Built for organisations that handle sensitive health data
Security is not an add-on. It is embedded in our architecture, authentication, data isolation, and governance — from day one.
UK Data Hosting: ISO 27001 infrastructure
TOTP MFA: With backup codes
RBAC (13 Roles): 100+ granular permissions
7-Year Audit Trail: Immutable, timestamped
Security built into every layer
From encryption and authentication to rate limiting and data isolation — every layer of the platform is hardened. Every action is logged to an immutable audit trail with 7-year retention. Audit events cannot be altered or deleted.
Also includes: PIN auth for controlled drugs, soft delete (no hard deletes), S3 storage with tenant isolation, CORS hardening with explicit origins
Encryption
TLS 1.2+ in transit. AES-256 at rest. Separate key management for backups.
Authentication
JWT tokens (30 min access, 7-day refresh). TOTP MFA with backup codes. PIN auth for controlled drug operations.
Password policy
12+ characters, mixed case, digit, special character. Bcrypt with 12 rounds. Account lockout after 5 failed attempts (15 min).
Rate limiting
10 login attempts/min, 5 password resets/min. Configurable per endpoint.
Security headers
CSP, HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. TrustedHost enforcement in production.
Data isolation
Complete multi-tenant isolation. Every query filtered by care_home_id. No cross-tenant data access possible.
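One way to enforce the care_home_id filter described under Data isolation, shown as an added example that is not this platform's own code: a data-access object bound to a single tenant, so no statement can be issued without the filter. The residents table, its columns, the class and method names and the sample rows are assumptions constructed for illustration; soft delete is included because the page lists it.

```python
import sqlite3


def make_db():
    # Constructed sample data; every name except care_home_id is an assumption.
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "CREATE TABLE residents (id INTEGER PRIMARY KEY, "
        "care_home_id INTEGER NOT NULL, name TEXT NOT NULL, deleted_at TEXT)"
    )
    db.executemany(
        "INSERT INTO residents (id, care_home_id, name) VALUES (?, ?, ?)",
        [(1, 10, "Resident A"), (2, 10, "Resident B"), (3, 20, "Resident C")],
    )
    return db


class TenantScopedResidents:
    """Data access bound to one tenant taken from the authenticated session."""

    def __init__(self, db, care_home_id):
        self._db, self._tenant = db, int(care_home_id)

    def list_all(self):
        rows = self._db.execute(
            "SELECT id, name FROM residents "
            "WHERE care_home_id = ? AND deleted_at IS NULL ORDER BY id",
            (self._tenant,),
        )
        return [dict(r) for r in rows]

    def get(self, resident_id):
        # id AND tenant: another care home's id looks like a missing record.
        row = self._db.execute(
            "SELECT id, name FROM residents "
            "WHERE id = ? AND care_home_id = ? AND deleted_at IS NULL",
            (resident_id, self._tenant),
        ).fetchone()
        return dict(row) if row else None

    def soft_delete(self, resident_id):
        # Mark the row instead of removing it; the tenant filter still applies.
        cur = self._db.execute(
            "UPDATE residents SET deleted_at = datetime('now') "
            "WHERE id = ? AND care_home_id = ? AND deleted_at IS NULL",
            (resident_id, self._tenant),
        )
        return cur.rowcount == 1
```

A cross-tenant regression test then reduces to asserting that one tenant's object returns nothing, and changes nothing, for another tenant's record ids.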
NHS Data Security & Protection Toolkit
“Aligned” not “compliant”: we do not claim DSPT “Standards Met” or a published assessment outcome. Self-assessment available on request — see “What we mean by DSPT aligned” in Compliance & governance.
Compliance & governance
What we mean by “DSPT aligned”
“DSPT compliant” is often used when an organisation has completed the official NHS Data Security and Protection Toolkit assessment and achieved the required outcome (for example “Standards Met”). “DSPT aligned” is what we describe: we map controls, evidence, and our roadmap to the toolkit, but we have not published a DSPT submission or claimed Standards Met. That is deliberate and honest. Our self-assessment is available on request so your information governance team can judge fit.
We are actively working towards meeting all assertions in the NHS Data Security and Protection Toolkit, alongside the 10 National Data Guardian standards and the Cyber Essentials framework. GDPR data retention is automated — configurable purge policies run nightly via a background scheduler, so expired data is removed without manual intervention.
Data residency: All data is stored and processed within British infrastructure. Nothing ever leaves the United Kingdom.
Also includes: GDPR automated retention & purge, DPIAs for new features, 10 NDG standards alignment, Cyber Essentials framework
Responsible disclosure: If you believe you have found a security vulnerability, report it to info@ataracare.com. We respond within 48 hours.
Security questions? Let's talk.
We're happy to walk through our security architecture, share our DSPT self-assessment, or answer any questions your team has.
