NHS Compliance & Safety

Built for the NHS. Trusted by clinicians. Certified to the highest standards. Every MediPulse AI product is designed from the ground up to meet — and exceed — NHS regulatory, data security, and clinical safety requirements.

Compliance is Not an Afterthought — It's Our Foundation

At MediPulse AI, regulatory compliance and clinical safety are embedded into every stage of our product development lifecycle, not added as an afterthought. We work closely with NHS England, MHRA, and ICO to ensure every product we deploy is certified, safe, and trusted.

Our compliance team — led by Chief Compliance Officer Lisa Patel, a former MHRA assessor — maintains an unbroken record of annual NHS DTAC and DSP Toolkit assessments passed at the highest standard since 2021.

NHS Data Security & Protection Toolkit — all 10 standards met

CE Class IIb Medical Device — MHRA registered

ISO 27001 Information Security Management — certified since 2022

NHS DTAC compliant — assessed and passed annually

GDPR Article 25 — data protection by design and by default

Cyber Essentials Plus — government-backed cybersecurity certification

Our Certifications & Accreditations

A comprehensive suite of NHS, regulatory, and international certifications that demonstrate our unwavering commitment to safety and compliance.

✓ Compliant

NHS DTAC — Digital Technology Assessment Criteria

Full compliance with NHS England's Digital Technology Assessment Criteria, covering clinical safety, data protection, technical security, interoperability, and usability standards for NHS digital products.

Active — Assessed March 2026

✓ Certified

CE Class IIb Medical Device Marking

Our Clinical AI Decision Support Suite holds CE Class IIb Medical Device certification — the standard applied to software intended to influence clinical decision-making in medium-to-high risk scenarios.

Active — Renewed January 2026

✓ Registered

MHRA Medical Device Registration

Registered with the Medicines and Healthcare products Regulatory Agency (MHRA) as a medical device manufacturer. All qualifying AI software is listed on the MHRA Device Register.

Active — Registration No. MD-2021-0847

✓ Certified

ISO 27001 — Information Security Management

Independently audited and certified to ISO/IEC 27001:2022, the international standard for information security management systems. Covers all systems, staff, and processes handling NHS data.

Active — Certified by BSI Group

✓ Compliant

GDPR — General Data Protection Regulation

Full compliance with UK GDPR (2018) and the Data Protection Act (2018). All data processing activities are documented in our Records of Processing Activities (ROPA) and reviewed quarterly.

Active — ICO Registration ZA847293

✓ Certified

Cyber Essentials Plus

Certified to Cyber Essentials Plus — the highest tier of the UK Government's Cyber Essentials scheme, verified through independent external penetration testing of all internet-facing systems.

Active — Certified by IASME Consortium

NHS Data Security & Protection Toolkit

MediPulse AI meets all 10 mandatory standards of the NHS Data Security and Protection Toolkit, assessed annually against NHS England's requirements.

100% Compliance Across All 10 DSP Standards

The NHS Data Security and Protection (DSP) Toolkit is the mandatory self-assessment framework used by organisations that access NHS patient data. MediPulse AI has achieved the highest level of compliance — "Standards Met" — across all 10 standards since our first assessment in 2021.

Our annual assessment is reviewed by NHS England's Information Governance team, with all evidence packs available to NHS Trust procurement teams on request.

Data Security & Protection Leadership: 100%
Responding to Incidents: 100%
Staff Responsibilities: 100%
Managing Data Access: 100%
Process Reviews: 100%
Secure Storage & Use of Confidential Data: 100%

All 10 Mandatory Standards — Met

1. Data Security & Protection Leadership: Board-level accountability and named SIRO & Caldicott Guardian
2. Responding to Data Security Events: Incident management, 72-hour breach notification procedure
3. Staff Responsibilities: Annual mandatory IG training, role-based access policies
4. Managing Data Access: Least privilege, multi-factor authentication, access reviews
5. Process Reviews: Data flows documented, reviewed, and risk assessed annually
6. Confidential Information: Secure storage, pseudonymisation, encryption standards
7. IT Infrastructure Vulnerabilities: Patch management, penetration testing, vulnerability scanning
8. Unsupported Systems: No end-of-life systems in scope; lifecycle management policy
9. IT Suppliers and Partners: Third-party due diligence, contractual data security obligations
10. Monitoring & Reporting: Continuous monitoring, monthly security reporting, annual audit

Clinical Safety is Built Into Every Product

Our Clinical Safety programme, led by Dr. Amara Osei (our CCIO and designated Clinical Safety Officer), ensures every MediPulse AI product meets the NHS clinical safety standards required for AI software in clinical decision support roles.

DCB0129 — Clinical Risk Management for Manufacturers

Full compliance with NHS Digital's clinical risk management standard for health IT manufacturers. All products have a Clinical Risk Management File (CRMF) and Clinical Safety Case Report.

