Security By Design

7 January 2025

Customer trust and data security are critical to everything we do at Birdie.

External assurance

As part of our ongoing commitment to security, Birdie is certified to ISO 27001 and Cyber Essentials Plus. Both of these standards require regular independent audits to be carried out by an accredited third party.

We also exceed the NHS Data Security and Protection Toolkit (DSPT) standards, and are on the Digital Social Care Records (DSCR) Assured Solutions list.

Additional information and resources, including relevant certificates and penetration test reports, can also be found on our Trust Centre.

Product security

Secure access

Logging in to Birdie is secured by a one-time authentication link.

Permissions

Permission levels within the app can be set for your staff, so that only carers you have invited can access a client’s information. Permissions default to the most restrictive level and can only be widened by an affirmative action on your part.

Uptime

We have uptime of 99.9% or higher.

Network and application security

Data Hosting and Storage

Birdie services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-2) in the UK.

Failover and DR

Birdie was built with disaster recovery in mind. All of our infrastructure and data are spread across three AWS availability zones (three separate physical data centres), and the service continues to operate should any one of them fail.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

Backups

Database backups of Birdie’s production system are taken regularly and prior to any major upgrade or configuration change to Birdie’s production environment. These backups allow, in the event of a disaster, the creation of a replica environment within a minimal period of time. Backups are stored in a different AWS environment, with restricted access.

Monitoring

Birdie uses multiple internal and 3rd-party tools for monitoring its production environment and protecting it against potential threats or errors:

  1. An internal notification mechanism is in place to alert Birdie operations and support teams on different anomalies detected in production.
  2. AWS analytical tools are configured to continuously monitor Birdie’s production environment status, including server availability, CPU, memory, disk space and other key metrics; the Cloud Monitoring tool also sends alerts to Birdie’s operations team based on preconfigured policies.
  3. Honeycomb and Datadog are used for live production monitoring via OpenTelemetry and logging.
  4. Sentry is used for live production bug and regression tracking.

An internal production monitoring dashboard aggregates information from Birdie’s multiple systems and provides Birdie operators with a clear view of its production environment status. Birdie also operates a support ticketing system allowing administrators and end-users to report any issues or errors they encounter while using Birdie’s web-based solution.

Permissions and Authentication

All access to personal confidential data on IT systems can be attributed to individuals and is logged. The principle of ‘least privilege’ is applied, so that users do not have access to data they have no business need to see.

We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on GitHub, Google and AWS to ensure that access to cloud services is protected.

Encryption

All data sent to or from Birdie is encrypted in transit using 256-bit encryption. Our API and application endpoints are TLS/SSL only and score an “A” rating on Qualys SSL Labs’ tests. We also encrypt data at rest using the industry-standard AES-256 encryption algorithm.

Penetration testing

Our dedicated infrastructure team is in charge of ensuring our platform is secure and available at all times. Once a year we engage third-party security experts to perform detailed penetration tests on the Birdie application and infrastructure (the most recent penetration test was performed in October 2024 by Modux).

24/7 Incident Response

We recognise that Birdie may be critical to the well-being of your customers and business. That is why we have on-call engineers available at all times.

Birdie implements a protocol for handling security events which includes escalation procedures, rapid mitigation and a post-mortem review. All employees are informed of our policies.

Additional Security features

Training

All employees complete Security Awareness training quarterly as part of our commitment to the NHS DSPT and compliance with data protection laws.

Staff with access to personal data are appropriately and regularly trained to handle data in accordance with the data protection laws.

Policies

Birdie has developed a comprehensive set of security policies covering a range of topics including a Business Continuity Plan, Incident Response Plan, and Data Protection Policy. These policies are updated frequently and shared with all employees.

Confidentiality

All employee contracts include a robust confidentiality agreement, and employees are regularly made aware of the importance of the Common Law Duty of Confidentiality.

Payments

All payments made to Birdie go through one of our partners, GoCardless or Stripe. Details about their security setup can be found at GoCardless's security page or Stripe's security page.

Data Protection

Birdie is committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Information Commissioner’s Office (ICO) guidance. We have aligned our compliance programme to the ICO’s Accountability Framework. We are registered with the ICO, under reference ZA267724.

We have appointed a dedicated Data Protection Officer (DPO) to oversee and advise on our data protection compliance programme.

Read our Privacy Notice to find out how we manage your data when we are a Controller and our Data Processing Agreement when we are a Processor.

Data Protection by Design

Data protection by design and default is built into all the work we do at Birdie. We ensure that data protection is considered at the outset of any project, and we put in place appropriate technical and organisational measures designed to implement the data protection principles effectively. We integrate safeguards into our processing to meet the UK GDPR's requirements, and adopt a privacy-first approach.

Data Protection Impact Assessments (DPIA)

DPIAs are performed prior to any new project where data processing is “likely to result in a high risk to the rights and freedoms of data subjects”. We do this to make sure that we’re always in control of our risks and we have procedures in place to mitigate them. We are also on hand to support you with your DPIAs if needed.

Data Protection Compliance Monitoring

Birdie’s DPO carries out a programme of regular compliance monitoring activities including formal and informal internal audits, testing and observations to ensure that a high level of compliance is maintained. Where potential issues are discovered, these will be appropriately logged and managed.

We only process clients’ data upon their instruction

When you use our product, Birdie is a Processor of the data about your care recipients and care givers. We process this data in line with the Data Processing Agreement between you and Birdie.

Data Sharing and Transfers

Like most companies, we use a number of third parties as part of our data processing, for example cloud services and technology services. We also use tools (e.g. product analytics) to deliver our services to you and improve the product.

We have a due diligence process for all our vendors, and all sub-processors of personal data have a Data Processing Agreement in place. Those agreements are scrutinised by our DPO and must be approved by the senior leadership team prior to signing.

Where data is transferred outside of the UK or the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses or the UK’s International Data Transfer Agreement/Addendum.

When acting as a Processor, we inform you of all of our sub-processors, here.

We do not sell your data to anybody.

Questions?

If you think you may have found a security vulnerability, please get in touch with our team at support@birdie.care.

If you have a question or concern about data protection / privacy, please get in touch with our Data Protection Officer at dpo@birdie.care.
