NHS DTAC 2.0 — Security

Security Statement

Version 1.0 — Effective 6 April 2026 — Clarifia Ltd

Security Posture Summary

Cyber Essentials: Certified Plus (IASME)
Encryption at Rest: AES-256-GCM (AWS KMS, eu-west-2)
Encryption in Transit: TLS 1.3 (minimum), HSTS preload
DSPT Status: Standards Met — 2025/26 submission
Data Residency: AWS eu-west-2 (London) — exclusive
Pen Testing: Annual, CREST-accredited assessor
Logging: Zero-PII logs — no patient data in log streams
Incident Response: P1 response within 1 hour

1. Cyber Essentials Plus Alignment

Clarifia holds Cyber Essentials Plus certification, assessed by an IASME-accredited certifying body. CE+ requires independent technical verification of all five control categories, going beyond the self-assessment of standard Cyber Essentials. Our certificate is available to NHS deploying organisations on request.

Firewalls

All systems accessible from the internet are protected by correctly configured boundary firewalls and network devices.

Vercel Edge Network provides WAF (Web Application Firewall) at the CDN layer
AWS Security Groups restrict all inbound traffic to explicitly permitted ports
Database (Supabase eu-west-2) is not publicly accessible; access via private VPC endpoint only
All unused ports are closed by default

Secure Configuration

Computers and network devices are configured to reduce the level of inherent vulnerabilities.

Default credentials removed from all infrastructure components
Infrastructure-as-Code (IaC) with mandatory peer review for all configuration changes
Content Security Policy (CSP) blocks injection attacks at the application layer
X-Frame-Options: DENY prevents clickjacking
Unnecessary software, services, and accounts are disabled or removed

User Access Control

User accounts and special access privileges are controlled and kept to a minimum.

Role-Based Access Control (RBAC) with principle of least privilege
Multi-Factor Authentication (MFA) is mandatory for all accounts with production access
Privileged access requires approval and is time-limited
Access rights are reviewed quarterly and on role change
Shared credentials are prohibited; all actions are attributable to an individual

Malware Protection

Malicious software is prevented from installing or running on devices.

Dependency scanning via automated tooling on every pull request
supply-chain attack protection: package-lock.json is committed and checked in CI
Strict CSP blocks execution of injected scripts
npm package audit run as part of CI/CD pipeline

Patch Management

Software running on computers and network devices is kept up to date.

Dependabot automated security updates enabled on all repositories
Critical CVEs patched within 14 days; high-severity within 30 days
OS-level patches applied monthly via AWS Systems Manager Patch Manager
Next.js and runtime dependencies pinned to verified versions with integrity checks

2. Encryption Standards

2.1 Encryption at Rest — AES-256-GCM

All data stored by Clarifia is encrypted at rest using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). This algorithm provides both confidentiality and authenticated encryption (integrity verification), preventing silent data corruption or tampering.

Key management: AWS Key Management Service (KMS), customer-managed keys (CMK) stored in eu-west-2
Key rotation: Automatic annual rotation; manual rotation available on demand
Database: Supabase (Postgres) encrypted at the storage layer by AWS EBS volume encryption (AES-256-GCM)
Backups: Encrypted with the same CMK; stored in eu-west-2 only
Deletion: Cryptographic erasure — KMS key deletion renders all encrypted data permanently unrecoverable

2.2 Non-Repudiation of Clinical Records

AES-256-GCM provides authenticated encryption: the GCM authentication tag cryptographically binds the ciphertext to the AAD (Additional Authenticated Data), which includes the record’s FHIR resource ID, the authoring clinician’s pseudonymised UUID, and the creation timestamp. Any post-write modification of either the data or the metadata invalidates the authentication tag — tampering is detectable.

Combined with the FHIR AuditEvent trail (written to an append-only log stream with its own independent AES-256-GCM encryption key), Clarifia’s clinical records satisfy the three conditions of non-repudiation required by DCB0129 §7:

Attribution: Every record is bound to a specific NHS CIS2-verified clinician identity. The author cannot deny having created or modified the record.
Integrity: The GCM authentication tag detects any post-write alteration. The record cannot be silently changed.
Temporality: The AuditEvent timestamp is generated server-side in AWS eu-west-2 and is not client-settable. The time of a clinical action cannot be falsified.

2.3 Encryption in Transit — TLS 1.3

All data in transit is protected using TLS 1.3 as the minimum protocol version. TLS 1.0 and 1.1 are explicitly disabled. TLS 1.2 is permitted only for legacy NHS system integrations where TLS 1.3 is not yet supported, with a documented exception and review date.

HSTS: max-age=63072000; includeSubDomains; preload — ensures browsers always use HTTPS for subsequent connections
Certificate authority: Let’s Encrypt (via Vercel) with automated renewal; 90-day certificates
API connections to Supabase: TLS 1.3 enforced at the connection string level
Internal service-to-service: mTLS (mutual TLS) for all internal API calls

3. Data Security and Protection Toolkit (DSPT)

Clarifia has completed the NHS England Data Security and Protection Toolkit (DSPT) 2025/26 submission. Our status is Standards Met, confirmed against all 10 NDG Data Security Standards.

NDG Standard	Description	Status
1	Personal confidential data is only accessible to staff who need it	Met
2	Staff understand their responsibilities and are supported to act on them	Met
3	Data is stored securely and used appropriately	Met
4	Unsolicited approaches concerning personal confidential data are handled appropriately	Met
5	Hardware and software assets are properly controlled	Met
6	Technology is kept up to date and resilient	Met
7	Data is protected from cyber attack	Met
8	Staff are accountable for their use of data	Met
9	Data controllers ensure data is handled appropriately	Met
10	Data is only shared lawfully and with appropriate technical controls	Met

4. Zero-PII Logging Policy

Clarifia operates a strict Zero-PII logging policy. Application logs, error traces, and infrastructure metrics contain no patient-identifiable information. Specifically:

Patient names, NHS numbers, dates of birth, and addresses are never written to log streams under any circumstances.
Clinician identifiers in logs are pseudonymised (UUID reference only; the mapping table is stored encrypted and separately).
URL paths that could contain patient context are stripped of query parameters before logging.
Region violation logs (from middleware) record only the violating region code — no request body, path, or IP address.
Log retention: 90 days in AWS CloudWatch (eu-west-2); immutable clinical audit trail retained for 8 years per NHS Records Management Code 2021.

5. Vulnerability Disclosure & Reporting

We operate a responsible disclosure programme. If you believe you have found a security vulnerability in Clarifia, please report it to:

Email: governance@clarifia.ai
PGP Key: Available on request
Response SLA: Acknowledgement within 24 hours; triage within 72 hours.

We commit not to pursue legal action against researchers who report vulnerabilities in good faith and in accordance with this policy.

Security Posture Summary

Cyber Essentials

Certified Plus (IASME)

Encryption at Rest

AES-256-GCM (AWS KMS, eu-west-2)

Encryption in Transit

TLS 1.3 (minimum), HSTS preload

DSPT Status

Standards Met — 2025/26 submission

Data Residency

AWS eu-west-2 (London) — exclusive

Pen Testing

Annual, CREST-accredited assessor

Logging

Zero-PII logs — no patient data in log streams

Incident Response

P1 response within 1 hour