Security & trust
Built for care providers' compliance reviews
Care providers' compliance officers, DPOs and CQC inspectors all want to know the same things: where the data lives, who can see it, how it's protected, and what happens when something goes wrong. This page consolidates the answers. If your procurement team needs a single URL to attach to an RFP response, this is it.
Last updated: 17 May 2026. If anything is unclear or you need additional documentation, get in touch.
Track record
A decade of running care records, and counting
The first Carerealm account was created on 19 November 2015. Since then we've spent more than ten years running this platform every day for care providers across the UK, keeping it secure, keeping the records intact, and quietly rebuilding the underlying technology as the web evolved underneath us.
- 10+ years live
- In production continuously since November 2015. Real services have trusted us with real records for over a decade.
- 4 generations rebuilt
- The platform has been rebuilt from the ground up four times to keep pace with what modern care needs. Customers haven't had to start over each time. We have.
- 100% continuity
- Every rebuild has carried your existing areas, diary entries, files, audit trail and history forward unchanged. The records you wrote in 2017 are still readable today.
The point isn't novelty. It's continuity. Care records aren't a product trend; they're a long-term commitment, and we've held that commitment since 2015. When you choose Carerealm, you're choosing a team that's already shown it's willing to do the unglamorous work of keeping a platform safe, current and yours, year after year.
The compliance bit
Now for the technical part
The rest of this page is for the compliance officers, DPOs and procurement teams, the people who need to see the specifics. Here's the short version; everything below is the long version.
- EU-hosted on Google Cloud
- Application + database run in Google Cloud's europe-west1 region (Belgium). Data does not leave the EU.
- ICO registered (ZA261106)
- Carerealm is registered with the UK Information Commissioner's Office. Registration covers our role as Data Controller for our own contact records and Data Processor for customer data.
- Encrypted in transit and at rest
- TLS for every connection. Google Cloud Storage and Cloud SQL apply AES-256 encryption to data at rest by default. Platform-level secrets (OAuth client secrets, SAML keys) are stored as AES-256-GCM ciphertext.
- MFA + SSO
- TOTP-based MFA available on every account. Single sign-on via Google, Microsoft 365 (Entra ID), Apple, and self-serve SAML 2.0 for organisations bringing their own identity provider.
- Complete audit log
- Every state-changing API call is captured in a tamper-evident audit log with attribution, timestamp and structured description. Admins can view and export; nobody can edit or delete entries.
- Auto-revert SSO tripwire
- If an admin enables required-SSO and the platform detects an unusually high rate of login failures in the next 24h, the policy is automatically downgraded to preferred and the realm owner is notified. Stops misconfigurations from locking everyone out.
Data residency & hosting
The Carerealm application is deployed on Google Cloud App Engine in the europe-west1 region (St. Ghislain, Belgium). The primary database is Google Cloud SQL in the same region. File uploads are stored in Google Cloud Storage in EU multi-region.
We deliberately do not multi-region your data outside the EU. If a UK-only or specific-country data-residency requirement applies to your procurement, please talk to us before signing. We'll be honest about whether we're a fit.
Encryption
In transit: every connection to *.carerealm.com is TLS 1.2+ (TLS 1.3 preferred). HSTS is enabled on production hostnames. Mobile apps pin no certificates today but use the OS trust store and require valid TLS for every request.
At rest: Cloud SQL applies AES-256 encryption to every disk volume by default. Cloud Storage objects are encrypted with AES-256 server-side keys. Platform-level secrets (OAuth client secrets, SAML certificates and private keys) are additionally encrypted application-side with AES-256-GCM before being stored in the database, so a database snapshot alone cannot decrypt them.
Passwords are stored as bcrypt hashes (cost factor 10). OAuth-only accounts have no password stored at all.
Authentication & access control
Sign-in options: email + password (with optional TOTP MFA), Google OAuth, Microsoft (Entra ID) OAuth, Apple sign-in (native on iOS, web-based elsewhere). Realms can additionally bring their own identity provider via self-serve SAML 2.0.
Multi-factor authentication: any user can enable TOTP MFA from their profile. Realm admins can require MFA across an organisation. When SSO is enforced via SAML or OAuth, MFA decisions from the upstream IdP apply.
Permissions: each supported person's area is its own permission boundary. Users get read / contribute / moderate roles per area. Realm admins see everything within their realm.
Sessions: a 365-day refresh token anchored to a server-side session row. Admins (and the end-user themselves) can view active sessions and revoke any of them individually. Suspicious-login alerts surface via the in-app session log.
Auto-revert tripwire: if a realm admin turns on "SSO required" and the next 24h shows an abnormally high failed-login rate among members, the policy is automatically downgraded back to "preferred" and the realm owner is notified by email. Stops a misconfigured IdP from locking everyone out of records they need access to.
