Security & Clinical Safety

How MACH protects you and supports informed health decisions.

Last updated: June 2026

Azure UK South infrastructure
UK GDPR Compliant
DPIA Complete
Encrypted in transit and at rest
DCB0129 Clinical Safety

Data protection

MACH processes personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These are the primary legal frameworks governing data protection in England and Wales.

No personal data collected during chatbot use

When you use the MACH chatbot, no account is created and no personally identifiable information is required or collected. We do not store your conversations.

Data Protection Impact Assessment (DPIA)

A DPIA has been completed to identify and manage privacy risks in the design of MACH, in line with the ICO's guidance under UK GDPR Article 35.

Data residency

All MACH services are deployed on Microsoft Azure UK South. Data is processed and stored within the United Kingdom.

Encryption

In transit

All data exchanged between your browser and MACH is encrypted using HTTPS / TLS. Your connection to machhealth.co.uk is always secured in transit.

At rest

Data stored on Azure UK South infrastructure is encrypted at rest using Azure Storage Service Encryption with platform-managed keys. This is enabled by default on all Azure Storage services and cannot be disabled.

Infrastructure note: Microsoft Azure — the cloud platform on which MACH is built — holds ISO/IEC 27001, ISO/IEC 27018, and SOC 2 certification for its own infrastructure. These are certifications held by Microsoft, not by MACH. You can verify Azure's compliance portfolio at the Microsoft Trust Center.

NHS frameworks

MACH has been developed against the following NHS frameworks. Any claim made against a framework depends on the confirmed status listed beneath it.

NHS DTAC — Digital Technology Assessment Criteria (Version 2)

DTAC v2 is the NHS's mandatory framework covering clinical safety, data protection, technical security, interoperability, and usability for health technology products.

Status: Assessment in progress. Outcomes and any required mitigations will be published following completion.

NHS Data Security and Protection Toolkit (DSPT)

The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards.

Status: Assessment pending. A formal DSPT submission is being prepared.

Clinical safety

DCB0129 — Clinical Risk Management

MACH is developed in accordance with DCB0129, the NHS standard for clinical risk management in health information technology. A clinical safety hazard log is maintained and is available on request.

MACH supplements — it does not replace — professional care

MACH is a patient-facing health information tool. It is not a medical device and does not diagnose, treat, or prescribe. All users are directed to consult their own healthcare team for personal medical decisions. This is stated clearly within the product and in our Terms of Use.

Clinical Safety Officer

A designated Clinical Safety Officer (CSO) is responsible for overseeing clinical risk management and ensuring MACH meets the DCB0129 standard throughout the product lifecycle. CSO: Divyan Moodley.

Security assurance

Independent penetration testing

Independent penetration testing is part of our security assurance programme. Testing is conducted by a third party against OWASP methodology.

Access control

MACH applies the principle of least-privilege access to all internal systems. Only authorised personnel have access to administrative functions and contact-form data.

Report a security concern

If you believe you have identified a security vulnerability in MACH, please contact us at info@machhealth.co.uk. We aim to acknowledge all security reports within two working days.

Further information

For detailed information on how we collect and use personal data, please read our Privacy Policy and Terms of Use.

For partnership, procurement, or evaluation enquiries, please contact us.