Security and compliance are fundamental to everything we do at Revitaco. This page provides transparency into our practices, certifications, and the third parties we work with.
Security Overview
Revitaco implements comprehensive security measures to protect your data. Our approach is based on defence in depth, with multiple layers of protection.
Encryption
All data encrypted in transit and at rest using industry-standard encryption
Access Control
Role-based access with multi-factor authentication
Monitoring
Continuous monitoring and alerting
Secure Development
Secure coding practices and regular code reviews
Incident Response
Documented procedures with 72-hour breach notification
Business Continuity
Automated backups and disaster recovery
Technical Security Measures
- Network Security: DDoS protection and network segmentation
- Application Security: Input validation and secure coding practices
- Data Security: Encryption at rest and in transit, data minimisation
- Identity Security: MFA enforcement, password policies, session management
- Operational Security: Least privilege access and security training
Data Hosting
Your data is hosted in the United Kingdom, ensuring compliance with UK data residency requirements and minimising latency for UK-based users.
Data Centre Location
- Location: United Kingdom
- Infrastructure Provider Certifications: ISO 27001, SOC 2
- Availability: High availability architecture
Data Residency
All primary data (resident records, care notes, user data) is stored exclusively in UK data centres. No customer data is transferred outside the UK without explicit consent and appropriate safeguards.
Backup and Recovery
- Automated daily backups
- Point-in-time recovery capability
- Backups encrypted and stored securely
- Regular backup restoration testing
Sub-Processors
We use carefully selected third-party service providers (sub-processors) to deliver our platform. Each provider is vetted for security and compliance.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting (PostgreSQL) | United Kingdom |
| Vercel | Application hosting | Global (edge network) |
| Clerk | User authentication | USA (GDPR compliant) |
| Stripe | Payment processing | UK/USA |
| Resend | Transactional email | USA (GDPR compliant) |
| Sentry | Error monitoring | USA (GDPR compliant) |
| Amazon Web Services (AWS) | File storage (S3) | United Kingdom |
We maintain contracts with all sub-processors that include appropriate data protection obligations. Customers are notified of new sub-processors with at least 30 days' notice.
Audit Logging
Comprehensive audit logging is essential for care sector compliance and demonstrating accountability. Revitaco maintains detailed, immutable audit trails.
What We Log
We maintain comprehensive audit trails covering user activity, data access, modifications, and system events. This supports CQC compliance and enables full accountability.
Retention and Access
- Audit logs retained in line with NHS records guidance
- Logs are immutable and tamper-evident
- Accessible to authorised administrators via the platform
- Exportable for regulatory inspections
Certifications & Compliance
We are committed to achieving and maintaining recognised security and compliance certifications relevant to the UK care sector.
UK GDPR Compliant
Status: Active. Compliant with the UK General Data Protection Regulation.
ISO 27001
Status: Active. Information Security Management System certification.
Cyber Essentials Plus
Status: Planned. UK Government-backed cybersecurity certification.
NHS DSPT
Status: Planned. NHS Data Security and Protection Toolkit alignment.
Regulatory Alignment
- CQC: Platform designed to support CQC compliance requirements
- UK GDPR: Full compliance with UK data protection legislation
- Data Protection Act 2018: Adherence to UK-specific requirements
- PECR: Compliance with electronic communication regulations
Security Questions or Concerns?
If you have security questions, require additional documentation, or want to report a security concern, please contact our security team.
- Security Enquiries: security@revitaco.io
- Responsible Disclosure: security@revitaco.io
- Compliance Documentation: legal@revitaco.io