Certifications & standards
We’re a young platform, so most accreditations are in flight rather than already on the wall. We publish status truthfully — "in progress" means we’ve booked the engagement and are working toward the standard; "planned" means scoped but not yet started.
Cyber Essentials Plus
IASME-accredited
UK government-backed scheme covering boundary firewalls, access controls, malware protection, patch management, and secure configuration. Engagement booked Q3 2026.
NHS DSPT
NHS Digital
NHS Data Security and Protection Toolkit — the 14-assertion standard NHS suppliers must meet. "Standards Met" submission in preparation.
SOC 2 Type 1
AICPA Trust Services Criteria
Type 1 readiness letter scoped for Q4 2026; Type 2 observation window starts immediately after. Control mapping in progress via Drata.
Security controls
Defence in depth. No single control is the line — every layer assumes the one above it might fail.
Encryption at rest
Supabase Vault (pgsodium envelope encryption) for sensitive columns — bank details, NI numbers, MFA secrets. Per-row DEKs reference a Vault-managed master.
Encryption in transit
TLS 1.3 on every public endpoint. HSTS preload enabled.
Hash-chained audit log
Every privileged action lands in a tamper-evident ledger. A BEFORE-INSERT trigger computes SHA-256 over the prior hash + canonical JSON of the new row, so any retroactive edit breaks the chain.
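The chain logic described above, as an added illustration rather than CareSyndicate's own trigger code: a mirror of the BEFORE-INSERT step plus the verifier an independent reader would run over an exported ledger. The genesis value, the exact canonical-JSON rules and the sample actions are assumptions/constructed.

```python
import hashlib
import json

# Assumed seed for the first row's prev_hash; the page does not state one.
GENESIS = "0" * 64


def canonical_json(row: dict) -> str:
    # Assumed canonical form: sorted keys, no whitespace, UTF-8 passthrough.
    return json.dumps(row, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def chain_hash(prev_hash: str, row: dict) -> str:
    """SHA-256 over the prior row's hash followed by the canonical JSON of the new row."""
    return hashlib.sha256(prev_hash.encode() + canonical_json(row).encode()).hexdigest()


def append(ledger: list, row: dict) -> dict:
    """Mirror of the BEFORE-INSERT trigger: stamp prev_hash and row_hash before storing."""
    prev = ledger[-1]["row_hash"] if ledger else GENESIS
    entry = {"payload": dict(row), "prev_hash": prev, "row_hash": chain_hash(prev, row)}
    ledger.append(entry)
    return entry


def verify(ledger: list) -> tuple:
    """Walk the chain from GENESIS; return (ok, index of first broken row or None)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or chain_hash(prev, entry["payload"]) != entry["row_hash"]:
            return False, i
        prev = entry["row_hash"]
    return True, None


def demo() -> tuple:
    """Constructed sample actions; returns (intact, ok_after_edit, broken_at, ok_after_rehash, broken_at2)."""
    ledger = []
    append(ledger, {"actor": "admin_01", "action": "plan.approve", "target": "plan_42"})
    append(ledger, {"actor": "admin_01", "action": "payroll.mutate", "target": "run_7"})
    append(ledger, {"actor": "admin_02", "action": "dsar.export", "target": "worker_9"})
    intact, _ = verify(ledger)
    # Retroactive edit of row 1: its stored hash no longer matches its content.
    ledger[1]["payload"]["action"] = "payroll.view"
    ok_edit, broken_edit = verify(ledger)
    # Even if the editor recomputes row 1's hash, row 2 still points at the old one.
    ledger[1]["row_hash"] = chain_hash(ledger[0]["row_hash"], ledger[1]["payload"])
    ok_rehash, broken_rehash = verify(ledger)
    return intact, ok_edit, broken_edit, ok_rehash, broken_rehash
```

The second tamper case is the one that matters: rewriting a single row's hash is not enough, because every later row commits to the original value.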
Least-privilege database role
Application traffic runs under a dedicated PG role with NOBYPASSRLS. Per-table FORCE ROW LEVEL SECURITY policies pin every read/write to the requesting user.
Admin MFA
TOTP enrolment required for every admin account. High-trust actions (plan approval, payroll mutations, GDPR DSAR on behalf of a worker) require a fresh MFA assertion ≤ 15 min old.
Refresh-token reuse detection
Refresh-token family revocation on reuse. Replay attempts page on-call within minutes.
Rate-limited authentication
Per-IP + per-account exponential backoff on auth endpoints. Redis fail-closed: Redis outage downgrades auth to 503 rather than letting brute force through.
HMAC-signed signing tokens
Public signing links carry an HMAC-SHA256 token bound to the envelope id with a short TTL. Tampering or reuse across envelopes fails closed.
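An added example (not CareSyndicate's code) of the mint/verify pair such a token implies: the envelope id and expiry are the MAC input, and verification fails closed on any malformed, expired, re-bound or tampered token. The token format, TTL value and demo key are assumptions.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"demo-key-not-for-production"
DEFAULT_TTL = 15 * 60  # assumed TTL in seconds; the page only says "short"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(envelope_id: str, exp: int) -> bytes:
    # The envelope id is part of the MAC input, so the token is bound to that envelope.
    return hmac.new(SIGNING_KEY, f"{envelope_id}.{exp}".encode(), hashlib.sha256).digest()


def mint_token(envelope_id: str, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Token format assumed here: <expiry_unix>.<base64url HMAC-SHA256>."""
    exp = now + ttl
    return f"{exp}.{_b64(_mac(envelope_id, exp))}"


def verify_token(envelope_id: str, token: str, now: int) -> bool:
    """Fail closed: malformed token, expired token, or MAC mismatch all return False."""
    try:
        exp_text, mac_text = token.split(".", 1)
        exp = int(exp_text)
        presented = _unb64(mac_text)
    except (ValueError, TypeError, AttributeError):  # int() failures, binascii.Error, non-str input
        return False
    if now >= exp:
        return False
    # Constant-time compare so a mismatch leaks nothing about the expected MAC.
    return hmac.compare_digest(_mac(envelope_id, exp), presented)
```

The envelope id used at verification comes from the server's own routing (the link path), never from the token, which is what stops a token minted for one envelope from opening another.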
Data privacy & residency
Production data lives in the UK (Supabase London). Backups replicate within the same region. We do not transfer personal data outside the UK/EEA except via the sub-processors listed below, and those transfers are governed by Standard Contractual Clauses where required.
Article 15 — Right of access
Self-serve from /contractor/settings/privacy. Admin-initiated requests are MFA-gated. Async export packs 17 PII tables into a ZIP, served via a 7-day HMAC-signed download URL.
Article 17 — Right to erasure
Resumable, audit-trailed cascade across 12 erasure steps. HMRC-retained records (statements, audit log) are redacted-in-place rather than deleted per ICO §17(3)(b).
Article 33 — Breach notification
Documented incident-response runbook with a 72-hour ICO breach template. Tabletop drill cadence: quarterly.
ICO registration
CareSyndicate is registered with the UK Information Commissioner.
Sub-processors
Every third party we share customer data with, what they do, and where they process it. This list is the authoritative one — if a Data Processing Agreement references "the published sub-processor list", this is it.
| Processor | Purpose | Region | Data access |
|---|---|---|---|
| Supabase | PostgreSQL database, file storage, authentication | eu-west-2 (London) | All platform data |
| Render | Backend + frontend hosting | eu-central (Frankfurt) | Application traffic; no persistent storage |
| Resend | Transactional email (notifications, DSAR completion, signing) | EU | Recipient email + message body |
| Sentry | Error tracking + APM | EU (de.sentry.io) | Stack traces; PII scrubbed before send |
| OpenRouter / Anthropic / OpenAI | AI gateway egress (LLM calls) | US | Prompts only; PII redacted via Presidio before egress |
| Twilio | SMS notifications (optional, per-org) | US/EU | Recipient phone + message body |
| Vapi | Voice AI (optional, per-org) | US | Call audio + transcript |
We notify customers in writing before adding a sub-processor that will receive personal data; existing customers may object before the change takes effect.
Service level objectives
Operational targets we hold ourselves to. Real-time availability and incident history are published at status.caresyndicate.ai.
| Objective | Target | Note |
|---|---|---|
| Availability | 99.5% | ~3.6h / month error budget |
| Auth p95 latency | < 300ms | End-to-end including DB round trip |
| RPO / RTO | 5min / 1h | Supabase point-in-time recovery |
Vulnerability disclosure
If you’ve found a security issue, please email security@caresyndicate.ai with steps to reproduce. We acknowledge inside one business day and aim to triage within three. We do not currently run a paid bug bounty, but we will publicly credit good-faith researchers on this page with their permission.
Please do not publicly disclose vulnerabilities before we’ve had a reasonable chance to fix them. We commit to keeping you in the loop on remediation timing.
Talk to us
Procurement questionnaires, DPA requests, or anything else trust-adjacent → security@caresyndicate.ai. For general support → support@caresyndicate.ai.
Want to verify any of this independently? Our public status page, hash-chained audit, and DSAR self-serve mean you can confirm most claims here without taking our word for it.