Security built for the most sensitive data in healthcare
A mental health record holds things people have never told anyone else. Protecting it is not a feature we added. It is how we have built Tacklit from the start.
Your data belongs to you
Under data protection law we are the processor and you are the controller. In plain terms: it is your data, and we treat it that way. We do not scan it for marketing. We do not sell it to third parties. We do not use identifiable information to train or advertise.
If you ever decide to leave, we help you take a full copy of your data with you, securely. If you ask us to erase data, we mark it for deletion, cut off access immediately, and remove it in line with our privacy policy.
Security is a company decision, not a setting
Real security is not one padlock. It is the people who can touch your data, the way we build software, the infrastructure it runs on, and the standards we hold ourselves to. Here is how each works.
Our people and processes
Everyone at Tacklit, at every level, does quarterly security, privacy and compliance training, and is tested on it. Access to live production data is restricted to senior staff on a least-privilege basis, granted only when genuinely needed and removed when it is not. Strong passwords, mandatory multi-factor authentication, and encrypted, remotely-wipeable devices are the baseline, not the exception. If something does go wrong, we have an incident response plan to triage and resolve it fast, notify anyone affected, and run a post-incident review so it does not happen twice.
How we build our software
We design for security before a line of code ships. Every change goes through peer code review against OWASP industry guidelines. We use Snyk for automated code and dependency scanning inside our build pipeline, run nightly automated regression tests in staging before anything reaches production, and run a bug bounty programme so accredited ethical hackers can responsibly disclose issues. Private endpoints only ever return data that belongs to the account requesting it.
The infrastructure it runs on
Tacklit runs on Google Cloud's world-class infrastructure, with 24/7 physical security, patched systems, and isolated test and production environments. Firewalls, IP allow-listing and network monitoring guard against intrusion, and we log and alert on suspicious activity. Everything is audited: who did what, when. Your data is backed up regularly and held independently from the database it protects, so we can recover it if the worst happens.
Encryption, everywhere
All data is encrypted in transit (TLS 1.2, AES-256) and at rest (AES-256) by default. Personally identifiable information gets an extra layer of encryption on top, so that neither our database administrators nor third-party infrastructure staff can read it. Uploaded files are encrypted and access-controlled, with every retrieval checked against the requesting user's identity.
Held to recognised standards
We hold a Cyber Essentials certification, the UK government-backed scheme that is required to bid for central government contracts involving sensitive and personal data. We align our handling of health information with HIPAA, GDPR, the UK Data Protection Act, and the Australian Privacy Act.
Cyber Essentials
The UK government-backed certification required to bid for central government contracts that involve sensitive and personal data.
Your data stays in your region
We store and process data onshore, in the country your account is held. If you take up an optional add-on service, some processing may happen elsewhere, and we tell you where.
The partners behind the platform
To deliver the full platform we work with a small set of highly reputable technology partners, for things like cloud infrastructure, messaging, telehealth video, payments and email. We assess every one of them for security, privacy and compliance before we trust them with any part of the service, and we keep that list public.
Need to go deeper?
If you are running a security or procurement review, our Trust Centre has the evidence: certifications, policies, data processing terms, sub-processors and our security whitepaper, all in one place.








