Care App meets the security and compliance standards UK care providers need — from GDPR to NHS DSP Toolkit alignment.
Every account benefits from these protections by default — no configuration required.
All data is transmitted over TLS 1.2+ (HTTPS). Data stored in our databases is encrypted at rest using AES-256.
Your data is stored on Google Cloud infrastructure located in UK and EU regions. Data never leaves the UK/EU.
Staff can only access records for their assigned clients. Team leaders see their team. Managers see their organisation. No cross-tenant access is possible.
Every action — care note, medication record, visit log — is time-stamped with the user's identity. Records cannot be altered or deleted without a trace.
Email verification on signup, strong password requirements, and session timeout controls. Firebase Authentication handles credential management.
Each care organisation's data is logically isolated at the database level using tenant identifiers enforced by server-side security rules — not just application logic.
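As an added illustration of the tenant and role model described above (assigned clients for staff, team scope for team leaders, organisation scope for managers, tenant isolation enforced server-side), here is a Firestore security rules fragment written for this page; it is not Care App's own ruleset, and the collection paths, the custom claims `orgId`, `role`, `teamId` and the `assignedClients` list on the staff profile are all assumed names:

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed: each ID token carries custom claims orgId (tenant) and
    // role (staff | team_leader | manager).
    function signedIn() { return request.auth != null; }
    function inOrg(orgId) { return signedIn() && request.auth.token.orgId == orgId; }
    function hasRole(role) { return request.auth.token.role == role; }

    // Assumed staff profile document: holds the worker's teamId and assignedClients list.
    function staffDoc(orgId) {
      return get(/databases/$(database)/documents/orgs/$(orgId)/staff/$(request.auth.uid)).data;
    }
    function clientDoc(orgId, clientId) {
      return get(/databases/$(database)/documents/orgs/$(orgId)/clients/$(clientId)).data;
    }

    // Tenant check first, then role scope: a token from another organisation
    // is denied whatever its role; a staff token only sees assigned clients.
    function canSeeClient(orgId, clientId) {
      return inOrg(orgId) && (
        hasRole('manager')
        || (hasRole('team_leader') && clientDoc(orgId, clientId).teamId == staffDoc(orgId).teamId)
        || (hasRole('staff') && clientId in staffDoc(orgId).assignedClients));
    }

    match /orgs/{orgId}/clients/{clientId} {
      allow read: if canSeeClient(orgId, clientId);
      allow write: if inOrg(orgId) && hasRole('manager');
    }

    // Care notes are append-only: author and server timestamp are fixed at
    // creation, and no update or delete is possible through the client SDK.
    match /orgs/{orgId}/clients/{clientId}/notes/{noteId} {
      allow read: if canSeeClient(orgId, clientId);
      allow create: if canSeeClient(orgId, clientId)
                    && request.resource.data.authorUid == request.auth.uid
                    && request.resource.data.createdAt == request.time;
      allow update, delete: if false;
    }
  }
}
```

Each `get()` call counts towards Firestore's per-request limit on document reads in rules, so the staff and client lookups should stay small and be tested with the Firebase rules emulator for every role and for a cross-tenant token before deployment.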
How Care App supports your compliance obligations as a UK care provider.
Care App processes personal data in line with UK GDPR. A Data Processing Agreement (DPA) is available for all customers on request. Data subject rights (access, rectification, erasure) are supported.
Care App is aligned with DSP Toolkit requirements — covering data encryption, access controls, staff training records, and incident logging. Useful for NHS-funded services required to complete the Toolkit annually.
Care App's CQC Evidence Pack generates a structured compliance report covering care plans, risk assessments, incident logs, medication records, and training — ready to share with inspectors at short notice.
Digital MAR charts with tamper-evident logging ensure every medication event is recorded with a timestamp and staff identity — meeting CQC and NMC standards for medication record-keeping.
Mandatory training expiry dates and DBS renewal alerts help ensure your workforce remains compliant at all times — reducing the risk of CQC findings around training gaps.
Safeguarding concerns and incidents are logged with full detail and a clear audit trail, supporting Local Authority Designated Officer (LADO) reporting and the CQC "Safe" key lines of enquiry.
A summary of the personal data Care App stores on behalf of your organisation, and how it is protected.
| Data type | Who it relates to | How it is protected | Retention |
|---|---|---|---|
| Care plans, risk assessments | Clients (service users) | Encrypted at rest & in transit; role-based access | Until deleted by your organisation |
| Medication (MAR) records | Clients | Encrypted; immutable audit trail; role-based access | Until deleted by your organisation |
| Visit logs & QR check-ins | Clients & staff | Encrypted; GPS-stamped; immutable | Until deleted by your organisation |
| Staff profiles, DBS, training | Care workers | Encrypted; restricted to management | Until deleted by your organisation |
| Timesheets & payroll data | Care workers | Encrypted; restricted to management | Until deleted by your organisation |
| Billing & invoices | Clients / commissioners | Encrypted; restricted to management | Until deleted by your organisation |
Care App acts as a Data Processor on your behalf. As the care provider, you remain the Data Controller. Our Data Processing Agreement and Privacy Policy detail the full scope of processing.
Only users within your organisation with the appropriate role. Care App staff do not access your care records. Google Cloud infrastructure staff have no access to application-layer data due to encryption.
Your data remains available to export for 30 days after cancellation, after which it is permanently deleted from our systems. You can request immediate deletion at any time by contacting us.
Yes. Care App undergoes regular security reviews including penetration testing of both the application layer and Firestore security rules to identify and remediate vulnerabilities before they can be exploited.
Yes. A DPA is available to all customers. View our DPA or contact us to request a signed copy for your records.
In the event of a data breach, we will notify affected customers within 72 hours in line with UK GDPR requirements, and provide the information needed for your own ICO notification obligations.
Yes. Care App's security posture is aligned with NHS Data Security and Protection Toolkit requirements, making it suitable for use in NHS-commissioned care services. We hold a registered NHS ODS code.
Our team can answer security and compliance queries directly — or send you our DPA for review.