DCB0160 — Clinical Risk Management for Deployers

We provide implementation partners (NHS Trusts) with all documentation required to comply with DCB0160, including Hazard Logs, Risk Assessments, and Clinical Safety Case Reports.

NICE Evidence Standards Framework (AI/ML)

Our AI products are assessed against NICE's Evidence Standards Framework for Digital Health Technologies, achieving Level 3b — the highest tier for AI/ML-based diagnostic support tools.

Prospective Clinical Validation

All AI algorithms are prospectively validated on NHS patient cohorts before deployment, with ongoing monitoring of clinical performance metrics including sensitivity, specificity, and NPV/PPV.

How We Handle Patient Data

Patient data is handled with the highest level of care, transparency, and security at every step of the data lifecycle.

UK Data Residency

All patient data is stored exclusively within UK borders — in Microsoft Azure UK South (London) and UK West (Cardiff) data centres. No patient data is transferred outside the UK without explicit legal basis and NHS approval.

Pseudonymisation & Encryption

Patient records are pseudonymised at the point of ingestion. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed in Azure Key Vault with NHS Trust-specific key hierarchies.

Full Audit Trails

Every access to patient data — by staff, systems, or AI models — is logged in an immutable audit trail. Audit logs are retained for a minimum of 8 years and are available for review by NHS Trust IG teams at any time.

Role-Based Access Control

Access to patient data is strictly controlled on a need-to-know, least-privilege basis. Role-based access controls are configured per NHS Trust, with mandatory multi-factor authentication for all users.

Data Processing Agreements

All NHS Trust partnerships are governed by a comprehensive Data Processing Agreement (DPA) and Data Sharing Agreement (DSA) in line with UK GDPR Article 28 requirements. Template documents available on request.

No AI Training on Identifiable Data

We never use identifiable patient data to train our AI models without explicit ethical approval and patient consent frameworks. Model training uses only fully de-identified or synthetic data, or data under approved research agreements.

Regulatory Timeline

A transparent record of our certifications, assessments, and regulatory milestones from founding to the present day.

Q4 2021: CE Class IIb Medical Device Certification
Achieved CE Class IIb Medical Device marking for our Clinical AI Decision Support Suite following rigorous conformity assessment by our Notified Body.

Q1 2022: First NHS DSP Toolkit Assessment — Standards Met
Passed our first NHS Data Security and Protection Toolkit annual assessment, achieving "Standards Met" across all mandatory standards.

Q2 2022: ISO 27001:2013 Certification
Certified to ISO/IEC 27001:2013 by BSI Group, covering our Manchester HQ, London office, and all cloud infrastructure.

Q3 2022: MHRA Registration
Registered as a Medical Device Manufacturer with the MHRA following the UK's post-Brexit regulatory framework for medical devices.

Q1 2023: NHS DTAC Compliance Achieved
Completed NHS Digital's Digital Technology Assessment Criteria assessment, covering all domains including clinical safety, data protection, and technical security.

Q3 2023: Cyber Essentials Plus Certification
Achieved Cyber Essentials Plus certification following external penetration testing and vulnerability assessment of all internet-facing systems.

Q1 2024: NICE Evidence Standards Framework — Level 3b
Our Clinical AI achieved NICE ESF Level 3b for AI/ML diagnostic tools, supported by prospective real-world evaluation data from 12 NHS Trusts.

Q2 2024: ISO 27001:2022 Upgrade
Successfully transitioned from ISO 27001:2013 to the latest ISO 27001:2022 standard, incorporating updated controls for cloud security and threat intelligence.

Q1 2026: Annual DSP Toolkit Renewal — Standards Met
Completed our fifth consecutive annual NHS DSP Toolkit assessment, maintaining "Standards Met" status across all 10 mandatory standards.

Compliance Documentation

Download our compliance documentation to support your NHS procurement, IG, and clinical governance processes.

DTAC Certificate

NHS Digital Technology Assessment Criteria compliance certificate

PDF — 0.4 MB

ISO 27001 Certificate

BSI Group ISO/IEC 27001:2022 certification document

PDF — 0.3 MB

Clinical Safety Case Report

DCB0129 Clinical Safety Case Report — MediPulse AI Clinical Suite v4.2

PDF — 2.1 MB

Data Protection Impact Assessment

GDPR Article 35 DPIA for NHS Trust deployments — template version

PDF — 1.8 MB

Full compliance documentation packs, including DSP Toolkit evidence, Hazard Logs, and Data Processing Agreement templates, are available to NHS procurement teams upon request.

Request Compliance Documentation

NHS procurement, IG leads, and clinical governance teams can request our full compliance documentation pack at any time.