Compliance

What's actually in place, and what isn't.

A lot of care-tech products list badges they don't hold. We won't. This page is the honest picture of where Vicarity stands on compliance — updated as things land.

In place · In progress · On roadmap

CQC Single Assessment Framework

In place

The platform is modelled around the CQC framework.

Care logs, incidents, risk assessments and staff training link to CQC quality statements. Evidence is structured so it's available when inspectors ask for it.

UK GDPR + Data Protection Act 2018

In place

Special Category Data handled appropriately.

Role-based access control, scoped data visibility (care home isolation), audit logs on sensitive actions, and encryption at rest and in transit (TLS 1.3).

UK hosting

In place

No data leaves the UK.

Application hosted on UK infrastructure. Database on Supabase EU region. No US cloud dependencies in the production path.

DBS handling

In place

Care workers upload DBS; care homes verify before booking.

Worker credentials including DBS certificate, expiry and update-service subscription are stored against the worker's profile. Care homes can set DBS requirements per shift and passporting enforces them automatically.

Audit trail

In place

Structured logs of sensitive actions.

Mutations on resident records, care plans, medication-related actions, and staff credentials are logged with user, timestamp, and before/after state.

Subject access requests (SARs)

In progress

Tools for data export and deletion.

Backend audit trail exists. Self-service SAR tooling for care workers, families and residents is being built.

ICO registration

In progress

Application in progress.

As a data controller, Vicarity will be registered with the Information Commissioner's Office. We'll publish the registration number here once granted.

NHS Data Security and Protection Toolkit (DSPT)

On roadmap

Target: before general availability.

DSPT is required to process NHS patient data at scale. We're preparing the assessment alongside ISO 27001 groundwork.

ISO 27001 certification

On roadmap

Target: 12–18 months post-launch.

Information security management. We'll undertake a formal audit once we have production scale to warrant certification.

Cyber Essentials Plus

On roadmap

Target: pre-DSPT.

UK baseline cyber security certification. Simpler and faster than ISO 27001 — a natural first step.

Questions about a specific requirement?

We'll answer directly — no PDFs, no gatekeeping.
