Security and compliance
Medical evidence is special-category personal data. Every file is encrypted at rest and in transit, every access is logged, and all client data resides in ISO-accredited UK infrastructure.
Keeping data on UK soil in independently certified facilities removes the whole question of international transfer before it starts. Two-factor authentication is enforced on every account, and role-based permissions apply to every folder and document.
The controls
ISO 27001 UK data centres. No transatlantic transfer and no third-country processors.
Each document is encrypted before being written to storage, with keys held separately from the data.
Enforced on every account, with role-based permissions on every folder and document.
Due diligence
When a firm asks how a claimant's records are protected, a clear, specific answer is part of winning the instruction.
Data stays on UK soil in ISO 27001 facilities, so there is no international transfer to assess. Each document is encrypted before it is written, with keys held separately from the data. Access is invite-only, two-factor is enforced, and every view, download and amendment is logged and attributable. Taken together, these are not abstract assurances; they are the controls an information governance review expects to see evidenced, and we will provide the detail in writing on request.
For your IG team
A firm's information governance team does not want reassurance. They want to know where the data sits, how it is encrypted, who can reach it, and what is logged. Vague answers slow an instruction down while they are chased up.
Here are the specifics they will ask for. All client data resides in ISO 27001 accredited data centres in the United Kingdom, so there is no international transfer to assess and no third-country processor to add to the register. Each document is encrypted before it is written to storage, with the keys held separately from the data, so a compromise of storage alone yields nothing readable. Access is invite-only and protected by two-factor authentication, with role-based permissions on every folder and document. Every view, download and amendment is logged and attributable, and no patient detail is sent by email. We provide this detail in writing, with a data processing agreement, so the review has what it needs to sign off rather than a marketing page to interpret.
No patient detail leaves the system by email.
Each document is encrypted before it is written to storage, with keys held separately from the data, and traffic is encrypted in transit.
Yes. We provide a data processing agreement and our security and data-handling detail in writing on request.
The detail your firm's due diligence needs, in one document.
Request the pack