DTAC Compliance
How Formulate meets the NHS Digital Technology Assessment Criteria for digital health technologies.
What is DTAC?
The Digital Technology Assessment Criteria (DTAC) is the NHS framework for evaluating digital health technologies. It assesses products across five pillars: clinical safety, data protection, technical security, interoperability, and usability. Formulate has completed a DTAC self-assessment to demonstrate our commitment to meeting the standards expected by NHS organisations and training programmes.
The Five Pillars
Clinical Safety
Formulate has a designated Clinical Safety Officer and maintains a clinical safety case report per DCB0129. Hazards are identified, risk-rated, and mitigated. Outcome measure scoring uses validated algorithms with deterioration alerting.
Data Protection
GDPR-compliant by design. Client records are pseudonymised (initials or codes, never full names). A published Data Processing Agreement covers all processor obligations. Clients can view their data and request its deletion under GDPR Article 17 via a secure portal.
Technical Security
AES-256 encryption at rest, TLS 1.2+ in transit. Row-level security enforced at the database layer. Strict Content Security Policy with per-request nonces. PII stripping before any AI processing. UK-hosted infrastructure (AWS eu-west-2, London).
Interoperability
Worksheets and formulation outputs are exportable as print-ready PDFs. Outcome measure data uses validated scoring aligned with IAPT minimum dataset definitions. Homework is delivered via tokenised URLs that work across any device or browser.
Usability & Accessibility
Responsive design tested across mobile, tablet, and desktop. WCAG 2.1 AA contrast compliance. Keyboard-navigable interface with skip navigation. Guided onboarding flow for new users. Worksheets designed at an appropriate reading level for client-facing use.
Criterion-by-Criterion Assessment
Status of each DTAC criterion as of March 2026.
| Criterion | Status | Evidence |
|---|---|---|
| Clinical safety case (DCB0129) | Compliant | Published clinical safety case with hazard log, risk ratings, and named Clinical Safety Officer |
| Clinical safety officer designated | Compliant | Tarun Vermani, DClinPsy trainee (UCL), Clinical Academic pathway |
| Hazard log maintained | Compliant | Six identified hazards with severity, likelihood, mitigations, and residual risk documented |
| Data Protection Impact Assessment | Compliant | DPIA completed covering all personal data processing activities |
| GDPR Article 28 DPA published | Compliant | Data Processing Agreement published at /dpa with full processor obligations |
| Data subject access and deletion | Compliant | Client data portal enables viewing submitted responses and requesting deletion under Article 17 |
| Encryption at rest and in transit | Compliant | AES-256 at rest, TLS 1.2+ in transit, UK-hosted database (AWS eu-west-2) |
| Access control and authentication | Compliant | Row-level security at database layer; Supabase Auth with JWT; per-therapist data isolation |
| Penetration testing | Planned | Scheduled as part of DSPT registration process |
| Vulnerability management | Compliant | Automated dependency scanning; Sentry error monitoring; strict CSP headers |
| Business continuity | Compliant | Automated database backups with point-in-time recovery; CDN-based static asset serving |
| Interoperability standards | Partially compliant | PDF export for clinical outputs; IAPT-aligned outcome measures. FHIR integration planned for future release |
| Usability testing with target users | Compliant | Designed by a practising clinician; iterative feedback from DClinPsy trainee cohort |
| Accessibility (WCAG 2.1 AA) | Compliant | Contrast ratios meet 4.5:1 minimum; keyboard navigation; skip links; semantic HTML |