Security is at the core of Ally, protecting sensitive clinical data and maintaining the trust of providers and their clients.

Occupational health providers manage some of the most sensitive data in any workplace. Every layer of Ally is engineered to protect it.

OUR FRAMEWORK

Built to recognised enterprise standards from day one.

Ally's security programme is structured in alignment with SOC 2 Trust Services Criteria, the ISO/IEC 27001 control framework, and the requirements of UK GDPR and the Data Protection Act 2018. Formal certification audits are planned as part of our growth roadmap. Controls are being implemented now so the platform meets enterprise security expectations before certification, not after.

ISO 27001 aligned

Controls implemented to ISO/IEC 27001 framework

SOC 2 aligned

Certification planned as part of growth roadmap

UK GDPR

Data Protection Act 2018 compliant

INFRASTRUCTURE

Hosted on AWS. Architected for reliability and security.

Ally is hosted on Amazon Web Services, built in alignment with the AWS Well-Architected Framework. All primary infrastructure is hosted within the United Kingdom, ensuring data residency remains aligned with UK regulatory expectations. Our infrastructure is designed for high availability, resilience and secure multi-tenant deployments at scale.

Encryption at rest and in transit

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption extends to backups and stored datasets with secure key management throughout.

UK data residency

All primary infrastructure is hosted within the United Kingdom. Your data does not leave UK jurisdiction. Formal Data Processing Agreements are available on request.

Backups and disaster recovery

Automated encrypted backups and infrastructure redundancy protect against data loss. Disaster recovery procedures are in place to support timely restoration of services following any major incident.

Monitoring and incident response

Logging and monitoring run across both the infrastructure and application layers. Security events are monitored for anomalous behaviour and unauthorised access. Logs are retained to support forensic analysis where required.

ACCESS AND AUTHENTICATION

The right people see the right data. Nothing more.

Access within Ally is governed by least-privilege principles. Every user only sees what their role requires. Clear segregation is maintained between provider, client and administrative roles across all multi-tenant deployments.

Secure authentication

OAuth 2.0 standards-based authentication with secure token-based session management. Strong password policies are enforced and configurable session timeouts minimise exposure from inactive sessions. Enterprise SSO integration is supported where required.

Role-based access control

Granular, least-privilege permissions are enforced at both organisation and user level. Provider, client and administrative roles are clearly separated. No user can access data or functionality outside their defined permissions.

Application security

Security is embedded throughout our development lifecycle. Structured code reviews, dependency management, continuous vulnerability scanning and regular updates are standard practice. Production deployments are tightly access-controlled and we proactively remediate risks in line with industry best practice.

SECURITY ROADMAP

Where we are and where we are going.

We are transparent about our current security posture and our commitment to continuous improvement as the platform grows.

LIVE

  • AES-256 encryption at rest and in transit: All data encrypted at rest and in transit across the platform from day one.
  • UK data residency: All primary infrastructure hosted within the United Kingdom.
  • Role-based access control: Granular least-privilege permissions enforced across all user roles.
  • OAuth 2.0 authentication: Secure standards-based authentication with session management and SSO support.

PLANNED

  • ISO 27001 certification: Formal ISO 27001 certification to follow as the platform and customer base scale.
  • SOC 2 Type I certification: Formal SOC 2 audit to be initiated in line with onboarding and growth milestones.

Security questions? We welcome them.

We understand that occupational health providers handle highly sensitive clinical information. If you need additional documentation, technical clarification or want to discuss our security posture in more detail, please get in touch.
Email: hello@allyhealth.uk



Ally streamlines workflows to improve care, reduce errors, and lower operational costs.

Efficiency built for clinicians.

© 2025. All rights reserved.