Compliance

At Tortus, we take clinical safety, data privacy and cyber security very seriously

TORTUS is the first DTAC-assured generative AI company in the NHS. We are UK GDPR compliant and Cyber Essentials certified. Our software is penetration tested by a CREST-approved vendor, and we supply a Data Protection Impact Assessment (DPIA) and a full DCB0129 clinical safety case to every partner.


Question about compliance?  [email protected]

What is DTAC?

DTAC, or the Digital Technology Assessment Criteria, is a framework published in 2021 by NHSX (now part of NHS England). Its purpose is to ensure that digital health technologies meet essential standards before being used within NHS and social care settings. NHS and social care organisations use it to assess digital health products against five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.

One of the critical standards that products must meet is clinical safety: suppliers must adhere to the NHS clinical safety standard DCB0129 and carry out clinical risk management activities overseen by a named Clinical Safety Officer. In addition, developers must ensure that their technologies comply with UK GDPR and NHS data protection requirements. This includes completing a Data Protection Impact Assessment, completing the NHS Data Security and Protection Toolkit, and having appropriate data governance in place, such as appointing a Data Protection Officer.

Moreover, technologies must be robust and secure, holding Cyber Essentials certification and meeting further security requirements such as Multi-Factor Authentication and penetration testing within the last 12 months. They should also be able to communicate with existing NHS systems, so that data can be exchanged efficiently and securely. Lastly, technologies should be user-friendly and accessible to all users, including those with disabilities, meeting the NHS Service Standard for usability and accessibility and the WCAG 2.1 AA accessibility guidelines.

DTAC serves as a national baseline: it gives every buying organisation the same set of questions, streamlining the evaluation of new technologies and providing a clear path from development to deployment within the NHS. It is part of the wider effort to integrate digital health technologies into the NHS while ensuring they are safe, effective, and add value to patient care.

What is GDPR?

The UK GDPR is the framework that sets strict rules for handling personal data in the UK, and health data is treated as special category data with additional protections. Healthcare organizations and health tech companies must implement robust technical and organisational data protection measures, identify a valid lawful basis for each processing activity (in direct care this is usually the public task or provision-of-healthcare basis rather than patient consent, which is only one of the available bases), maintain effective incident response plans including reporting qualifying personal data breaches to the ICO within 72 hours, facilitate patients’ rights such as access and erasure, and comply with the rules on international data transfers. Compliance with these regulations ensures ethical handling of sensitive health data, strengthens patient trust in digital health technologies, and shapes how patient data is managed, shared, and protected.

Do you store data?

We don’t retain data. Our system is a penetration-tested local desktop application that records audio locally and sends that audio file to secure, UK-based and GDPR-compliant cloud servers which host our speech-to-text AI and Large Language Models. There the audio is converted into a transcript, a note, clinical codes and other documentation.

Once the processing (‘inference’) is complete, the outputs are returned to the desktop application, and the original audio and all intermediate data in the cloud are permanently deleted. Data in the cloud is only ever held in working memory for processing and is never written to persistent storage beyond that 20-30 second processing window. On the local desktop, the data held by O.S.L.E.R. is kept only for as long as the app is open; once it is closed, that data is also deleted. When you restart O.S.L.E.R., the process starts afresh.

Do you train models on patient data?

No. To protect patient privacy and preserve confidentiality, we decided as a company not to train our models on patients’ data. Instead, we pioneered an approach of continuous clinical evaluation of models, building a bespoke platform (CREOLA) and validating every new model for clinical safety and accuracy before adoption, because the state of the art in AI is moving so fast. Using this process we have updated our speech AI models five times in just over a year, at a pace comparable to the large language models, and we will continue to do so.

CREST-approved certification

CREST is a globally recognized accreditation and certification body that sets rigorous standards for penetration testing in the information security industry. CREST accredits member companies and separately certifies individual testers, so a CREST-approved engagement gives assurance about both the firm’s processes and the people doing the testing. Choosing a CREST-approved penetration tester provides several advantages: high standards of conduct, assurance of quality, comprehensive support and guidance, and the protection of the professional indemnity insurance that member companies must hold. CREST certification is particularly valuable for organizations that need to ensure their digital assets are secure against cyber threats, and it supports compliance with standards and regulations such as ISO 27001, UK GDPR, and PCI DSS.