DTAC Compliance
How Formulate meets the NHS Digital Technology Assessment Criteria for digital health technologies.
What is DTAC?
The Digital Technology Assessment Criteria (DTAC) is the NHS framework for evaluating digital health technologies. It assesses products across five pillars: clinical safety, data protection, technical security, interoperability, and usability. Formulate has completed a DTAC self-assessment to demonstrate our commitment to meeting the standards expected by NHS organisations and training programmes.
The Five Pillars
Clinical Safety
Formulate maintains a clinical safety case summary and hazard log aligned with DCB0129, overseen by a designated clinical safety lead. Hazards are identified, risk-rated, and mitigated. Outcome-measure scoring uses validated algorithms with deterioration alerting.
Data Protection
GDPR-aligned by design. Client records are pseudonymised (initials or codes, never full names). A published Data Processing Agreement covers all processor obligations. Clients can request deletion of their data via a secure portal under GDPR Article 17, and view their responses where their therapist has enabled sharing.
Technical Security
AES-256 encryption at rest, TLS 1.2+ in transit. Row-level security enforced at the database layer. Content Security Policy with per-request nonces on HTML pages. PII stripping before AI processing. UK-hosted database (AWS eu-west-2, London); application compute via Vercel’s global edge.
Interoperability
Worksheets and formulation outputs are exportable as print-ready PDFs. Outcome measure data uses validated scoring aligned with IAPT minimum dataset definitions. Homework is delivered via tokenised URLs that work across any device or browser.
Usability & Accessibility
Responsive design tested across mobile, tablet, and desktop. WCAG 2.1 AA contrast compliance. Keyboard-navigable interface with skip navigation. Guided onboarding flow for new users. Worksheets designed at an appropriate reading level for client-facing use.
Criterion-by-Criterion Assessment
Status of each DTAC criterion as of June 2026, from Formulate's own self-assessment (not an external certification).
| Criterion | Status | Evidence |
|---|---|---|
| Clinical safety case (DCB0129) | In progress | Published hazard-log summary at /clinical-safety; full DCB0129 clinical safety case report in preparation |
| Clinical safety officer designated | In progress | Interim clinical safety lead: Tarun Vermani (DClinPsy trainee, UCL). A qualified Clinical Safety Officer is being appointed |
| Hazard log maintained | Compliant | Six identified hazards with severity, likelihood, mitigations, and residual risk documented |
| Data Protection Impact Assessment | In progress | DPIA drafted; finalisation and sign-off in progress |
| GDPR Article 28 DPA published | Compliant | Data Processing Agreement published at /dpa with full processor obligations |
| Data subject access and deletion | Compliant | Client data portal supports deletion under Article 17; clients can view their submitted responses where their therapist has enabled response sharing |
| Encryption at rest and in transit | Compliant | AES-256 at rest, TLS 1.2+ in transit, UK-hosted database (AWS eu-west-2) |
| Access control and authentication | Compliant | Row-level security at database layer; Supabase Auth with JWT; per-therapist data isolation |
| Penetration testing | Planned | Scheduled as part of DSPT registration process |
| Vulnerability management | Partially compliant | Sentry error monitoring; CSP with per-request nonces on HTML pages; routine dependency updates. Automated dependency scanning planned |
| Business continuity | In progress | Supabase-managed infrastructure with CDN-based static asset serving (Vercel); automated backups and point-in-time recovery to be enabled |
| Interoperability standards | Partially compliant | PDF export for clinical outputs; IAPT-aligned outcome measures. FHIR integration planned for future release |
| Usability testing with target users | Partially compliant | Designed by a practising clinician; iterative feedback from DClinPsy trainee cohort. Structured usability study planned |
| Accessibility (WCAG 2.1 AA) | Partially compliant | Substantial conformance: contrast ratios target 4.5:1; keyboard navigation; skip links; semantic HTML. Formal WCAG 2.1 AA audit in progress |