Security & compliance

Built for regulated
healthcare data.

Crewmates handles clinical, personal and financial data every day. Security and compliance aren’t an add-on. They’re how the platform is built.

Request security pack Privacy policy

Security pillars

Nine foundations for every piece of data.

Encryption

TLS 1.3 in transit, AES-256 at rest. Database, backups and file storage all encrypted.

UK data residency

Primary data stored in eu-west-2 (London). Dedicated residency available for Enterprise.

Role-based access

Fine-grained permissions per module. Row-level security enforced in the database itself.

Audit logging

Every read, write and permission change on sensitive data is logged and retained.

GDPR workflows

Subject access, right-to-erasure and data portability built into the platform.

Clinical retention

Clinical records retained for 8 years by default, aligned to NHS and GDPR guidance.

Incident response

Documented breach-response plan with escalation tree and ICO notification timeline.

Network isolation

Production traffic isolated from dev/staging. Secrets managed through platform vaults.

Backups & DR

Daily encrypted backups with point-in-time recovery. Quarterly disaster-recovery testing.

Standards

Regulatory alignment.

UK GDPR

Fully aligned. Lawful basis documented per workflow, DPA available on request.

CQC

Data handling and audit trails aligned to CQC fundamental standards.

NHS DSPT

Working toward NHS Data Security & Protection Toolkit submission.

ISO 27001

ISO 27001-aligned controls today. Formal certification on roadmap.

Cyber Essentials

Cyber Essentials-aligned controls. Certification planned.

MHRA

Controlled drug workflows match MHRA chain-of-custody requirements.

How data flows

From sign-in to backup.

Auth & sessions

User authentication runs on Supabase Auth with server-side session management. SSO available for Enterprise. Passwords hashed with bcrypt; sessions rotated and short-lived. TOTP MFA enforced for staff users.

Data storage

Postgres databases in UK regions. Row-level security policies enforce organisational and role-based access at the database level. Every query is scoped to the calling user’s organisation and permission set.

Files & media

Attachments stored in encrypted object storage with signed-URL access. Retention policies apply per content type.

Audit trail

Sensitive operations write to an immutable audit log: who, what, when and (for writes) a diff of the change.

Backups

Daily encrypted backups with point-in-time recovery. Quarterly restore drills documented.

Need our security documentation?

Security review packs (DPIA template, DPA, platform overview) available on request for procurement teams.

Request security pack

Built for regulatedhealthcare data.