
Enterprise-Grade Security by Design.

ISO 27001 certified. Encryption at rest and in transit. Annual penetration testing.

Image: Clinician fitting the GripAble sensor for a patient

Trusted credentials

FDA Listed
CE Marked
ISO 27001
HIPAA Aligned
GDPR Compliant

Security architecture

ISO 27001 Certification

Able Care maintains ISO 27001 certification for its information security management system. The certification scope covers the design, development, hosting and support of the Able Assess platform. Annual surveillance audits are conducted by an accredited certification body. The ISMS includes documented risk assessments, security policies, access controls and incident management procedures.

Encryption

All data in transit is protected with TLS 1.2 or higher. All data at rest is encrypted with AES-256. Encryption keys are managed through a dedicated key management service with automatic key rotation. Mobile application data is encrypted on-device using platform-native encryption libraries. No unencrypted patient data is stored on any endpoint device.
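The paragraph above names the pieces (AES-256 at rest, a dedicated key management service, automatic key rotation) without showing how they fit together. The Go program below is added here as an illustration and is not Able Care's code: it shows the envelope-encryption pattern those pieces usually form, where each record is encrypted under its own data key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK), and rotating the KEK re-wraps the DEKs without touching the bulk ciphertext. The KEK labels and record identifier are made up for the example, and nothing on this page states that the Able Assess platform is built exactly this way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK is a key-encryption key of the kind a key management service holds (illustrative).
type KEK struct {
	ID  string // version label, e.g. "kek-v1"
	Key []byte // 32 bytes, i.e. AES-256
}

// Record is what lands in storage: bulk data under a per-record DEK, the DEK under a KEK.
type Record struct {
	KEKID      string // KEK version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK), AAD = KEK ID
	Ciphertext []byte // nonce || AES-256-GCM(data), AAD = record ID
}

// NewKey draws a fresh 256-bit key; used for KEKs here and for every DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length gets here; NewKey cannot produce one
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce||ciphertext; aad is authenticated but not stored.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal fails if nonce, ciphertext or aad differ from what was sealed.
func unseal(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt: fresh DEK per record; data bound to recordID, DEK bound to the KEK version.
func Encrypt(kek KEK, recordID string, plaintext []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek.Key, dek, []byte(kek.ID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: kek.ID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// unwrapDEK needs the KEK version named in the record: retire a KEK only after every record under it is rotated.
func unwrapDEK(keks map[string]KEK, r Record) ([]byte, error) {
	kek, ok := keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", r.KEKID)
	}
	return unseal(kek.Key, r.WrappedDEK, []byte(kek.ID))
}

func Decrypt(keks map[string]KEK, recordID string, r Record) ([]byte, error) {
	dek, err := unwrapDEK(keks, r)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.Ciphertext, []byte(recordID))
}

// Rotate re-wraps the DEK under newKEK; the bulk ciphertext is untouched.
func Rotate(keks map[string]KEK, r Record, newKEK KEK) (Record, error) {
	dek, err := unwrapDEK(keks, r)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK.Key, dek, []byte(newKEK.ID))
	if err != nil {
		return Record{}, err
	}
	return Record{KEKID: newKEK.ID, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}
```

The caveat the example makes concrete: rotating the wrapping key does not by itself re-key data already encrypted, and a retired KEK version has to stay retrievable until every record wrapped under it has been re-wrapped, otherwise Decrypt fails with the "KEK not available" error. Binding the record identifier as GCM associated data also stops a ciphertext from being copied between records, which "AES-256 at rest" on its own says nothing about.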

Penetration Testing

We commission annual penetration tests from an independent, CREST-accredited security firm. Testing covers the web application, APIs, mobile applications and cloud infrastructure. All findings are triaged, remediated and re-tested within documented timelines. Executive summaries are available to customers on request.

Data Residency

By default, all data is hosted in UK-based data centers. EU and US data residency options are available for customers with jurisdictional requirements. Data never leaves the designated region without explicit written consent. All hosting providers are ISO 27001 certified and undergo annual SOC 2 Type II audits.

Access Controls

The platform enforces role-based access control (RBAC) with granular permissions for clinical staff, administrators and reporting users. Multi-factor authentication (MFA) is required for all accounts. Single sign-on (SSO) integration is available via SAML 2.0 and OpenID Connect. All access events are logged in a tamper-evident audit trail. IP allow-listing (IP whitelisting) is available for API and administrative access.
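"Tamper-evident audit trail" is the one claim in this section a customer can check for themselves on an exported log. The Go program below is an added example, not Able Care's implementation, of the usual construction: each entry carries an HMAC-SHA256 tag over its own fields and the tag of the previous entry, so editing or deleting an entry breaks every tag after it. The event fields, the demo key and the log entries are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one entry in the access-log chain. Prev carries the tag of the
// entry before it, so every tag commits to the whole history up to that point.
type Event struct {
	Seq     int
	Actor   string
	Action  string
	Subject string
	Prev    string // hex tag of the preceding entry; "" for the first
	Tag     string // HMAC-SHA256 over Seq, Actor, Action, Subject and Prev
}

// AuditLog appends chained entries. The HMAC key belongs to the logging
// service; an application that writes events must not be able to re-tag them.
type AuditLog struct {
	key    []byte
	events []Event
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// tag computes the entry's MAC. Fields are length-prefixed so that no choice
// of actor or subject text can masquerade as a field boundary.
func tag(key []byte, e Event) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d:", e.Seq)
	for _, f := range []string{e.Actor, e.Action, e.Subject, e.Prev} {
		fmt.Fprintf(m, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(m.Sum(nil))
}

func (l *AuditLog) Append(actor, action, subject string) Event {
	prev := ""
	if n := len(l.events); n > 0 {
		prev = l.events[n-1].Tag
	}
	e := Event{Seq: len(l.events), Actor: actor, Action: action, Subject: subject, Prev: prev}
	e.Tag = tag(l.key, e)
	l.events = append(l.events, e)
	return e
}

// Events returns a copy, as an exporter or auditor would receive it.
func (l *AuditLog) Events() []Event { return append([]Event(nil), l.events...) }

// Head is the latest tag. Anchoring it somewhere the log writer cannot reach
// (a separate store, a signed checkpoint) is what makes tail truncation detectable.
func (l *AuditLog) Head() string {
	if len(l.events) == 0 {
		return ""
	}
	return l.events[len(l.events)-1].Tag
}

// Verify walks the chain and returns the index of the first entry that fails.
// If head is non-empty, the chain must also end at exactly that tag.
func Verify(key []byte, events []Event, head string) (int, error) {
	prev := ""
	for i, e := range events {
		if e.Seq != i {
			return i, fmt.Errorf("entry %d: sequence gap, found seq %d", i, e.Seq)
		}
		if e.Prev != prev {
			return i, fmt.Errorf("entry %d: link to previous entry broken", i)
		}
		if !hmac.Equal([]byte(tag(key, e)), []byte(e.Tag)) {
			return i, fmt.Errorf("entry %d: tag mismatch, contents altered", i)
		}
		prev = e.Tag
	}
	if head != "" && prev != head {
		return len(events), fmt.Errorf("chain ends at %.8s but checkpoint is %.8s: tail removed", prev, head)
	}
	return len(events), nil
}

func main() {
	log := NewAuditLog([]byte("constructed-demo-key")) // a real key would come from the KMS
	log.Append("dr.smith", "view", "patient/123")
	log.Append("admin", "grant-role:reporting", "user/45")
	log.Append("dr.smith", "export", "patient/123")
	events, head := log.Events(), log.Head()
	events[1].Subject = "user/99" // tamper with a delivered copy
	_, err := Verify([]byte("constructed-demo-key"), events, head)
	fmt.Println(err)
}
```

Verify catches modification and deletion anywhere in the chain, but a chain on its own cannot tell that the most recent entries were removed; that case is only caught by the checkpoint comparison at the end of Verify, which in turn only works if the latest tag is anchored somewhere the log writer cannot alter. When assessing a vendor's "tamper-evident" claim, that anchoring and who holds the HMAC or signing key are the questions to ask.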

Incident Response

Able Care operates a documented incident response plan covering detection, containment, eradication and recovery. Automated monitoring detects anomalous access patterns and potential breaches in real time. Confirmed incidents are escalated within 15 minutes of detection. Affected customers are notified within 72 hours, the window GDPR Article 33 gives a controller to report a personal data breach to its supervisory authority, and within 60 days for HIPAA-covered incidents, the outer limit set by the HIPAA Breach Notification Rule. Post-incident reviews are conducted within 5 working days, with root cause analysis and corrective actions documented and shared with affected parties.

Need more detail?