinical Risk Management standard for health IT manufacturers. Our clinical safety documentation is maintained, reviewed and approved by a GMC-registered Clinical Safety Officer.
Questions
Procurement teams, IT leads and clinical governance officers are welcome to contact us with specific questions. We reply within one working day.