Tick the features you want. Totals update live. Cost = effort × day-rate.
CareVault stores personal and special-category (health) data, so it must be built and run under UK GDPR and the Data Protection Act 2018, regulated by the ICO. Two roles: the care company is the Controller (decides why/how data is used) and the software/hosting provider is the Processor (acts on the controller's instructions). Both carry obligations.
| Article | What it requires | Owner | Covered by |
|---|---|---|---|
| Art 5 — Principles | Lawful, fair, minimised data; storage limitation | C | Retention / purge |
| Art 6 — Lawful basis | A valid basis for each processing purpose | C | — |
| Art 9 — Special category | Extra condition for health data (typically 9(2)(h) health/social care) + Appropriate Policy Document | C / P | Special-category safeguards |
| Art 15 — Right of access | Provide a person's data on request (DSAR) | C | UK GDPR — DSAR export |
| Art 17 — Erasure | Delete data when no longer needed / on valid request | C | Retention / purge |
| Art 25 — By design & default | Build privacy in from the start, not bolt-on | P | Access control, architecture |
| Art 28 — Processor terms | A Data Processing Agreement (DPA) must be in place | C + P | Contract (not build) |
| Art 30 — Records | Keep a Record of Processing Activities (ROPA) | C / P | Documentation |
| Art 32 — Security | Encryption, access control, audit logging, backups | P | Encryption, audit log, RBAC |
| Art 33/34 — Breaches | Notify ICO within 72h; processor notifies controller | C ← P | Audit log + process |
| Art 35 — DPIA | Impact assessment (required: large-scale health data) | C | Discovery deliverable |