UK Healthcare Compliance

GreenM builds and runs private AI and health-data platforms for UK healthcare organisations, deployed inside the organisation's own cloud or on premises. Because the platform runs inside your environment, patient data never leaves your boundary, and the work sits within your existing NHS Data Security and Protection Toolkit (DSPT) scope and information governance rather than a separate supplier's. GreenM is not a vendor asking you to extend trust to its certification boundary. It deploys within yours, and supplies the documentation and controls your governance process needs.

How is GreenM different from vendor-hosted healthcare AI tools?

Most UK healthcare AI compliance pages belong to voice-scribe and clinical-documentation tools. Those are vendor-hosted, so patient data flows out to the supplier. The supplier then needs its own DSPT, its own certifications, and its own boundary for you to trust.

GreenM is data infrastructure and private AI, deployed inside your environment. Patient data never leaves your boundary. Compliance is inherited from your governance and GreenM's engineering, not from a separate vendor perimeter. The same deployment model spans every GreenM service: AI Launchpad, Private AI Foundation, Unified Health Data, and Clinical Workflow Integration and Automation.

How does GreenM work within your compliance environment?

GreenM deploys private AI inside your own cloud or on premises and operates as the data processor under UK GDPR and the Data Protection Act 2018, with your organisation as the data controller. The platform runs within your existing governance: your DSPT scope, your information governance, your access policies.

Rather than holding a separate set of supplier certifications, GreenM provides what your own assessments need: the technical and security documentation for the deployed platform, the data-protection and data-residency detail for your records, and the interoperability and access design for your review. Your governance stays the system of record. GreenM gives it accurate inputs.

How does GreenM handle NHS data security and the DSPT?

The NHS Data Security and Protection Toolkit (DSPT) is the annual self-assessment NHS England requires of organisations that access NHS patient data, measured against the National Data Guardian's data security standards and UK GDPR obligations.

GreenM does not hold a separate DSPT submission, because GreenM does not host your patient data. Vendor-hosted tools need their own DSPT because your data flows out to them. GreenM deploys inside your environment, so patient data stays within your DSPT-assessed boundary and your existing toolkit scope applies.

When your team completes or renews its DSPT, GreenM provides the technical and security documentation for the platform we have deployed, so the assessment reflects what is actually running in your environment.

How does GreenM support a DTAC assessment?

The Digital Technology Assessment Criteria (DTAC), published by NHS England, is the baseline NHS organisations use to assess a digital health product across five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility. DTAC is completed by the deploying organisation. GreenM supports that local review by supplying the platform evidence for each area:

Data protection — UK GDPR and Data Protection Act 2018 alignment, processor role, data residency (see below).

Technical security — the controls listed in the next section.

Interoperability — HL7 FHIR R4 resources (Patient, Encounter, Observation, DocumentReference) where clinical systems are integrated.

Clinical safety — assessed by the deploying organisation as part of its own clinical risk management, since GreenM provides data infrastructure and decision support rather than a clinical decision-making device.

Usability and accessibility — reviewed per deployment against the organisation's accessibility requirements.

What technical security controls does GreenM build in?

Across the deployments we run, security is part of the architecture rather than a review at the end. Each platform is built with encryption in transit and at rest, role-based access control, tenant isolation, audit logging of system and model activity, and multi-factor authentication. Private models run inside your environment.

GreenM engineers to the controls behind Cyber Essentials (NCSC) and ISO/IEC 27001, and has supported client organisations through ISO/IEC 27001 and SOC 2 (Type I and Type II) audits.

Where does patient data live, and is it used to train AI models?

Under UK GDPR and the Data Protection Act 2018, GreenM acts as the data processor and your organisation remains the data controller.

The platform is deployed in your chosen UK region — Azure UK South, AWS London (eu-west-2), or on premises — with no cross-region replication and no outbound data egress beyond your environment. Patient data, model weights, and inference logs do not leave your boundary. Your data is not used to train shared or third-party models. A Data Processing Agreement (DPA) is available for review.

Planning a UK healthcare AI deployment?
Talk to GreenM about a private AI rollout inside your own environment.
Book a Call

Frequently asked questions

Is GreenM approved for use in the NHS?

There is no single NHS-wide approval a supplier can hold. NHS organisations approve digital products through their own governance: the DSPT, a local DTAC assessment, and information governance review. GreenM deploys inside your environment and provides the documentation your team needs for that local review.

Does GreenM hold its own NHS DSPT?

No, and it does not need one for the way GreenM deploys. Patient data stays inside your DSPT-assessed environment. GreenM supports your toolkit submission with platform documentation.

Where is patient data stored?

In your own environment, in a UK region (Azure UK South or AWS London) or on premises. Patient data does not leave your boundary and is not used to train shared or third-party models.

Does GreenM hold ISO 27001 or SOC 2?

GreenM engineers to those controls and has supported client organisations through ISO/IEC 27001 and SOC 2 (Type I and Type II) audits.

Who is responsible for clinical safety?

Clinical safety and clinical risk management sit with the deploying organisation, since GreenM provides data infrastructure and decision support rather than a clinical decision-making device. GreenM supplies the technical evidence your clinical safety process needs.