Audit & logging
Every state-changing API call writes to the audit log (we call it "trace" internally). Each row captures: user, area, action category, structured description, optional structured metadata, and a monotonically-increasing timestamp.
The audit log is append-only by design. Admins can view and export, but no API endpoint exists to edit or delete trace entries. For CQC inspections and serious-incident reviews, this is the answer to "who did what and when".
Backend logs (HTTP request/response, application exceptions) are retained by Google Cloud Logging for 30 days. Application audit-log entries in our database are retained for the lifetime of the realm and exported with the realm on data-portability requests.
Sub-processors
The third parties that may process customer data while Carerealm is in use:
Google Cloud (App Engine, Cloud SQL, Cloud Storage, Cloud Logging)
Application hosting, database, file storage, infrastructure logging
Region: europe-west1 (Belgium) / EU multi-region
Vercel
Hosting and edge delivery for the marketing site and in-app shell (Next.js)
Region: EU/US (managed by Vercel)
Cloudflare (DNS, CDN, Stream)
DNS, CDN, DDoS protection in front of carerealm.com, and Cloudflare Stream for embedded marketing videos
Region: Global edge
Firebase (Google)
Authentication tokens and Firebase Cloud Messaging for push notifications
Region: EU/US (managed by Google)
Stripe
Subscription billing, payment card processing
Region: EU (Ireland)
SendGrid (Twilio)
Transactional email (verification, password reset, notifications)
Region: EU
Intercom
Marketing-site support messenger (carerealm.com only). Consent-gated.
Region: EU
OpenAI
AI features (diary chat, writing assistance). Only when a realm has opted in to AI; only data the asking user can already see is processed
Region: US (zero-day retention enabled)
Google Tag Manager + Google Analytics 4
Marketing site analytics (carerealm.com only, not the app). Consent-gated via the Carerealm cookie banner.
Region: EU/US (managed by Google)
Webrec
Marketing site session recording (carerealm.com only, not the app). Consent-gated.
Region: EU
Expo (EAS)
Mobile app delivery: over-the-air JS updates, push-notification token routing, and EAS Insights: anonymised app-usage/diagnostics telemetry (app opens, version/update adoption, device & OS). No care data; not cross-app tracking.
Region: US (managed by Expo)
Vercel Analytics + Speed Insights
First-party aggregate page views and Core Web Vitals. Cookie-free, no cross-site tracking.
Region: EU/US (managed by Vercel)
Google reCAPTCHA
Bot protection on /forgot-password and /register only
Region: US (managed by Google)
Adobe Fonts (Typekit)
Webfont delivery for the Carerealm display typeface
Region: US (managed by Adobe)
We notify customers in advance of material sub-processor changes. To receive these notifications, contact us and we'll add you to the list.
Backups & disaster recovery
Database: Cloud SQL automated daily backups + point-in-time recovery via transaction logs. Backups are retained for 30 days in the same region.
File storage: Cloud Storage versioning is enabled on customer-data buckets. Object lifecycle rules prevent accidental immediate deletion.
Application: stateless; redeploys are automated. App Engine handles instance failover within minutes.
GDPR & UK GDPR posture
We act as Data Processor for the care records you create on Carerealm. You are the Data Controller; you decide what gets recorded and who has access. Our role is to keep that data secure, available to you, and exportable when you ask.
Subject access requests: realm admins can export the data for any user from the admin UI. Data subjects who contact us directly are referred back to the realm Controller per the standard processor obligation.
Right to erasure: data is deleted on explicit request and on realm closure. Audit trace entries are retained for the realm's lifetime to preserve the integrity of the audit record. When the realm closes, trace entries are deleted along with the rest.
Data Processing Agreement: available on request. We can sign yours or send ours. Either way is fine.
Incident response
If we detect or are notified of a security incident, we triage within 24 hours, contain within 72 hours where technically possible, and notify affected customers without undue delay. Where the incident triggers UK GDPR Article 33 (personal data breach with risk to data subjects), notification to the ICO follows within 72 hours of awareness.
To report a vulnerability, email [email protected]. We respond to every credible report. We don't currently run a paid bug bounty programme.
What we don't (yet) have
We'd rather list these honestly than have you find out during a procurement process:
- ISO 27001 certification. Not certified today. We follow many ISO 27001 control practices but haven't been through formal audit.
- NHS DSCR Assured Solution status. Not on the register today; we're evaluating the application process. If commissioner procurement requires DSCR status, Nourish is the current alternative.
- SOC 2 Type II. Not currently undertaken.
If any of these are hard procurement requirements for you, tell us before signing up. We'll be honest about where we are.
Want this in PDF form for your compliance team?
Drop us a line and we'll send a print-ready version alongside our standard DPA template. No sales call required.