Security, Access & Auditability

Security Controls

Script Assist operates a regulated healthcare platform supporting clinical, prescribing, and controlled-drug workflows. The platform is operated within environments under Script Assist’s control, with layered controls for confidentiality, integrity, and availability.

  • Encryption: TLS 1.3 for all data in transit; AES-256 for data at rest.
  • Identity & Access: role- and user-based permissions (least privilege), MFA for all staff and client users, and one user / one login (no shared credentials). Sessions time out after inactivity. Access is reviewed quarterly by the Data Protection Officer.
  • Audit & Monitoring: all user sessions and key system interactions are captured in immutable audit logs. Anomalous behaviour and unauthorised access attempts trigger alerts and investigation.
  • Data Export & Download Controls: reporting exports are permissioned and logged.
  • Secure Operations: change control for production releases, segregation of environments, and routine backup and recovery processes.
  • Device & Workforce Controls: Script Assist staff use Script Assist-owned devices managed via MDM, with full-disk encryption and endpoint protection. Staff are subject to contractual confidentiality obligations and data-protection training.

Organisational Boundaries

Script Assist enforces organisational separation at platform level using multi-tenant boundaries.

  • Each clinic and each pharmacy operates within its own organisation environment.
  • Clinical records, prescriptions, dispensing activity, inventory, and operational workflow data are segregated by organisation.
  • An organisation can access only:
    • data created within that organisation, and
    • data explicitly routed to it as part of a defined operational process (for example, a prescription sent from a clinic to a dispensing pharmacy).

These boundaries are enforced through tenancy controls, role- and user-based access rules, and audited access.
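As an added illustration (not Script Assist's code), the two-part access rule above expressed as a policy check that records every allow or deny decision in an append-only audit log; the organisation identifiers, the record shape, and the rule that only the owning organisation may route a record onward are assumptions for the example:

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    """A tenant-scoped record, e.g. a prescription (constructed sample)."""
    record_id: str
    owner_org: str                                    # organisation that created it
    routed_to: set[str] = field(default_factory=set)  # orgs it was explicitly sent to


AUDIT_LOG: list[dict] = []   # stand-in for an append-only audit log


def _audit(actor_org: str, action: str, record_id: str, allowed: bool) -> None:
    # Every decision, allowed or denied, is recorded so denials can raise alerts.
    AUDIT_LOG.append({"org": actor_org, "action": action,
                      "record": record_id, "allowed": allowed})


def can_access(org_id: str, record: Record) -> bool:
    """Rule from the text: own data, or data explicitly routed to this org."""
    allowed = org_id == record.owner_org or org_id in record.routed_to
    _audit(org_id, "read", record.record_id, allowed)
    return allowed


def route_to(record: Record, from_org: str, to_org: str) -> bool:
    """Assumed rule: only the owning organisation may route its record onward."""
    allowed = from_org == record.owner_org
    if allowed:
        record.routed_to.add(to_org)
    _audit(from_org, f"route->{to_org}", record.record_id, allowed)
    return allowed


def demo() -> tuple[bool, bool, bool, bool, bool]:
    """Walk a prescription from clinic-a to pharmacy-x (constructed org ids)."""
    rx = Record("rx-001", owner_org="clinic-a")
    before = can_access("pharmacy-x", rx)              # False: not yet routed
    forged = route_to(rx, "pharmacy-x", "pharmacy-x")  # False: pharmacy cannot self-route
    routed = route_to(rx, "clinic-a", "pharmacy-x")    # True: clinic sends it on
    after = can_access("pharmacy-x", rx)               # True: explicitly routed
    other = can_access("clinic-b", rx)                 # False: unrelated organisation
    return before, forged, routed, after, other
```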

Patient Access Model

Patients interact with Script Assist as individuals receiving care.

  • Patients can complete onboarding steps, upload required documents, and view the status of their own care and prescriptions.
  • Patient access does not change organisational data boundaries or access controls.

Platform Versions: V1 and V2

Script Assist uses the same organisational segregation architecture across platform versions. The differences relate to patient login and onboarding only.

Script Assist V1

  • Patients authenticated via a single patient login.
  • Patient-uploaded onboarding materials (for example, identity and verification documents) were held at the patient level, so patients did not need to re-upload the same documents when engaging with a new clinic.
  • Clinical and prescribing activity was always recorded and managed within the relevant clinic’s organisation environment.

Script Assist V2 (live January 17th)

  • Patients authenticate via a separate patient login per clinic relationship (i.e. a single login per clinic).
  • Patient onboarding and document handling are scoped to that clinic relationship to improve clarity while preserving onboarding efficiency.
  • Organisational segregation, access controls, and audit logging remain unchanged.

Third-Party Incident Clarification: CB1 Medical / Scribd

In August, CB1 Medical experienced a data exposure incident unrelated to Script Assist systems. A CB1 user downloaded reporting exports using their own authorised access. Those files were subsequently modified outside of Script Assist and then uploaded by a CB1 user to a third-party document-sharing website (Scribd). Script Assist did not host, operate, or control Scribd. No Script Assist infrastructure, databases, or access controls were compromised.

Governance & Standards Alignment

Script Assist provides security and governance information to clinic, pharmacy, and enterprise partners as part of due diligence. Where required for a specific deployment, independent penetration testing and additional assurance can be commissioned on request.

Script Assist operates within established UK health and care governance frameworks. We meet DSPT expectations and follow the requirements of DCB0129 as part of our clinical risk management approach, which supports deploying organisations in meeting DCB0160 obligations. This framework underpins how we design, assess, and assure safety, security, and appropriate data handling across the platform.

We maintain clinical safety documentation aligned to DCB0129, including Clinical Safety Reports, which are available to clinic, pharmacy, and enterprise partners as part of due diligence.

Script Assist achieved Cyber Essentials certification (August 2025).

Certification position: While ISO 27001:2022 and SOC attestations are not currently held, our control environment and assurance approach are designed to align with NHS/DSPT expectations, and we provide transparency and evidence of controls as part of partner due diligence. Where a deployment calls for it, additional independent assurance (including third-party testing) can be commissioned.