Back to Home

Grace Suite: Safety & Security

Last updated: 3 March 2026

Professional Responsibility

Grace Suite provides AI-assisted tools to support professional practice. All final decisions, notes, and actions remain the professional responsibility of authorised practitioners. Our AI does not make care decisions or replace professional judgement.

Human-in-the-Loop Workflow

1

Input

Practitioner or user provides raw content (voice, text, visit notes, or care records).

2

AI Assistance

AI structures content, suggests completions, or generates voice output—always for review.

3

Review

Practitioner or authorised user reviews, edits, and validates the AI output for accuracy and appropriateness.

4

Approve

Final content is saved with a full audit trail: who provided input, who reviewed, and when approved.

Audit Trail

  • • Original input timestamp and user ID
  • • AI processing timestamp and model version
  • • User ID who reviewed/edited
  • • All edits and timestamps
  • • Final approval timestamp and user ID

Data Residency and Sovereignty

All primary user data across Grace Suite is stored within the European Union. We maintain full data residency within the EU/EEA to comply with UK GDPR and meet public sector requirements.

Hosting Locations

Primary Services
  • Database: Supabase (Ireland, EU)
  • Application: Vercel Edge (EU)
  • Authentication: Supabase Auth (Ireland, EU)
AI Processing
  • OpenAI API: United States
  • ElevenLabs: United States
  • Safeguards: SCCs + technical measures
  • No storage: Transient processing only

We do not transfer or store personal data outside the EU/EEA except as strictly necessary for AI processing. Such transfers are covered by Standard Contractual Clauses and technical supplementary measures as documented in our Data Protection Impact Assessment.

Compliance Frameworks

Professional Standards

Grace Notes
  • • Social Work England (SWE) standards
  • • Professional Capabilities Framework (PCF)
  • • Care Act 2014 compliance
  • • Record keeping and audit trails
Grace Companion
  • • UK GDPR and Data Protection Act 2018
  • • Accessibility standards (WCAG 2.1 AA)
  • • Voice data protection and privacy
Grace Care Facilities
  • • CQC Regulatory Standards
  • • Ofsted Requirements (where applicable)
  • • Staffing and resident record compliance
Cross-Product
  • • UK GDPR across all products
  • • Information security management
  • • Data protection by design and default

Security and Data Protection

Cyber Essentials Plus (In Progress)

Currently undergoing assessment for UK government cybersecurity certification.

ISO 27001 (Planned 2025)

Planning comprehensive ISMS implementation for international security standard.

Certification Roadmap

We are actively working towards achieving these security certifications to enhance our compliance framework and provide additional assurance for council and NHS partnerships. Current security controls meet all operational requirements for UK deployment.

Technical Safeguards

  • Encryption: TLS 1.3 in transit; AES-256 at rest
  • Access controls: Role-based permissions with MFA for admin
  • Logging: Comprehensive audit logs for all actions
  • Backup: Daily encrypted backups within EU
  • Testing: Regular vulnerability scanning and penetration testing
  • Retention: Configurable data retention schedules
  • Availability: 99.9% uptime SLA with monitoring and incident response

Documentation and Governance

We maintain comprehensive governance documentation to support public sector procurement and compliance requirements:

  • Data Protection Impact Assessment (DPIA): Full assessment of AI processing risks and mitigations
  • Sub-processor register: Current list of all third-party services and locations
  • Information Security Policy: Internal controls and procedures
  • Incident Response Plan: Clear procedures for security incidents
  • Staff training: Regular data protection and security awareness training
  • Business continuity: Disaster recovery and service continuity plans

Reporting Security Concerns

If you discover a security vulnerability or have concerns about safety:

Security Team

Email: security@grace-companion.co.uk

We take all security reports seriously and will respond within 24 hours.

For responsible disclosure, please allow us reasonable time to address issues before public disclosure.

Get in Touch

For security, compliance, or procurement enquiries about Grace Suite:

Grace Suite Compliance Team

Email: compliance@grace-companion.co.uk

Phone: 0203 657 3367