Data Security & Privacy

We take our responsibility to you and your patients incredibly seriously. This page explains how we keep your patients’ data safe, our security credentials, and how we fit with NHS rules and guidance on data sharing.

How do we keep data secure?

Data collected through the App is protected by measures in place to safeguard and secure it. Data in transit is kept secure and protected using verified secure SSL connections.

Basic demographic information is collected and encrypted at rest. No additional controls are needed, as the user may delete the app at any time, at which point their information is removed.

The users’ personal details are AES-256 encrypted in the database.

The data is held within an Amazon EC2 instance hosted in the London data centre. The server is configured behind Amazon firewalls and has monitoring enabled. All user data is encrypted at rest using AES-256 encryption. All data is stored in the UK-based data centre.

What data do we process?

To identify users, we collect the following data sets:

Full name

Date of Birth

Email Address

Mobile phone number

How are we ‘IG compliant’?

We have NHS Data Security and Protection Toolkit assurance. Our standards exceed the Assessment Criteria (under NHS ODS code D5N7J). You can see our full submission here. We also develop software under the principle of ‘Privacy by Design’ and adhere to the Digital Social Care Data Protection & Cyber Security Guidance.

Are we Cyber Essentials certified?

Yes. Cyber Essentials is a scheme run by the UK government and the National Cyber Security Centre to help you know that you can trust us with your data. We hold both the Cyber Essentials and Cyber Essentials Plus certifications.

Data Privacy Impact Assessments (DPIAs)

When using Surgery App, it is up to the data controller (your organisation) to complete a DPIA. As a data processor, we cannot complete it for you. A template DPIA is available upon request. Email support@surgeryapp.co.uk to request a copy.