Due-diligence answers, without the trust-center theatre.
Review the WhiteFieldHealth security posture, healthcare governance controls, retention model, and privacy architecture in one place.
Data hosting
UK-first operating posture
Primary regimes
UK GDPR, NHS DSPT, HIPAA-aligned controls
Security baseline
AES-256 at rest, TLS 1.3 in transit
Trust snapshot
Built for governance review, not just marketing reassurance.
Current posture
The control surface before the deep detail.
This opening layer is meant to accelerate security, procurement, and governance review before the longer sections below.
Encryption at rest
AES-256
Encryption in transit
TLS 1.3
Regulatory breach-notice window
72 hrs
US healthcare contract support
BAA-ready
GDPR compliant
NHS DSPT
ICO registration
Cyber Essentials
ISO 27001
Patient data is handled under formal processor terms
We operate under a Data Processing Agreement and keep controller versus processor responsibilities explicit.
UK residency is the default operational position
Clinical data handling follows UK-hosted processing patterns unless a customer-specific arrangement changes that position.
Governance evidence is built for due diligence review
Retention, auditability, access controls, and healthcare-specific standards are documented in one place.
Incident response and notification paths are documented
Escalation, investigation, and regulatory notification procedures are part of the operating model, not an afterthought.
Control area 01
GDPR compliance
WhiteFieldHealth operates within the UK GDPR and Data Protection Act 2018 framework, with healthcare-specific processing anchored to explicit role separation and operational review.
Lawful basis for processing
Processing is anchored in contractual necessity and healthcare lawful bases, with explicit consent reserved for non-essential processing where required.
Data subject rights
Access, rectification, erasure, restriction, portability, and objection workflows are supported through one accountable response path.
Data protection impact assessments
High-risk processing involving patient data, transcription, and note generation is reviewed through DPIA-led governance.
Data protection oversight
A designated privacy lead oversees compliance activity, supports operational reviews, and acts as a contact path for governance questions.
International transfers
No third-country transfer occurs without an explicit customer arrangement and suitable UK transfer safeguards.
Breach notification
Qualifying incidents are assessed rapidly, with regulatory and customer notification paths aligned to applicable UK obligations.
Control area 02
Data security
Technical and organisational controls protect patient data across storage, transmission, application access, and incident handling.
Encryption at rest
Patient data is encrypted with AES-256, with key-management controls and rotation procedures supporting the storage layer.
Encryption in transit
Traffic is protected with TLS 1.3, HSTS, and certificate controls across public and authenticated product paths.
Access controls
Role-based access, least-privilege boundaries, session controls, and MFA support shape who can see or change sensitive content.
Infrastructure security
UK-hosted infrastructure uses network segmentation, hardened boundaries, and monitored cloud environments with resilience controls.
Application security
Testing, dependency scanning, and common web-risk mitigations are part of the release and maintenance posture.
Incident response
Documented response procedures define severity, ownership, communication steps, and post-incident review expectations.
Control area 03
HIPAA safeguards
For US healthcare workflows where contractually required, WhiteFieldHealth supports HIPAA-aligned safeguards and BAA-backed processing arrangements.
Administrative safeguards
Access governance, security management, risk review, and incident response controls support regulated workflows where HIPAA terms apply.
Technical safeguards
Encryption, access controls, authentication controls, and audit mechanisms are available for systems handling regulated health data.
Physical safeguards
Facility and infrastructure controls are inherited through audited cloud environments with resilience and access restrictions.
HIPAA applicability depends on customer role, deployment architecture, and executed contractual terms, including a Business Associate Agreement where required.
Control area 04
Audit logging
Auditability is treated as an operating control. Key product and administrative events are recorded for review, governance, and investigation.
Authentication events
Login, logout, failed attempts, MFA challenges, and credential changes.
Data access
Patient record views, note access, transcript playback, and template views.
Data modification
Note creation, edits, deletions, template changes, and configuration updates.
Administrative actions
User management, role changes, organisation settings, and invitation events.
AI processing events
Transcription requests, note generation, retrieval calls, and model processing metadata.
Export and sharing
Note exports, PDF downloads, clipboard copies, and related outbound actions.
Enterprise customers can also receive audit-log exports and SIEM integration support.
Control area 05
Data retention
Retention periods are set to match clinical, legal, and operational needs while keeping data-minimisation obligations explicit.
| Data type | Retention period | Basis |
|---|---|---|
| Clinical notes | 8 years from last entry | NHS Records Management Code |
| Paediatric / mental health notes | 25 years from last entry | NHS Records Management Code |
| Audio recordings | 30 days after transcription | Data minimisation - Art. 5(1)(c) |
| Transcripts | Same as clinical notes | Part of the clinical record |
| Audit logs | 7 years | NHS DSPT requirement |
| Account data | Duration of contract + 1 year | Contractual necessity |
| AI processing metadata | 3 years | Legitimate interest / quality assurance |
| Anonymised analytics | Indefinite | Fully anonymised, not personal data |
Organisation administrators can configure shorter retention periods where appropriate. Deletion requests are handled in line with applicable GDPR rights.
Control area 06
Data processing and sub-processors
WhiteFieldHealth acts as a processor on behalf of the customer organisation. Supporting sub-processors are limited to services necessary to deliver the product.
Cloud infrastructure
UK data centres with audited physical and operational controls, resilience, and recovery coverage.
AI transcription
Audio processing is scoped to service delivery with transient handling patterns and controlled retention boundaries.
AI language models
API-based processing relies on contractual no-retention commitments for customer data used in note-generation workflows.
Transactional email
Supportive account communications such as resets and invitations are routed through a GDPR-aligned email provider.
Customers are notified before new sub-processors are engaged, and the full list is available through contractual documentation.
Control area 07
Healthcare standards
WhiteFieldHealth is designed for healthcare teams and maps its controls to the standards and expectations those environments actually care about.
NHS DSPT
We maintain an NHS Data Security and Protection Toolkit submission posture aligned to the National Data Guardian standards.
Clinical safety process
Clinical risk management and safety review follow a maintained governance process appropriate to documentation-support tooling.
HIPAA readiness
For US workflows where required, WhiteFieldHealth supports HIPAA-aligned controls and Business Associate Agreement terms.
Caldicott alignment
Patient information handling is scoped to justified use, minimum necessary access, and clearly governed accountability.
Control area 08
Questions, documents, and requests
Use one contact path for trust reviews, subject-rights questions, procurement diligence, or privacy documentation requests.
Contact
Email our support and compliance contact path directly for governance questions and document requests.
[email protected]
Need a trust answer quickly?
Start the diligence review with the right page, then email us directly.
Use compliance for controls, privacy for data handling, and the contact route for specific document or review requests.