Security & Compliance

Built for UK care data.

CareEvidence AI processes sensitive personal and special-category data on behalf of UK care providers. We treat that responsibility as a first-class engineering concern — not a compliance afterthought.

Data residency and hosting safeguards

Resident-related data is hosted on managed infrastructure with UK / EU residency requirements, reviewed sub-processors, and transfer safeguards documented in our DPA and sub-processor register before real care data is enabled.

Tenant isolation by row-level security

Every tenant-scoped table in the database enforces PostgreSQL row-level security. The application sets a tenant context on every request and the database refuses to return rows from any other tenant — even on a developer mistake.
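
A sketch of the row-level security pattern described above, as an added example and not CareEvidence AI's own schema or code. The table `care_notes`, the role `app_user` and the setting name `app.tenant_id` are assumptions, and the UUID is a constructed sample value.

```sql
-- Added example: table, role and setting names are hypothetical.
CREATE TABLE care_notes (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid NOT NULL,
    body      text NOT NULL
);

ALTER TABLE care_notes ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner is exempt from its own policies.
ALTER TABLE care_notes FORCE ROW LEVEL SECURITY;

-- Fail closed: an unset or empty tenant context becomes NULL, the
-- comparison is never true, and no row is visible or writable.
-- NULLIF covers the empty string a transaction-local setting leaves
-- behind on a pooled connection after the transaction ends.
CREATE POLICY tenant_isolation ON care_notes
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE app_user LOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON care_notes TO app_user;

-- Per request, connected as app_user: set the context inside the
-- transaction. The third argument (true) makes it transaction-local,
-- so it cannot leak to the next request on the same connection.
BEGIN;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);
-- No WHERE clause: the policy alone limits the rows to this tenant.
SELECT id, body FROM care_notes;
-- WITH CHECK rejects a write that names a different tenant_id.
INSERT INTO care_notes (tenant_id, body)
VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample note');
COMMIT;

-- Review check: list tables that carry a tenant_id column but do not
-- have RLS both enabled and forced. An empty result is the goal.
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE c.relkind = 'r'
  AND a.attname = 'tenant_id'
  AND a.attnum > 0
  AND NOT a.attisdropped
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
```

Superusers and roles with BYPASSRLS are never subject to policies, so the guarantee holds only while the application's database role has neither attribute.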

Encryption

TLS 1.2+ for every connection. Database, document storage and queue data use provider-managed encryption at rest. Document URLs are short-lived signed links scoped to a single tenant.

Authentication and MFA

Identity managed by Amazon Cognito. Email + password with optional TOTP MFA. Forced password rotation on first login. SSO (SAML / OIDC) available on Enterprise.

Audit trail

Every state-changing action — AI draft, approval, document upload, role change — is recorded in an append-only audit log. Tenants can export the audit history for inspection or DPO review.

Human-in-the-loop AI

AI drafts are never auto-applied. A registered manager or compliance lead must approve each draft before it becomes part of the formal record. Drafts retain their source citation back to the underlying care notes.

Backups and recovery

Managed database backups, document storage protection, restore runbooks and incident response procedures are part of the launch pack. Production restore evidence is a required sign-off gate before real customer data is enabled.

Sub-processors

We maintain a sub-processor register for hosting, database, storage, identity, billing, email, monitoring and optional AI inference providers. The full list, including regions and transfer safeguards, is provided on request as part of our DPA.

Want our full security pack?

We share our threat model, data protection impact assessment (DPIA), sub-processor list and DPA on request. Get in touch and we’ll send the pack to your DPO or IG lead. Security reports can be sent to security@care-evidence-ai.com; data-protection requests can be sent to privacy@care-evidence-ai.com.
