Patient safety and security is our priority.
Forward is GDPR compliant, NHS IG Toolkit Certified (Level 2), meets GMC confidentiality guidelines, and has been formally approved by NHS Trusts.
Forward users must have an approved NHS or trust email address to log into the app. A confirmation email is sent to that address, and the activation link must be clicked to gain access to the app. Users must create a 4-digit PIN to protect the app on their device.
Users can only access patient information when invited to a team by an existing Forward user, or by creating the patient profile themselves. Credentials stored in the encrypted Keystore and Keychain restrict access appropriately.
Encryption in transit
Data is encrypted in transit and transferred via HTTPS (the SSL/TLS protocol). When transmitting messages, devices use an SSL handshake with 2048-bit RSA keys to encrypt the socket connection to our servers. We support the sync of RSA public keys, ensuring data remains fully encrypted in transit. To further enhance security, we have implemented OWASP certificate pinning. Access to Forward servers is only possible via SSH keys.
Storing data safely
Data is stored in a UK-based data centre, hosted by AWS and compliant with all applicable ISO standards, including ISO 27001. Data is stored for five years unless a request is made otherwise. Administration access to data is restricted to machines within the same Virtual Private Cloud. This means only the responsible clinical team can access specific patient data, unless a request is made for audit or investigation purposes by someone with a duty of care for that patient. Nothing is stored permanently on users’ own devices, including any photographs taken within the app.