Trust & security
All systems operational

Carer data treated like the clinical record it is.

CareComply was designed for regulated environments. We host in the UK, encrypt at rest, sign every export, and enforce security at the database layer — not just the application.

ICO-registered
data controller · ZB123456
UK GDPR
compliant data processor
AWS London
eu-west-2 · SOC 2 Type II certified infrastructure
DPA available
pre-signed on Pro and Enterprise
Security controls

Protection at every layer.

Security is not an afterthought in CareComply — it is a design constraint. Here is how we protect the data you entrust to us.

ICO-registered

We are a registered data controller under UK GDPR and the Data Protection Act 2018.

UK data residency

All data is stored and processed in AWS eu-west-2 (London). Your data never leaves the UK.

Encryption at rest

AES-256 encryption on all stored data. TLS 1.2+ on all data in transit.

Tamper-evident exports

Every audit export is cryptographically signed with HMAC. Verifiable years later.

Row-level security

Database-level isolation. No query can access another organisation's data — enforced at the DB layer, not application layer.

Granular permissions

Every action is scoped to a role. Custom roles on Pro. Audit log records the identity behind every operation.

Audit trail

Every action. Tamper-evident. Verifiable.

The audit log records every event — who did it, when, from where, and what CQC key question it maps to. The log is append-only; no user, including an owner, can edit or delete entries.

  • Immutable append-only log
  • User identity + IP on every event
  • CQC key question tagging
  • Exportable as signed CSV or Excel
  • HMAC-verified exports — independently verifiable
Audit log
Tamper-evident
6 CQC key questions · 12 categories
TimeUserActionCQCSeverity
2m agoimogen.reed@lindenApproved document · DBS check · Marcus HollowaySafeinfo
14m agosystemSent automatic chase · Reference · Dr. Helen WhitfieldSafeinfo
1h agokola.adekoya@lindenUploaded document · Right to Work · P. SubramanianEffectiveinfo
3h agosystemExpiry reminder sent · Manual Handling · H. WójcikSafewarning
Yesterdayimogen.reed@lindenRejected reference · Char. ref. · M. HollowaySafewarning
YesterdaysystemAudit export signed · carecomply-cqc-audit-linden.xlsxWell-ledinfo
Data processing

Your data is yours. Always.

CareComply acts as a data processor for your tenant data and a data controller for our own operational data. A standard Data Processing Agreement (DPA) is available on request and pre-signed for Pro and Enterprise customers.

Sub-processors are limited to AWS (infrastructure), Stripe (billing), and Resend (transactional email). We do not sell or share your data with third parties.

If you cancel, you can export everything — every document, every audit log, every reference — before your account closes. Tenant data is permanently deleted within 30 days of confirmed cancellation.

Stop chasing paperwork

Run a CQC-ready agency without the spreadsheet tax.

Move onboarding, document review, reference chasing, and inspection prep onto a single audited workspace. Live in a day, free for 14.

Start free trial Book a demoNo card required · UK-hosted on AWS · GDPR-compliant