Security & Privacy
Formulate is designed from the ground up to protect clinical data. Here's how we keep your practice and your clients safe.
Encryption & Infrastructure
All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Our database is hosted on Supabase (AWS eu-west-2, London region), ensuring data residency within the UK.
Access Control
Row-level security (RLS) is enforced at the database level. Every query is scoped to the authenticated therapist — one practitioner can never access another's client data, even through direct API calls.
GDPR Compliance
Clients are identified by pseudonymous labels (initials or codes), never by full name or email. Every client has a secure data portal where they can view their submitted responses and request deletion under GDPR Article 17. Deleted data is purged permanently after a 90-day retention window.
AI Data Handling
Before any text is sent to our AI for worksheet generation, it passes through a PII stripping process that detects and replaces email addresses, phone numbers, NHS numbers, postcodes, and names with safe placeholders. Your data is never used to train AI models.
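A sketch of what a pattern-based stripping pass of this kind can look like. This is an added example, not Formulate's own code; the function names, placeholder strings and simplified UK phone and postcode patterns are assumptions. Names are left out because they need a known-name list or an NER model rather than a regex. Ten-digit runs that fail the NHS modulus-11 check are still masked, so a mistyped number does not leak.

```javascript
// Added example: regex-based PII scrubber (not Formulate's implementation).
// Rule names and placeholder strings below are assumptions for illustration.

// NHS numbers are 10 digits; the tenth is a modulus-11 check digit
// computed over the first nine with weights 10 down to 2.
function isValidNhsNumber(digits) {
  if (!/^\d{10}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += Number(digits[i]) * (10 - i);
  const check = 11 - (sum % 11);
  if (check === 10) return false; // 10 is never a valid check digit
  return (check === 11 ? 0 : check) === Number(digits[9]);
}

// Order matters: emails and phone numbers are masked before the
// ten-digit rule so their digits cannot be re-matched.
const RULES = [
  ["email", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, () => "[EMAIL]"],
  // Simplified UK format: 0 or +44, then 4 + 6 digits.
  ["phone", /(?<!\d)(?:\+44\s?|0)\d{4}\s?\d{6}(?!\d)/g, () => "[PHONE]"],
  // Fail closed: a checksum miss is still replaced, with a generic label.
  ["tenDigit", /(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{4}(?!\d)/g,
    (m) => (isValidNhsNumber(m.replace(/\D/g, "")) ? "[NHS_NUMBER]" : "[NUMBER]")],
  ["postcode", /\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b/gi, () => "[POSTCODE]"],
];

function redactPII(text) {
  const counts = {};
  let out = text;
  for (const [kind, pattern, placeholder] of RULES) {
    out = out.replace(pattern, (match) => {
      counts[kind] = (counts[kind] || 0) + 1;
      return placeholder(match);
    });
  }
  return { text: out, counts };
}

// Constructed sample input (reserved test values, not real client data).
const SAMPLE =
  "Email pt@example.org or call 07700 900123. " +
  "NHS 943 476 5919, postcode SW1A 1AA, ref 9434765918.";

console.log(redactPII(SAMPLE));
```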
Content Security Policy
Every page response includes a strict Content Security Policy with per-request nonces. Inline scripts are only executed when they carry the valid nonce for that response, preventing cross-site scripting (XSS) attacks.
Subprocessors
Third-party services that process data on our behalf.
| Service | Purpose | Data Location |
|---|---|---|
| Supabase | Database, authentication & file storage | EU (London) |
| Stripe | Payment processing | US / EU |
| Resend | Transactional email | US |
| Anthropic | AI worksheet generation | US |
| Vercel | Application hosting & CDN | Global edge |
| Sentry | Error monitoring | US |
Have a security concern?
Contact us at hello@formulatetools.co.uk
Need a Data Processing Agreement? View our DPA · DTAC Compliance · Clinical Safety Case