Security & Data Protection

ACS employs industry-leading security measures to protect sensitive data and ensure compliance with GDPR and Ofsted regulatory requirements.

Last updated: 11 June 2026

Overview

ACS is a secure, cloud-based care management platform designed specifically for children's homes and care providers. We understand the importance of protecting sensitive personal data and maintaining compliance with UK regulatory requirements.

Our platform is built with security and compliance at its core, implementing comprehensive measures to protect data at rest and in transit and to enforce robust access controls.

Data in Transit

All data transmitted between users and our platform is encrypted using industry-standard protocols, ensuring that sensitive information cannot be intercepted or accessed by unauthorised parties.

  • TLS/SSL Encryption: All connections use TLS 1.2 or 1.3 protocols with strong cipher suites
  • Digital Certificates: Valid SSL certificates from trusted Certificate Authorities
  • Perfect Forward Secrecy: Ephemeral key exchange prevents retrospective decryption
  • Secure Cookie Configuration: HttpOnly, Secure, and SameSite protection on all session cookies

Data at Rest

Stored data is protected through multiple layers of security to prevent unauthorised access, even in the event of a physical security breach.

  • Encryption: Sensitive data encrypted using industry-standard algorithms
  • Password Hashing: User passwords hashed using bcrypt with salt (never stored in plain text)
  • Database Security: PostgreSQL database with Row-Level Security for tenant isolation
  • Secure Infrastructure: Hosted in secure data centres with physical security controls

Access Control & Authentication

Multi-layered access controls ensure that users can only access information appropriate to their role and responsibilities.

  • Role-Based Access Control: Nine-tier permission system with granular access rights
  • Secure Authentication: JWT tokens with cryptographic signing and HttpOnly secure cookies
  • Session Management: Automatic session timeout with secure re-authentication
  • Home-Level Restrictions: Staff can only access data for their assigned home/organisation

GDPR & Data Protection Compliance

Our platform is designed to support compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

  • Lawful Basis: Data processing based on legitimate interests and legal obligations
  • Data Minimisation: Only necessary personal data is collected and retained
  • Subject Access Rights: Support for data subject access requests (DSARs)
  • Right to Erasure: Data retention policies and secure deletion procedures
  • Data Portability: Ability to export and transfer personal data

Ofsted Regulatory Compliance

ACS includes features specifically designed to support compliance with Ofsted regulatory requirements for children's homes.

  • Complete Audit Trail: All data changes tracked with timestamps and user attribution
  • Digital Signatures: Legally binding electronic signatures for policy acknowledgments
  • Regulation 44 Visits: Dedicated module for independent visitor reports
  • Incident Reporting: Comprehensive incident logging with Ofsted notification tracking
  • Staff Training Records: Mandatory training tracking with expiry alerts

Monitoring & Maintenance

We maintain continuous monitoring and regular security assessments to ensure ongoing protection of your data.

  • Regular Security Updates: Security patches applied promptly to all systems
  • Data Backup: PostgreSQL database with point-in-time recovery capability (infrastructure-managed)
  • Activity Logging: Comprehensive audit logs for security monitoring
  • Incident Response: Established procedures for handling security incidents

Security Enquiries

If you are a regulator or inspector, or have specific security questions, please contact our compliance team through your organisation's designated support channel. We can provide additional documentation and evidence of our security measures upon request.

This document provides a high-level overview of our security measures. Specific technical details are not disclosed to maintain security effectiveness. Our security practices are regularly reviewed and updated to reflect emerging threats and regulatory requirements.