At Heidi, we actively collaborate with regulators and health bodies around the world, including NHS England, to ensure clinicians are using Heidi safely. Read on to see how Heidi meets the latest NHS England guidance for UK clinicians.
✅ DTAC: We’ve completed a full internal DTAC assessment aligned to NHS expectations, with supporting evidence available across the five domains. This can be provided again on request.
✅ DSPT: Heidi has a current and fully compliant DSPT submission listed on the NHS portal, addressing all relevant data protection and cyber security obligations.
✅ Security Certifications: Heidi holds ISO 27001, SOC 2 Type II, and ISO 9001 certifications, all globally recognised standards for cybersecurity, information security, data protection, and quality management. These certifications are independently audited multiple times per year. We also hold Cyber Essentials certification and are currently undergoing an audit for Cyber Essentials Plus to meet the newly updated requirement in the latest guidance.
✅ Penetration Testing: We conduct annual penetration testing using a CREST-accredited security firm, covering infrastructure, APIs, and application-level vulnerabilities.
✅ DPIA: We’ve completed a comprehensive DPIA for NHS deployments, including lawful basis, risk mitigation, and data flow transparency. Versions have already been used to support ICB governance approvals.
✅ Named Clinical Safety Officer: Heidi has three NHS-accredited Clinical Safety Officers with responsibility under DCB0129 and DCB0160, including our UK Chief Medical Officer and practising GP Dr Hannah Allen, UK-based Dr Samuel Adedero, and Dr Kieran McLeod. Our clinical safety documentation, including the hazard log and Clinical Safety Case Report, is kept current and reviewed as part of our governance and quality process.
✅ Encryption and GDPR Compliance: Heidi encrypts data in transit (TLS 1.2 or higher) and at rest (AES-256), and is fully compliant with UK GDPR and the DPA 2018, with strict controls for data minimisation, subject access, and purpose limitation.
✅ No Unsafe Functionality (e.g. Prompt Injection): Heidi's intended use is to relieve clinicians of arduous administration, not to provide clinical decision support. This is reflected in our terms of service and in the product's safety controls, which include input filters, prompt review, flags for any attempted use for clinical support, and review of all user-supplied content, including templates and free text.

