Security & trust

Security built for healthcare

Care homes hold some of the most sensitive personal data in the UK. We treat protecting that data as a first-class product feature, not a bolt-on.

Standards we hold ourselves to

Independent attestations, not marketing claims.

CQC aligned (Compliant)

Platform controls map to CQC Key Lines of Enquiry for safe, well-led and effective care.

GDPR & UK DPA 2018 (Compliant)

Data controller / processor agreement and full data subject rights workflow built into the platform.

NHS DSPT (In progress)

Data Security and Protection Toolkit submission underway. Standards Met expected within 6 months.

ISO 27001 (Aligned, audit planned)

Annex A controls implemented. Stage 1 audit booked.

Cyber Essentials (Certified)

UK government-backed scheme covering firewalls, secure configuration, access control, malware protection and patching.

Penetration testing (Annual)

Independent CREST-accredited testing of the platform and infrastructure.

How we protect your data

From the network edge to the database row, security is layered. Here is the short version.

Encryption everywhere

  • TLS 1.2+ for all data in transit. HSTS preloaded.
  • AES-256 encryption at rest, managed by Supabase / AWS KMS.
  • Strict CSP, X-Frame-Options DENY, Referrer-Policy and HSTS headers.
  • All secrets rotated and stored in encrypted vaults.

Access controls

  • Role-based access control (RBAC) across every record.
  • Row-level security enforced in the database, not just the API.
  • Multi-factor authentication available on every account.
  • Audit trail on every read, write, export and consent change.
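What "row-level security enforced in the database, not just the API" looks like in practice, as an added example that is not Salstead's schema or code: a constructed care-plan table on Supabase-style PostgreSQL where every staff user is limited to the care homes they belong to, and only managers may write. The `authenticated` role and the `auth.uid()` helper are assumed from the Supabase platform; the tables, policies, UUIDs and the `is_manager_of` function are constructed for this illustration.

```sql
-- Added example (not Salstead's schema). Constructed tables and ids.
-- Assumes Supabase-style Postgres: the `authenticated` API role and the
-- auth.uid() helper, which reads the caller's user id from the JWT claims
-- the API gateway sets on the connection. Outside Supabase you would first
-- `create role authenticated` and define auth.uid() yourself.

create table care_homes (
  id   uuid primary key,
  name text not null
);

-- Which staff user may see which home, and with what role.
create table staff_memberships (
  user_id      uuid not null,                       -- auth.users.id
  care_home_id uuid not null references care_homes(id),
  role         text not null check (role in ('carer', 'manager')),
  primary key (user_id, care_home_id)
);

create table care_plans (
  id           uuid primary key default gen_random_uuid(),
  care_home_id uuid not null references care_homes(id),
  resident     text not null,
  plan         jsonb not null,
  updated_at   timestamptz not null default now()
);

grant select on staff_memberships to authenticated;
grant select, insert, update on care_plans to authenticated;

-- Enabling RLS with no policies yet means the API role sees zero rows, so a
-- policy that was never written denies rather than exposes. FORCE applies the
-- policies to the table owner too; only a bypassrls role (a superuser, or
-- Supabase's service role) still sees everything.
alter table staff_memberships enable row level security;
alter table staff_memberships force row level security;
alter table care_plans enable row level security;
alter table care_plans force row level security;

-- Staff may read their own membership rows only.
create policy memberships_self on staff_memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Read care plans only for homes the caller belongs to. The subquery runs as
-- the caller, so it is itself filtered by memberships_self.
create policy care_plans_read on care_plans
  for select to authenticated
  using (
    care_home_id in (
      select care_home_id from staff_memberships where user_id = auth.uid()
    )
  );

-- Constructed helper: is the caller a manager of this home?
create function is_manager_of(home uuid) returns boolean
  language sql stable security invoker as $$
    select exists (
      select 1 from staff_memberships
      where user_id = auth.uid() and care_home_id = home and role = 'manager'
    );
  $$;

-- WITH CHECK is what stops an insert or update from landing a row in a home
-- the caller does not manage; USING alone would only control which rows are
-- visible to the statement.
create policy care_plans_insert on care_plans
  for insert to authenticated
  with check (is_manager_of(care_home_id));

create policy care_plans_update on care_plans
  for update to authenticated
  using (is_manager_of(care_home_id))
  with check (is_manager_of(care_home_id));

-- Seed data (run as a bypassrls role). Constructed ids.
insert into care_homes values
  ('11111111-1111-1111-1111-111111111111', 'Oak House'),
  ('22222222-2222-2222-2222-222222222222', 'Elm Lodge');
insert into staff_memberships values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', '11111111-1111-1111-1111-111111111111', 'carer'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', '22222222-2222-2222-2222-222222222222', 'manager');
insert into care_plans (care_home_id, resident, plan) values
  ('11111111-1111-1111-1111-111111111111', 'Resident A', '{"mobility": "assisted"}'),
  ('22222222-2222-2222-2222-222222222222', 'Resident B', '{"mobility": "independent"}');

-- Check from psql by impersonating the Oak House carer. Assumption: Supabase's
-- auth.uid() derives the id from the request.jwt.claims setting.
begin;
set local role authenticated;
set local request.jwt.claims = '{"sub": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"}';
select resident from care_plans;          -- care_plans_read hides the Elm Lodge row
update care_plans set plan = '{}' where resident = 'Resident A';  -- a carer is not a manager, so care_plans_update matches no row
rollback;
```

The point of the design is that the filter lives where the data lives: an API bug, a misrouted query or a direct database connection using the `authenticated` role still cannot reach another home's records, and the audit of who can see what reduces to reading the policy definitions.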

Data residency

  • All customer data hosted in UK / EU-West region.
  • Daily encrypted backups with 30-day retention.
  • Point-in-time recovery to any second in the last 7 days.
  • Disaster recovery runbooks tested quarterly.

Secure engineering

  • Dependency vulnerability scanning on every commit.
  • Static analysis and secret scanning in CI.
  • Mandatory peer review for every production change.
  • Vercel + Supabase managed infrastructure, both SOC 2 Type II.

Data protection

GDPR and UK DPA 2018, by design

Every workflow is built around lawful basis, data minimisation and the rights of residents, families and staff.

Lawful basis

Each data field is classified by lawful basis. Care plan data is processed under Article 9 health and social care provisions.

Subject access requests

Built-in DSAR workflow with a 30-day SLA timer and audit trail. One-click data exports for residents, families and staff.

Retention

Configurable retention policies per record type, defaulting to NHS records management standards (8 years for adult social care).

Sub-processors

Limited to Supabase, Vercel, Resend, Stripe. All EU/UK hosted. Public list maintained at /legal/sub-processors.

Responsible disclosure

Found something? We want to hear from you.

We welcome reports from security researchers. We will acknowledge within 2 business days, validate within 5, and credit you publicly with your permission.

Email

security@salstead.com (PGP fingerprint published on request)

Scope

salstead.com, app.salstead.com, api.salstead.com and supporting infrastructure.

Need a copy of our security pack?

We can share our security questionnaire, sub-processor list, DPA template and architecture overview under NDA. Email security@salstead.com or book a call.