Security & data protection
Your care data, in safe hands.
Cyber Essentials certified. Fully GDPR compliant. UK-hosted. iStaffRota takes the security of patient and staff data seriously — because in care, there is no room for error.
Certifications
Third-party verified. Not self-assessed.
Our security posture is validated by independent bodies — not just a checkbox on our website.
Cyber Essentials
UK government-backed certification for cyber security baseline controls
GDPR Compliant
UK GDPR compliant with full Data Processing Agreements available
PRSB Quality Partner
Professional Record Standards Body — clinical record quality standards
How we protect your data
Security built into every layer.
256-bit encryption
All data in transit and at rest is encrypted using AES-256. Every connection to iStaffRota uses TLS 1.2 or higher — no exceptions.
UK data residency
All data is stored in UK-based data centres. Your care records never leave the United Kingdom and remain subject to UK GDPR at all times.
Full audit trails
Every change to a care record, medication record, rota or user account is timestamped and attributed. Nothing can be changed without a trace.
Role-based access control
Granular permission levels — managers, coordinators, carers, family members and inspectors each see only what they need. Access can be revoked instantly.
Regular penetration testing
Independent security specialists perform penetration testing on a regular schedule. Results inform ongoing hardening of the platform.
Automated backups
Data is backed up automatically and continuously. Recovery is tested regularly against the defined recovery point objective (RPO) and recovery time objective (RTO).
Security updates included
Security patches are applied as part of your subscription — there are no chargeable security upgrades or "enterprise security" add-ons.
Data Processing Agreement
A full GDPR-compliant DPA is available on request. We act as data processor; your agency remains the data controller at all times.
Security questions
Answers to the questions your DPO will ask.
Where is data stored and does it leave the UK?
All data is stored in UK-based data centres and never leaves the United Kingdom. UK GDPR applies at all times.
Is iStaffRota GDPR compliant?
Yes. iStaffRota is fully compliant with UK GDPR. We act as data processor; your agency is the data controller. A full Data Processing Agreement is available on request. Contact [email protected] to obtain a copy.
What certifications does iStaffRota hold?
Cyber Essentials (UK government cyber security baseline) and full GDPR compliance. We are also a PRSB Quality Partner, recognising adherence to clinical record standards.
Can I control which staff can see which data?
Yes. Role-based access control is granular — you configure exactly what each role sees. Carer visibility of client information can be limited to their assigned visits. Family access to records is controlled per client. Inspector access is time-limited and audited.
What happens to my data if I cancel?
On cancellation, you can export all your data in standard formats. Data is retained for 30 days post-cancellation to allow recovery if required, then securely deleted. We can provide written confirmation of deletion on request.
Questions about security or compliance?
Our team is happy to talk through your specific data protection requirements — including completing due diligence questionnaires.