Compliance & Security

Evidence you can stand behind on inspection day.

Sentinote exists to make safeguarding responses fast and provable. That only works if the data underneath it is handled carefully. Here's how we approach compliance, data protection, and security — written plainly, with no overclaiming.

CQC alignment

Built around the questions inspectors ask.

The CQC's framework turns on five key questions. Most safeguarding failures aren't missed notes — they're missed timing, or no record that anyone acted. Sentinote produces the timeline that answers the two questions that matter most: was it seen, and was it acted on.

Sentinote is a tool that supports your compliance — it doesn't replace your own policies, training, or registered manager's judgement. Our exports are formatted to make inspection evidence easy to assemble; the responsibility for CQC registration and standards remains with your service.

Data protection

UK data, handled under UK GDPR.

Care notes flow into Sentinote over an encrypted UK connection, are matched against your rules, and the alert plus matched note text are kept in your tenant-isolated audit log inside the UK. Retention is clamped to your plan: 14 days on Trial, 30 days on Starter, 90 days on Growth, 12 months on Scale. Notes are never shared with third parties and never used to train models.

Matched in memory, logged in the UK

Notes are matched against your rules in memory; when a rule fires, the alert and matched note text are written to your tenant-isolated audit log in the UK.

Clear processor role

Your agency is the data controller; Sentinote acts as your processor. A Data Processing Agreement is ready to sign before any trial goes live.

Retention you control

The alert record — matched note text, the rule that fired, client & carer identifiers, and dispatch outcome — sits in your tenant-isolated UK audit log, then is deleted automatically per your plan's retention.

Registered with the ICO: registration ZC173286
Data controller (Sentinote): VAR Data Works, trading as Sentinote
Lawful basis: processing on behalf of your agency under a written DPA
Data subject rights & DPA requests: hello@sentinote.co.uk

Security

Sensible defaults, least privilege.

We keep the security model simple and conservative: encrypt everything in transit and at rest, give people only the access they need, and keep recoverable backups.

Encryption in transit & at rest

All traffic runs over TLS. Stored notes and audit records are encrypted at rest in our UK hosting environment.

Role-based access

Access is scoped to roles — carers, managers, and stakeholders see only what their role allows. Internal access follows least-privilege principles.

Backups & recovery

Audit data is backed up regularly so an alert trail can be recovered. Backups stay within the UK hosting region.

Responsible disclosure

Found a security issue? Email us and we'll respond quickly. We'd rather hear about it than not.

We're an early-stage product and don't yet hold formal certifications such as ISO 27001 or Cyber Essentials. We're happy to share our current security posture and roadmap on request — ask us before you commit.

Audit logs

A timestamped chain of custody.

Every step of an alert's life is recorded to the second — note logged, rule matched, call placed, call answered, follow-up taken. Filter by client, severity, or date range, and export in one click.

Want our security posture in writing?

We'll walk your team through how data is handled and share our DPA before you commit a single real note.

Talk to us: hello@sentinote.co.uk