TORTUS Logo
TORTUS Logo

Compliant by design

We put clinical safety, data privacy and cyber security at
the heart of what we do

TORTUS is the first DTAC assured generative AI company in the NHS. We are GDPR compliant and CyberEssentials PLUS certified. Our software is penetration tested by a CREST-approved vendor and we supply a DPIA and full DCB0129 to every partner.

Question about compliance?  [email protected]

How we stay compliant

At TORTUS, we are pioneering the future of clinician-AI co-working

What is GDPR?

The UK GDPR is a vital framework that mandates strict guidelines for handling personal data in the UK's healthcare sector. Healthcare organizations and health tech companies in the UK must comply with several practices, including implementing robust data protection measures, obtaining consent from patients, having effective incident response plans, facilitating patients' rights, justifying data processing on legal grounds, and complying with international data transfer regulations. Compliance with these regulations ensures ethical handling of sensitive health data, enhances patient trust and security in digital health technologies, and impacts how patient data is managed, shared, and protected.

What is DTAC?

DTAC, or the Digital Technology Assessment Criteria, is a framework that was introduced by NHS England in 2021. Its primary objective is to ensure that digital health technologies meet essential standards before being used within the NHS and social care environments. The framework evaluates and approves digital health products by focusing on five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.

Do you store data?​

We don’t store data - our system architecture is a cyber-secure and penetration-tested local desktop application that records audio locally and sends that file to secure, UK-based and GDPR-compliant cloud servers which host our speech-to-text A.I. and Large Language Models, where the audio is converted into transcript, note, codes and other documentation.

Once the processing (‘inference’) is complete, the outputs are returned to the desktop application, and the original and intermediate data in the cloud is permanently deleted. The data in the cloud is only ever kept in working memory for processing and never stored beyond that 20-30s processing time window. The data in O.S.L.E.R. itself on the local desktop is maintained in the app for as long as it is open, but once it is closed, that data is also deleted. When you restart O.S.L.E.R., the process starts afresh.

Do you train models on patient data?​

No. We took a decision as a company to protect patient privacy and preserver confidentiality not to train our own models on patients data. Instead, we pioneered a new approach of continous clinical evaluation of models instead, building a bespoke platform (link to CREOLA), and validating any new model in terms of clinical safety and accuracy as the state-of-the-art in AI is now moving so fast. Using this process we have updated our speech AI models five times in just over a year, similarly fast with the large language models, and we will continue to do so. 

CREST-approved certification:​

CREST is a globally recognized accreditation and certification body that sets rigorous standards for penetration testing in the information security industry. Choosing a CREST-approved penetration tester provides several advantages such as high standards of conduct, assurance of quality, comprehensive support and guidance, and insurance protection. CREST certification is particularly valuable for organizations that need to ensure their digital assets are secure against cyber threats and supports compliance with various regulatory requirements such as ISO, GDPR, and PCI DSS.

TORTUS Logo