Trust & Safety
Security & Compliance
Security and compliance designed in from day one. Here is where we are, what we are working towards, and how patient data is protected with ProtoFlex.
Our Position
Transparency First
Security and compliance have been central to our architecture and processes from the beginning — not retrofitted after the fact. We have a clear path to full certification and are working through the frameworks in a deliberate, sequenced way.
This page sets out our current status across the frameworks that matter most to NHS IG leads, clinical safety officers, and procurement teams.
At a Glance
Compliance Status
NHS DSPT
Registered on the NHS Data Security and Protection Toolkit. Our current DSPT status and latest submission can be checked directly on the DSPT portal.
Verify on DSPT ↗
ICO Registration
Registered with the Information Commissioner's Office as a data controller. Registration is publicly verifiable.
Verify on ICO ↗
Secure SDLC & Penetration Testing
Security is integrated into every stage of development through static analysis, dependency scanning, and threat assessment tooling — validated annually by penetration testing of the live platform.
Cyber Essentials
We have self-assessed against the full Cyber Essentials control set and consider every control met. Formal submission to a certification body for accreditation is the next step.
DCB0129 Clinical Safety
A specialist third-party clinical safety consultant is engaged and the approach is scoped. The hazard log, clinical risk management file and Clinical Safety Officer sign-off are scheduled alongside our first contracted NHS deployment.
UK GDPR
All data hosted in the UK. Data Processing Agreements in place with each customer. Tenant isolation means no data is shared between organisations.
Data Protection
UK GDPR & Data Residency
Patient data is hosted and processed only in the United Kingdom. ProtoFlex runs entirely in Microsoft Azure UK regions, a cloud environment widely used by NHS organisations.
We take a tenant-isolated architecture approach: each customer organisation's data is logically isolated from every other organisation's, rather than held in a shared schema distinguished only by a tenant identifier. No data is commingled across NHS organisations, which removes the cross-tenant access risk inherent in shared-schema multi-tenant designs.
A Data Processing Agreement (DPA) is agreed with every customer before go-live, setting out clearly who controls the data, how it is processed, and the safeguards in place.
Data Residency Summary
- ✓ UK-only hosting — Azure UK data centres
- ✓ Tenant isolation — each organisation's data is strictly separated
- ✓ DPA with every customer — agreed before any data is processed
- ✓ ICO registered — data controller registration in place
- ✓ No third-country transfers — data does not leave the UK
Cyber Essentials
Pending Submission
We have completed a thorough self-assessment against all five Cyber Essentials controls:
- ✓ Firewalls
- ✓ Secure configuration
- ✓ User access control
- ✓ Malware protection
- ✓ Patch management
Formal accreditation submission is the final step. We expect to hold the Cyber Essentials badge by mid-2026.
Cyber Security
Cyber Essentials Ready
Cyber Essentials is the UK government-backed scheme that provides a baseline of cyber hygiene. It is increasingly a prerequisite for NHS supplier contracts.
ProtoFlex has worked through the complete set of Cyber Essentials controls and self-assessed every requirement as satisfied. We are at the final accreditation step: formal submission to a certification body. Certification is an independent check of that self-assessment rather than a change to the controls themselves, so until the certificate is issued our Cyber Essentials status is self-assessed, not certified.
We plan to hold the certified Cyber Essentials badge by mid-2026. If you are evaluating us as a supplier and the badge is a hard requirement for your procurement process, please contact us — we can discuss timelines and, where appropriate, share our self-assessment documentation.
Clinical Safety
DCB0129 Clinical Safety
DCB0129 is the NHS standard for clinical risk management in the manufacture of health IT systems. It requires a named Clinical Safety Officer, a hazard log, a clinical risk management file and a clinical safety case report, produced through a formal clinical risk management process.
We have identified and engaged a specialist third-party clinical safety consultant to lead this work when we move into formal NHS procurement. This is a deliberate sequencing decision — DCB0129 is a significant investment and we are aligning it with our first contracted NHS deployment rather than certifying speculatively.
For any trust or organisation where DCB0129 is a procurement gate, we are ready to engage on a timeline that works for your procurement process. Please get in touch to discuss.
DCB0129
In Progress
- ✓ Third-party clinical safety consultant identified and engaged
- ✓ Clinical safety approach scoped and agreed
- → Hazard log and clinical risk management file — to be completed alongside first NHS deployment
- → Clinical Safety Officer sign-off — to follow
Secure SDLC & Penetration Testing
Continuous + Annual
- ✓ Annual penetration testing of platform and infrastructure
- ✓ Multiple toolsets used to broaden coverage
- ✓ Findings reviewed, prioritised, and remediated
- ✓ Results available to NHS IG teams on request
Security Testing
Security Built Into Every Release
Annual penetration testing is one part of our security picture. The more fundamental layer is a secure software development lifecycle in which security analysis is integrated into the development process itself — not applied as a checkpoint at the end.
Our development workflow incorporates multiple layers of tooling covering static code analysis, dependency vulnerability scanning, and threat assessment. Security issues are surfaced and addressed continuously during development, so we are not waiting for a penetration test to tell us something is wrong.
Annual penetration testing then validates that posture against the running platform and infrastructure, with findings triaged by severity, prioritised and remediated on a timescale set by that severity. Results are available to NHS IG teams on request.
External Registrations
Verified Registrations
These registrations are publicly verifiable through their respective portals.
ICO Registered
Registered data controller with the Information Commissioner's Office.
View registration ↗
Get in Touch
Questions About Our Security Position?
If you are an NHS IG lead, clinical safety officer, or procurement officer with specific questions, we are happy to provide documentation, answer questions directly, or discuss our roadmap in the context of your procurement timeline.
Talk to the Team