Carefold
Compliance & Security

Built around the UK regulatory stack.

UK regulators have spent five years building a coherent standards stack for digital social care. We took them at their word, and built around it from day one. This page is the live posture of that work.

All systems operational
99.97% uptime, trailing 90 days · 0 P1 incidents this quarter · last incident: 14 Feb 2026 (resolved 22 min)
Frameworks & certifications

The nine things UK care procurement asks about.

Each framework below carries its current status: certified, audited, attested, mapped, or still in progress. The evidence library is available under a signed DPA, typically within a working day.

Assured-ready

DSCR

Digital Social Care Record standards (NHS England). Mapped against the published standards, evidenced, and ready for re-assessment under the current framework cycle.

Assured supplier listing in progress · Q3 2026
Aligned

DSPT

Data Security & Protection Toolkit. Carefold operates at "Standards Met" against the 2025-26 toolkit. A tenant DSPT evidence library is available to support your own submission as deployer.

Last re-attested 14 Feb 2026 · ODS 8K123
Compliant

DTAC

Digital Technology Assessment Criteria (NHS England, formerly NHSX). Clinical safety, data protection, technical security, interoperability, usability & accessibility, all scored against the published criteria.

DTAC v1.4 · WCAG 2.2 AA
Mapped

CQC SAF

All 34 Quality Statements of the Single Assessment Framework are mapped to Helm evidence panels, with one-click export for inspections under the framework.

6 evidence categories · 34 QSs · live in Helm
Baked in

DCB0129 / 0160

Clinical risk management for manufacturer (0129) and deployer (0160). Hazard log, severity, mitigations, post-deployment monitoring — for Helm, Move, and Pulse separately.

Clinical safety officer: Dr A. Faulkner
Following

NICE NG67

Managing medicines for adults receiving social care in the community. Embedded in the eMAR, PRN, controlled-drug (CD) register and stock workflows. Reviewed at each NICE guidance update.

NG67 + supporting evidence
Certified

ISO 27001

Information Security Management System. Carefold Limited holds ISO 27001:2022 certification with annual surveillance audits. Statement of Applicability available.

Cert no. CFD-27001-2025-001 · UKAS-accredited body
Certified

Cyber Essentials Plus

NCSC Cyber Essentials Plus, the assessor-verified level. Annual re-assessment with hands-on testing of a sample of devices and the internet-facing infrastructure.

Last assessed 22 Jan 2026 · IASME-accredited
In progress

SOC 2 Type II

System and Organization Controls (SOC) 2 Type II report covering the Security, Availability and Confidentiality trust services criteria. Observation window started Jan 2026; the report follows the close of the 12-month window.

Observation period: 12 months · auditor TBD
CQC Single Assessment Framework

34 Quality Statements. One evidence pack.

The Single Assessment Framework has 34 Quality Statements, assessed through six evidence categories. Carefold Helm organises its evidence panels by category and maps every statement to a live panel, auto-assembled from real records rather than scraped together before an inspection.

01 / 06 · evidence category

People's experience

Survey responses (Home portal), complaint outcomes, family-portal sentiment, "I" statement evidence. Direct from people receiving the care.

8 Quality Statements · auto-evidenced
02 / 06 · evidence category

Feedback from staff & leaders

Carer engagement surveys, supervision themes, exit-interview patterns, whistleblowing log (anonymised in evidence pack).

6 Quality Statements · auto-evidenced
03 / 06 · evidence category

Feedback from partners

GP feedback, social-worker collaboration logs, multidisciplinary review records, ICB & LA correspondence.

5 Quality Statements · auto-evidenced
04 / 06 · evidence category

Observation

Spot-check records, internal audit findings, manager-observation logs. The on-the-ground evidence inspectors look for.

5 Quality Statements · auto-evidenced
05 / 06 · evidence category

Processes

Policies, audit trails, training records, supervision schedules, corrective-action register, retention enforcement.

7 Quality Statements · auto-evidenced
06 / 06 · evidence category

Outcomes

The outcomes engine: per-person outcome progress, agency-wide outcome rates, commissioner-format exports.

3 Quality Statements · auto-evidenced
Security posture

How we treat your data.

Carefold is a clinical platform for vulnerable adults. Our security posture is what we'd expect of any service handling our own family's records.

Hosting

UK-region AWS, isolated tenancy

All client data is hosted in eu-west-2 (London), with cold failover to eu-west-1 (Ireland). Tenant data shares a schema and is logically isolated by a tenant_id discriminator, enforced at the query layer so that every statement carries the tenant scope.

  • AWS UK Sovereign Cloud roadmap-aligned
  • Group plan: optional single-tenant DB
  • No data held outside the UK except the eu-west-1 failover replica; nothing further without your consent
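How query-layer tenant scoping works, and what it protects against, as an added illustration (this is not Carefold's code). The schema, rows and repository class are constructed for the example; the one real point is the contrast between `TenantScopedRepo`, which binds `tenant_id` from the session on every statement, and `unscoped_get_note`, a primary-key lookup with no discriminator, which is exactly the cross-tenant read the control exists to prevent:

```python
import sqlite3

# Constructed schema and rows for the example; not Carefold's data model.
SCHEMA = """
CREATE TABLE care_notes (
    id         INTEGER PRIMARY KEY,
    tenant_id  TEXT NOT NULL,
    person_ref TEXT NOT NULL,
    note       TEXT NOT NULL
);
CREATE INDEX care_notes_tenant ON care_notes (tenant_id, person_ref);
"""

SAMPLE_ROWS = [
    ("agency-a", "P-001", "Morning visit completed"),
    ("agency-a", "P-002", "PRN paracetamol given 08:10"),
    ("agency-b", "P-001", "Key-safe code changed"),   # same person_ref, different tenant
]


class TenantScopeError(Exception):
    """Raised when code tries to touch the shared table without a tenant discriminator."""


class TenantScopedRepo:
    """Data-access layer bound to one tenant at construction. Every statement it
    issues carries `tenant_id = ?` taken from the session, never from the request,
    so a record id belonging to another tenant resolves to nothing rather than leaking."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise TenantScopeError("a tenant_id is required for every query")
        self._conn = conn
        self._tenant_id = tenant_id

    def get_note(self, note_id: int):
        row = self._conn.execute(
            "SELECT id, person_ref, note FROM care_notes WHERE id = ? AND tenant_id = ?",
            (note_id, self._tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "person_ref": row[1], "note": row[2]}

    def list_notes(self, person_ref: str):
        rows = self._conn.execute(
            "SELECT id, note FROM care_notes WHERE person_ref = ? AND tenant_id = ? ORDER BY id",
            (person_ref, self._tenant_id),
        ).fetchall()
        return [{"id": r[0], "note": r[1]} for r in rows]

    def add_note(self, person_ref: str, note: str) -> int:
        cur = self._conn.execute(
            "INSERT INTO care_notes (tenant_id, person_ref, note) VALUES (?, ?, ?)",
            (self._tenant_id, person_ref, note),
        )
        return cur.lastrowid


def unscoped_get_note(conn: sqlite3.Connection, note_id: int):
    """The bug the repository exists to prevent: a lookup by primary key alone.
    Any query path like this in a shared-schema system is a cross-tenant read."""
    row = conn.execute(
        "SELECT id, person_ref, note FROM care_notes WHERE id = ?", (note_id,)
    ).fetchone()
    return None if row is None else {"id": row[0], "person_ref": row[1], "note": row[2]}


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO care_notes (tenant_id, person_ref, note) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def demo() -> dict:
    conn = build_demo_db()
    agency_a = TenantScopedRepo(conn, "agency-a")
    return {
        "own_record": agency_a.get_note(1),
        "cross_tenant": agency_a.get_note(3),        # agency-b's row: None, not an error, not a leak
        "list_p001": [n["note"] for n in agency_a.list_notes("P-001")],  # agency-b's P-001 excluded
        "unscoped_leak": unscoped_get_note(conn, 3),  # what a missing discriminator hands back
    }
```

Because the application layer is the only enforcement point here, every new query path is a chance to omit the discriminator. Database-level row security (PostgreSQL row-level security policies keyed on a session variable, for instance) is the usual second layer, and a single-tenant database, as on the Group plan, removes the shared table altogether.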
Encryption

AES-256 at rest, TLS 1.3 in transit

Every record is encrypted at rest with envelope encryption via AWS KMS. TLS 1.3 is enforced on every endpoint. Highly sensitive fields (NI numbers, bank details, key-safe codes) carry an additional layer of application-level encryption, so they remain ciphertext to anything that reads the database directly.

  • HSTS preload, OCSP stapling
  • Per-tenant data keys, rotated quarterly
  • Field-level encryption for the most sensitive PII
Backups & recovery

15-minute PITR, 7-year retention

Point-in-time recovery with 15-minute granularity across the last 35 days. Nightly cold backups retained for 7 years. Quarterly disaster-recovery drills with full failover and data-integrity validation.

  • RPO ≤ 15 minutes
  • RTO ≤ 60 minutes (15 min on Group)
  • Quarterly DR validation
Access

RBAC, MFA, audited admin

Tenant-side: role-based and branch-scoped permissions, with TOTP or WebAuthn MFA enforceable per role. Carefold-side: just-in-time access through an audited bastion; all production access is logged and reviewed weekly.

  • SSO (SAML 2.0 + OIDC)
  • Carefold-side impersonation audit-logged
  • Quarterly access reviews
Audit log

Append-only, 7-year retention

Every mutation generates an immutable audit-log entry. The log is append-only, written to a separate data store, and signed in batches, so that altering, deleting or reordering an entry after the fact is detectable on verification. Tenants can export the full log via the API at any time.

  • Who, what, when, IP, user-agent, before / after
  • Tamper-evident batch signing
  • API + CSV + structured-JSON export
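One way an append-only, batch-signed audit log can be built and verified, as an added example rather than Carefold's implementation. The key, batch size, entry fields and sample mutations are constructed for the illustration, and HMAC-SHA256 stands in for whatever signature scheme the real store uses. Each batch is hash-chained to the previous batch's signature, so edits, deletions and reordering inside a sealed batch all surface at verification, while entries not yet sealed are reported as the window that is not yet tamper-evident:

```python
import hashlib
import hmac
import json

# Assumed for this example: the batch-signing key lives in a separate signing
# service (or a KMS-backed key), never beside the log store. Constructed value.
SIGNING_KEY = b"example-only-batch-signing-key"
BATCH_SIZE = 3  # tiny so the example seals quickly; production seals by size or timer


def canonical(entry: dict) -> bytes:
    """Stable byte encoding so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(entries: list, seed: bytes) -> bytes:
    """Hash a batch as a chain: each step commits to the previous digest, so
    removing, inserting or reordering an entry changes the head."""
    digest = seed
    for entry in entries:
        digest = hashlib.sha256(digest + canonical(entry)).digest()
    return digest


class AuditLog:
    def __init__(self, key: bytes = SIGNING_KEY, batch_size: int = BATCH_SIZE):
        self.key = key
        self.batch_size = batch_size
        self.entries = []        # the append-only store (a list stands in for it here)
        self.batches = []        # sealed batches: entry range, head hash, HMAC signature
        self._unsealed_from = 0  # first entry not yet covered by a batch
        self._last_sig = b""     # previous batch signature; seeds the next chain

    def append(self, who, what, before, after, ip, user_agent) -> int:
        entry = {"seq": len(self.entries), "who": who, "what": what, "before": before,
                 "after": after, "ip": ip, "user_agent": user_agent}
        self.entries.append(entry)
        if len(self.entries) - self._unsealed_from >= self.batch_size:
            self._seal()
        return entry["seq"]

    def _seal(self) -> None:
        start, end = self._unsealed_from, len(self.entries)
        head = chain_hash(self.entries[start:end], self._last_sig)
        sig = hmac.new(self.key, head, hashlib.sha256).digest()
        self.batches.append({"start": start, "end": end, "head": head.hex(), "sig": sig.hex()})
        self._last_sig = sig
        self._unsealed_from = end


def verify(entries: list, batches: list, key: bytes = SIGNING_KEY) -> dict:
    """Recompute every batch from an exported log. Reports which batches fail and
    how many trailing entries are unsealed (and therefore not yet tamper-evident)."""
    bad, prev_sig, covered = [], b"", 0
    for i, b in enumerate(batches):
        if b["start"] != covered or b["end"] > len(entries):
            bad.append(i)  # gap, overlap or truncated export
        else:
            head = chain_hash(entries[b["start"]:b["end"]], prev_sig)
            sig = hmac.new(key, head, hashlib.sha256).digest()
            if not (hmac.compare_digest(head.hex(), b["head"])
                    and hmac.compare_digest(sig.hex(), b["sig"])):
                bad.append(i)
        # Seed the next batch from the stored signature, as the signer did, so one
        # bad batch does not cascade into every batch after it.
        prev_sig = bytes.fromhex(b["sig"])
        covered = b["end"]
    return {"ok": not bad, "bad_batches": bad, "unsealed": max(0, len(entries) - covered)}


def demo() -> dict:
    log = AuditLog()
    # Constructed sample mutations, not real records.
    sample = [
        ("carer:jo", "care_note.create", None, {"note": "Morning visit completed"}),
        ("manager:sam", "medication.update", {"dose": "500mg"}, {"dose": "1g"}),
        ("carer:jo", "emar.administer", None, {"drug": "paracetamol", "time": "08:10"}),
        ("admin:carefold-support", "impersonate.start", None, {"as": "manager:sam"}),
        ("manager:sam", "keysafe.update", {"code": "<enc>"}, {"code": "<enc>"}),
        ("carer:ali", "care_note.create", None, {"note": "Evening visit completed"}),
        ("manager:sam", "rota.update", {"shift": "AM"}, {"shift": "PM"}),
    ]
    for who, what, before, after in sample:
        log.append(who, what, before, after, "10.0.0.12", "Move/1.0")

    clean = verify(log.entries, log.batches)            # 2 sealed batches, 1 unsealed entry

    edited = json.loads(json.dumps(log.entries))        # tamper 1: rewrite a sealed "after"
    edited[1]["after"] = {"dose": "500mg"}
    deleted = log.entries[:4] + log.entries[5:]         # tamper 2: drop a sealed entry

    return {"clean": clean,
            "edited": verify(edited, log.batches),
            "deleted": verify(deleted, log.batches)}
```

Two caveats the design makes visible: the verifier needs the signing key, so with an HMAC only the signer can check the log, and a public-key signature (Ed25519, say) would let a tenant verify an exported log independently; and the unsealed tail is ordinary mutable data until the next seal, which is why batch size or a timer should bound that window.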
Penetration testing

Annual + on major release

Independent penetration test by a CREST-accredited firm every 12 months, and ahead of any major release shipping medication or safeguarding logic. Findings are remediated, retested, and summarised in the trust pack.

  • External attack-surface + authenticated application test
  • Move PWA mobile-specific test
  • Remediation SLA: 30 days critical / 60 days high
Incident response

Defined runbook, 1-hour notification

A P1 production incident pages the on-call engineer immediately. Customers are notified of any impacting incident within 1 hour. A post-incident report (PIR) is published within 7 days, to the status page and the trust pack.

  • 24/7 on-call rotation
  • 1-hour customer notification
  • PIR within 7 days, public on status page
Data lifecycle

UK GDPR-compliant, defined retention

Carefold is the data processor; the tenant is the data controller. Retention policies are enforced per record. On contract end we export everything you ask for, retain it for 90 days, then delete it from production and issue a destruction certificate.

  • Subject access & erasure flows
  • Per-record retention rules
  • Destruction certificate on offboard
Trust pack

Documents we'll send under DPA.

These exist and are kept current. We send the full pack within one working day of a signed DPA. Some are public; the rest are NDA-gated. Ask.

Data Processing Agreement (template)
Standard Carefold-as-processor DPA, UK GDPR Art. 28-compliant, with SCCs plus the UK Addendum (or the IDTA) as the fallback mechanism for any cross-border processing.
PDF · 14 pp
v3.2 · Jan 2026
Public →
Clinical safety case (DCB0129)
Manufacturer's clinical risk management file. Hazard log, mitigations, severity scoring, post-deployment monitoring for Helm, Move & Pulse.
PDF · 32 pp
v2.4 · Feb 2026
NDA →
Deployment safety case (DCB0160) template
Pre-populated DCB0160 template for the deploying organisation, including agency-side hazards and recommended controls.
DOCX · 22 pp
v2.1 · Jan 2026
Public →
DSPT evidence library
Carefold-side evidence for the assertions that map to your DSPT submission as deployer, mapped line by line.
PDF · 60 pp
2025-26 toolkit
NDA →
DTAC pack
Filled DTAC v1.4 with clinical-safety, data-protection, technical-security, interoperability and usability evidence.
PDF · 28 pp
v1.4 · 2025 cycle
NDA →
ISO 27001 SoA & certificate
Statement of Applicability + UKAS-accredited certificate, current within the surveillance cycle.
PDF · 18 pp
2025-26
Public →
Penetration test executive summary
CREST-accredited annual test summary. Findings, severities, remediation timeline. Full report under tighter NDA.
PDF · 8 pp
Nov 2025
NDA →
Business continuity & DR plan
RPO/RTO commitments, runbook for region failover, last DR exercise report, post-exercise actions.
PDF · 16 pp
v4 · Dec 2025
NDA →
Sub-processor list
AWS, Mapbox, Twilio (SMS), Stripe (billing only — no clinical data). All UK or EU. Updated every release.
PDF · 4 pp
live
Public →
Operational

Uptime, transparency.

We publish the same numbers we report internally. Status page mirrors what our on-call sees.

Helm · operational
UK-1 · UK-2 healthy
Move (PWA) · operational
PWA sync & push delivery within SLA
Home (family portal) · operational
Notifications within SLA
Pulse · operational
Last model retrain: 22 May 2026
Integrations · operational
GP Connect, Xero, Sage, Twilio healthy
Trailing 30d · 99.97%
Trailing 90d · 99.97%
Trailing 12mo · 99.94%

Send your procurement questions.

We aim to respond to procurement questionnaires within 3 working days. Send what you've got — we'll fill it in line by line.
