CAREFUL

Security & Compliance

CAREFUL is built for NHS clinical safety and data protection standards. Every certification listed here is current — not "in progress" or "working towards".

Clinical safety

DCB0129 — CAREFUL holds active DCB0129 certification with a maintained Clinical Safety Case Report and Hazard Log. The Clinical Safety Officer is named and accountable.

Cyber security

Cyber Essentials Plus — Current certification.

NHS Data Security and Protection Toolkit (DSPT) — Completed and published.

Data protection

ICO Registration — Careful Systems Limited is registered with the Information Commissioner's Office. Verify (ZA249706) →

Data residency — All data is processed and stored in Microsoft Azure, in appropriate zones for data sovereignty.

GDPR compliance — CAREFUL processes data under the Trust's controllership. Data processing agreements are in place for all deployments.

Hosting and infrastructure

CAREFUL runs on Microsoft Azure Kubernetes Service (AKS) in Azure regions appropriate for data sovereignty (including UK South). The architecture provides:

  • 99.95% uptime SLA from Azure for the AKS cluster
  • Three availability zones — physically separate datacentres within UK South
  • Auto-scaling from 3 to 11 nodes based on demand
  • Zero-downtime deployments via rolling updates with instant rollback
  • Encryption — TLS in transit, encryption at rest, SSL-enforced database connections

Defence in depth

Security operates across five layers: WAF and DDoS protection at the edge (Azure Front Door); private pod networking with service isolation; Kubernetes RBAC with Azure Managed Identity; Azure Key Vault for secrets management; and encrypted database connections with no stored credentials.

Monitoring

Azure Monitor, Container Insights and Log Analytics provide infrastructure observability. Sentry.io tracks application errors in real time. Health alerts are integrated into Slack for rapid response.

Deployment pipeline

All changes follow a controlled CI/CD pipeline: sandbox → demo → production, with manual approval before each release. This ensures no untested code reaches the production environment.