Trust, engineered.
Compliance is not a certificate we collect at the end. It is built into the first commit — the standards, the safety case and the data discipline that healthcare software has to meet.
Standards we build to
Digital Technology Assessment Criteria — our baseline for any NHS-facing tool.
Clinical risk management by the manufacturer, with a named clinical safety officer.
Clinical risk management for deployment into a live care setting.
Data protection by design and default, with DPIAs on every engagement.
Information security management system, currently being formalised.
Software as a Medical Device framework, applied where a tool meets the definition.
Data residency
Patient data stays in the United Kingdom by default. Our infrastructure is hosted in UK regions, and any exception is a deliberate, documented decision made with you — never a default we slipped past you.
We hold to data minimisation: we process what a clinical purpose requires, and no more.
Subprocessors
The third parties we rely on to deliver the service. This register is maintained and published in full; the summary below is indicative.
Vulnerability disclosure
We welcome reports from security researchers and treat them seriously. If you believe you have found a vulnerability in our systems, please tell us before disclosing it publicly, and give us a reasonable window to respond.
security@meridian.health
Bring us a problem worth solving.
If you run a service, a department, a practice, or a network — and you've imagined the AI tool you wish existed — we'd like to hear about it.