Security & Trust

Security built for the most sensitive data in healthcare

A mental health record holds things people have never told anyone else. Protecting it is not a feature we added. It is how we have built Tacklit from the start.

Cyber Essentials certifiedAES-256 encryption, in transit and at restData stored onshore in your region
Our position on your data

Your data belongs to you

Under data protection law we are the processor and you are the controller. In plain terms: it is your data, and we treat it that way. We do not scan it for marketing. We do not sell it to third parties. We do not use identifiable information to train or advertise.

Not scanned for marketing
Your clinical content is never mined to sell you, or anyone else, anything.
Never sold
We do not sell client records to third parties. There is no version of Tacklit where we would.
No training on identifiable data
Identifiable information is never used to train models or to advertise.

If you ever decide to leave, we help you take a full copy of your data with you, securely. If you ask us to erase data, we mark it for deletion, cut off access immediately, and remove it in line with our privacy policy.

How we protect it

Security is a company decision, not a setting

Real security is not one padlock. It is the people who can touch your data, the way we build software, the infrastructure it runs on, and the standards we hold ourselves to. Here is how each works.

Pillar 01

Our people and processes

Everyone at Tacklit, at every level, does quarterly security, privacy and compliance training, and is tested on it. Access to live production data is restricted to senior staff on a least-privilege basis, granted only when genuinely needed and removed when it is not. Strong passwords, mandatory multi-factor authentication, and encrypted, remotely-wipeable devices are the baseline, not the exception. If something does go wrong, we have an incident response plan to triage and resolve it fast, notify anyone affected, and run a post-incident review so it does not happen twice.

Pillar 02

How we build our software

We design for security before a line of code ships. Every change goes through peer code review against OWASP industry guidelines. We use Snyk for automated code and dependency scanning inside our build pipeline, run nightly automated regression tests in staging before anything reaches production, and run a bug bounty programme so accredited ethical hackers can responsibly disclose issues. Private endpoints only ever return data that belongs to the account requesting it.

Pillar 03

The infrastructure it runs on

Tacklit runs on Google Cloud's world-class infrastructure, with 24/7 physical security, patched systems, and isolated test and production environments. Firewalls, IP allow-listing and network monitoring guard against intrusion, and we log and alert on suspicious activity. Everything is audited: who did what, when. Your data is backed up regularly and held independently from the database it protects, so we can recover it if the worst happens.

Pillar 04

Encryption, everywhere

All data is encrypted in transit (TLS 1.2, AES-256) and at rest (AES-256) by default. Personally identifiable information gets an extra layer of encryption on top, so that neither our database administrators nor third-party infrastructure staff can read it. Uploaded files are encrypted and access-controlled, with every retrieval checked against the requesting user's identity.

Certifications & standards

Held to recognised standards

We hold a Cyber Essentials certification, the UK government-backed scheme that is required to bid for central government contracts involving sensitive and personal data. We align our handling of health information with HIPAA, GDPR, the UK Data Protection Act, and the Australian Privacy Act.

Certified

Cyber Essentials

The UK government-backed certification required to bid for central government contracts that involve sensitive and personal data.

View the live certificate
Aligned with
HIPAAhealth information handling
GDPREU data protection
UK Data Protection Act
Australian Privacy Act
NZ Privacy Act
Where your data lives

Your data stays in your region

We store and process data onshore, in the country your account is held. If you take up an optional add-on service, some processing may happen elsewhere, and we tell you where.

United Kingdom
UK customer data is stored in UK data centres.
Australia & NZ
Australian & NZ customer data is stored in Australian data centres.
USA
American customer data is stored in the US
Middle East
We run our stack in Dalaman, SA
Who we work with

The partners behind the platform

To deliver the full platform we work with a small set of highly reputable technology partners, for things like cloud infrastructure, messaging, telehealth video, payments and email. We assess every one of them for security, privacy and compliance before we trust them with any part of the service, and we keep that list public.

Cloud infrastructureMessagingTelehealth videoPaymentsEmail

Need to go deeper?

If you are running a security or procurement review, our Trust Centre has the evidence: certifications, policies, data processing terms, sub-processors and our security whitepaper, all in one place.

St Kilda, Melbourne

We acknowledge the Aboriginal and Torres Strait Islander peoples as the first inhabitants of this nation and the traditional custodians of the lands where we live, learn and work.

City Road, London

Ecocity, Kuala Lumpur

TACKLIT © All Rights Reserved, 2026.

St Kilda, Melbourne

We acknowledge the Aboriginal and Torres Strait Islander peoples as the first inhabitants of this nation and the traditional custodians of the lands where we live, learn and work.

City Road, London

Ecocity, Kuala Lumpur

TACKLIT © All Rights Reserved, 2026.

St Kilda, Melbourne

We acknowledge the Aboriginal and Torres Strait Islander peoples as the first inhabitants of this nation and the traditional custodians of the lands where we live, learn and work.

City Road, London

Ecocity, Kuala Lumpur

TACKLIT © All Rights Reserved, 2026.

St Kilda, Melbourne

We acknowledge the Aboriginal and Torres Strait Islander peoples as the first inhabitants of this nation and the traditional custodians of the lands where we live, learn and work.

City Road, London

Ecocity, Kuala Lumpur

TACKLIT © All Rights Reserved, 2026.