Keeping data safe

Healthcare professionals and patients place their trust in Gateway® to handle sensitive information every day. Protecting that data is our highest priority. You can be confident that Gateway® meets and exceeds NHS and UK government data protection standards.

How we protect your data

Be assured that we never sell or share your data with third parties. We follow the NHS code of conduct for data-driven technology, and all our staff are trained in data security.

End-to-end encryption

All data is protected during transmission and storage.

Role-based access

Access is limited to authorized users, via CIS2 login.

Regular penetration testing

All tests are documented and audited.

Full audit trails

Full transparency for NHS and compliance reporting.

Secure UK hosting

Compliance with GDPR and NHS Data Residency requirements.

Continuous monitoring

Rapid response and notification.

Our accreditations

Gateway® has been independently verified and approved against the leading healthcare data protection frameworks.

ISO 27001:2022

International standard for information security management

Cyber Essentials Plus

The UK Government’s Cyber Defence Programme

DSPT

NHS Data Protection Assessment and Validation Tool

DCB0129/DCB0160 Clinical Safety

DCB1596 Secure Email

NCSC CHECK Penetration Tested

Frequently asked questions

To find out how we use and protect your data, look at the frequently asked questions below. If you don’t find what you need here, please don’t hesitate to contact our friendly team.

What does your Gateway® software do?

Gateway® integrates with existing IT systems in primary care and connects directly to the NHS e-Referral Service. It enables referrals to Secondary Care, Community, or Social Care services, reducing delays and ensuring patients are seen in the right place at the right time. 

You can read more about who Gateway® helps, including patients, commissioners, General Practice, Secondary Care, Opticians and Dentists.

  • All patient data is encrypted when transmitted and stored.
  • Data is hosted within dual-resilient data centers (accredited to: PCI-DSS, SOC2, ISO 27001, ISO 14001, ISO 9001, ISO 45001, ISO 50001).
  • We undergo regular testing and audits to ensure ongoing resilience.
  • Our compliance is assessed through the NHS DSP Toolkit (Standards exceeded) and external certification bodies.

Typically, the healthcare organisation is the ‘data controller’. Patients are the data subjects. We (Accenda) are the data processor – where our Gateway® service is used. This means that we process data about your patients under the terms in our Data Processing Agreement, to allow you (as a healthcare organisation) to provide a service to your patients.

Here at Accenda we host our own equipment within dual-resilient data centers (accredited to: PCI-DSS, SOC2, ISO 27001, ISO 14001, ISO 9001, ISO 45001, ISO 50001).

Yes, Accenda holds both the Cyber Essentials and Cyber Essentials Plus certification. These UK government-backed standards demonstrate that our systems are protected against common cyber threats and independently verified.

When we work with healthcare organisations, we enter into a contract which includes a binding commitment about what data we use and how we keep it safe. These commitments comply with the key laws in this area – the Data Protection Act 2018 and the UK General Data Protection Regulation – and the rules and standards set out by the NHS on handling health care data.

Fundamentally, we act as something called a ‘data processor’. This means we can only use your data under the instructions of your healthcare providers, who are the data controllers i.e. the organisations delivering patient care, such as a GP practice or hospital. They are ultimately responsible for creating and storing information about patients and their health, such as in a patient record.

We have the same agreement with every organisation using Gateway®.