Security Centre
Security is not a feature at Ally. It is foundational to how the platform is designed, built, and operated.
We understand that occupational health providers manage highly sensitive clinical and employment data. Every layer of the Ally platform is engineered to protect confidentiality, integrity, and availability, while supporting regulatory compliance and clinical governance requirements.
Our Security Approach
Ally’s security programme is structured in alignment with the SOC 2 Trust Services Criteria, the ISO/IEC 27001 control framework, and the requirements of UK GDPR and the Data Protection Act 2018.
Formal certification audits are planned as part of our growth roadmap. In the meantime, our controls are being implemented in accordance with these recognised standards to ensure the platform is built to meet enterprise security expectations from day one.

Infrastructure and Hosting
Ally is hosted on Amazon Web Services and is architected in alignment with the AWS Well-Architected Framework. Our infrastructure is designed around the core principles of operational excellence, security, reliability, performance efficiency, and cost optimisation. By leveraging managed AWS services, we reduce infrastructure risk while ensuring high availability, resilience, and scalable performance to support growing occupational health providers.
Our hosting environment is built to maintain consistent uptime, support secure multi-tenant deployments, and provide the stability required for handling sensitive clinical data at scale.

Encryption at Rest and In Transit
All data within Ally is encrypted at rest using AES-256 encryption standards. Data transmitted between users and the platform is protected using TLS 1.2 or higher to ensure secure communication across networks.
Encryption extends to backups and stored datasets, and secure key management practices are implemented to maintain strict control over cryptographic materials. This ensures that sensitive clinical and employee data remains protected both within the platform and during transmission at all times.

Application Security
Security is embedded throughout our development lifecycle. We follow secure engineering practices that include structured code reviews, disciplined dependency management, continuous vulnerability scanning, and regular security updates. Production deployments are tightly access-controlled to reduce risk and maintain platform integrity.
We continuously monitor for emerging vulnerabilities and proactively remediate risks in line with recognised industry best practice, ensuring the platform remains resilient as it evolves.
Monitoring and Incident Response
Ally implements logging and monitoring across infrastructure and application layers.
Security events are monitored to detect anomalous behaviour, unauthorised access attempts, and system misuse. Logs are retained and reviewed to support forensic analysis where required.
We maintain an incident response process designed to identify, contain, and remediate security events promptly.

Data Residency and Compliance
All primary infrastructure is hosted within the United Kingdom, ensuring data residency remains aligned with UK regulatory expectations. We support compliance with UK GDPR through the implementation of data minimisation principles, robust access control policies, strong encryption standards, and secure data handling procedures embedded across the platform.
Where required, formal Data Processing Agreements can be provided to customers to clearly define responsibilities and ensure regulatory transparency.

Business Continuity and Backup
Ally is designed with resilience at its core to ensure continuity of service. We implement automated backups and infrastructure redundancy to minimise the risk of disruption, and all backup data is encrypted and stored securely to maintain data integrity and confidentiality.
Comprehensive disaster recovery procedures are in place to support timely restoration of services in the event of a major incident, helping ensure operational stability for occupational health providers and their clients.
Security Roadmap
Our security programme is structured in alignment with SOC 2 and ISO 27001 frameworks. Formal certification audits will be initiated in line with onboarding and growth milestones.
We are committed to continuous improvement and maturing our control environment as we scale.

