Safety and Security

Careflow is committed to keeping the data secure. It meets the strictest security and information governance requirements needed for health and social care.

It meets or exceeds all relevant healthcare data protection standard.

ISO 27001 certified

Careflow has full ISO 27001 certification. We adhere to robust processes around risk management, security, business continuity and compliance.

Data Protection

Our Caldicott Guardian ensures ongoing review and fulfilment of the Caldicott principles and recommendations.


All patient-identifiable data and content is encrypted, both in transit and at rest. Careflow uses AES GCM 256-bit level encryption for storage, supported by strong certificate-based key management policies. Information accessed by a device is encrypted in transit using 256-bit TLS.

Application security

We strictly follow OWASP recommendations and regularly run internal vulnerability scans, penetration tests and commission independent specialists in information security to run external tests. We develop against web application vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (XSRF) and SQL injection.

Service monitoring

Service availability is continuously monitored. Our team is on standby 24×7 to respond in the unlikely event of a serious application issue. Our services are performance and load monitored. Messages are tracked to ensure they are not lost in transit or in the event of system failure.


Careflow holds an NHS Information Governance Statement of Compliance (IGSoC). Careflow complies with US Health Insurance Portability and Accountability Act (HIPAA).

Clinical Safety Standard ISB0129

Careflow is ISB0129 compliant. We use a secure agile development life cycle with testing and clinical review overseen by a registered Clinical Safety Officer with additional external safety assurance resource.

User authentication

Careflow implements claims-based authentication (OAuth 2.0), two-factor authentication for device access and enforces a strong password policy. Careflow can additionally federate against other identity providers, including Active Directory.

Hosting Accreditation

Careflow’s data is hosted in the Microsoft Azure cloud computing platform. Azure meets a broad set of international and industry-specific compliance standards, such as ISO/IEC 27001/27002:2013, HIPAA and FedRAMP. Microsoft is the only cloud provider to adhere to the ISO/IEC 27018 code of practice, covering the processing of personal information by cloud service providers.