Compliant by design

We put clinical safety, data privacy and cyber security at the heart of what we do

TORTUS is the first DTAC assured generative AI company in the NHS. We are GDPR compliant and CyberEssentials PLUS certified. Our software is penetration tested by a CREST-approved vendor and we supply a DPIA and full DCB0129 to every partner.

Questions about compliance? Visit our Trust Centre.

At TORTUS, we are pioneering the future of clinician-AI co-working

What is GDPR?

The UK GDPR is a vital framework that mandates strict guidelines for handling personal data in the UK's healthcare sector. Healthcare organizations and health tech companies in the UK must comply with several practices, including implementing robust data protection measures, obtaining consent from patients, having effective incident response plans, facilitating patients' rights, justifying data processing on legal grounds, and complying with international data transfer regulations. Compliance with these regulations ensures ethical handling of sensitive health data, enhances patient trust and security in digital health technologies, and impacts how patient data is managed, shared, and protected.

What is DTAC?

DTAC, or the Digital Technology Assessment Criteria, is a framework that was introduced by NHS England in 2021. Its primary objective is to ensure that digital health technologies meet essential standards before being used within the NHS and social care environments. The framework evaluates and approves digital health products by focusing on five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.

Do you store data?

TORTUS is a cyber-secure, penetration-tested web application. Audio is captured in your browser and sent over an encrypted connection to our UK-based, GDPR-compliant cloud, where our clinical speech-to-text and language models convert it into transcripts, notes, codes and other documentation.

Once processing ("inference") is complete, the outputs are returned to your browser. Audio is held only on your device for the duration of processing and is then permanently deleted. Consultation data displayed in the browser is stored locally and available for your configurable timeframe.

Any consultation outputs retained beyond the session are held in line with the retention policy agreed with your organisation, and managed under our ISO 27001:2022 Information Security Management System.

Do you train models on patient data?

No. As a company, we took the decision not to train our own models on patient data, in order to protect patient privacy and preserve confidentiality. Instead, we pioneered a new approach of continuous clinical evaluation of models, building a bespoke platform and validating any new model for clinical safety and accuracy, since the state of the art in AI is now moving so fast. Using this process we have updated our speech AI models five times in just over a year, and similarly quickly with the large language models, and we will continue to do so.

CREST-approved certification

CREST is a globally recognised accreditation and certification body that sets rigorous standards for penetration testing in the information security industry. Choosing a CREST-approved penetration tester provides several advantages such as high standards of conduct, assurance of quality, comprehensive support and guidance, and insurance protection. CREST certification is particularly valuable for organizations that need to ensure their digital assets are secure against cyber threats and supports compliance with various regulatory requirements such as ISO, GDPR, and PCI DSS.

UKAS accredited ISO 27001:2022 certification

At TORTUS AI, we take security and data protection seriously, which is why we are ISO 27001:2022 certified.

ISO 27001:2022 is the most recent international standard for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). The ISMS provides a structured framework for TORTUS AI to manage and protect our information assets, ensuring the confidentiality, integrity, and availability of data by managing our security risks.

Our ISO 27001:2022 certificate is in place for a period of 3 years, with annual surveillance visits conducted to ensure continued compliance with the standard. Choosing to certify with a UKAS-accredited body ensures a heightened level of trust and credibility, providing confidence to our customers, suppliers and partners that TORTUS AI adheres to rigorous standards.

TORTUS is committed to being net zero by 2050

Linkedin

© TORTUS AI. All rights reserved