Section 01
Purpose
A plain-English summary of how We Are Care and Baton protect the data we hold. Fuller detail sits on the Baton Trust Centre.
Section 02
Access control
Access is role-based and limited to authorised people on a need-to-know basis; by default, permissions are set by role type. Within Baton, client providers can configure permissions for their own users. Multi-factor authentication is in place on key systems, and we extend our controls as the platform grows.
Section 03
Hosting and encryption
Data is hosted with reputable providers (Supabase, Netlify and Microsoft 365) and is encrypted in transit and at rest. Supabase data is held in the EU region.
Section 04
Logging and audit
Material actions are logged to support audit and incident response.
Section 05
Supplier access
Suppliers that process our data are listed in the Baton Subprocessor Summary and are bound by appropriate terms.
Section 06
Incidents
Security incidents are handled under our Data Breach & Security Incident Response procedure.
Published at wearecare.co.uk/policies/information-security.