Legal
Compliance framework
Last updated: · High-level posture; supplementary agreements may apply per customer
Netvett processes personal information in order to run a workforce infrastructure platform for regulated-adjacent sectors (including care, education, nursing and private security). This page summarises how we structure compliance internally; it complements our Privacy policy and any signed Data Processing Agreements (DPAs), and those documents prevail where they are more specific.
1. Regulatory anchor
- Primary privacy framework: UK GDPR and the Data Protection Act 2018.
- We designate a Data Protection Officer, reachable at dpo@netvett.io, and publish machine-readable endpoints that tooling can use to verify this contact and our published policies.
- We maintain Records of Processing Activities (ROPA), Data Protection Impact Assessments (DPIAs) where required for high-risk processing, and internal retention schedules referenced in our privacy disclosures.
2. Data residency and subprocessors
Production workloads run in UK regions; any redundancy outside the UK is limited to jurisdictions covered by UK adequacy regulations. Processor relationships (cloud, messaging, finance, protective monitoring) operate under terms that meet Article 28 UK GDPR, together with a transfer impact assessment wherever data must cross borders.
3. Sector alignment (without over-claiming)
Buyers map Netvett against their sector regulators' expectations (for example CQC, Ofsted/DfE, SIA, NMC, and HMRC where payroll integrations exist). We document control narratives and DPIAs tailored to our product scope. Software alone cannot discharge the statutory duties that employers owe; organisational policies, clinical governance, safeguarding leads, licensed managers and similar responsibilities remain with customers.
4. NHS and public-health datasets
Our stated commercial roadmap currently focuses on private-sector customers. Dedicated NHS commissioning, and publication of a Data Security and Protection Toolkit (DSPT) assessment, are not part of our active go-to-market until we formally open that programme. Contact trust@netvett.com before assuming that NHS-specific contractual baselines apply to sandbox pilots.
5. Assurance roadmap (certifications / testing)
Operational controls are described on our Security page. Formal assurance follows the commercial pipeline: Cyber Essentials Plus is on the roadmap as the pragmatic certification for many UK buyers; targeted penetration tests and ISO 27001 certification follow when Tier 1 enterprise contracts justify the spend. We badge an achievement only once the certificate or report has been formally issued; ask your account contact for evidence packs tied to procurement stages.
6. DBS disclosures and Registered Body trajectory
Integrations with Disclosure and Barring Service (DBS) checks depend on regulator approval. Unless stated otherwise, product materials describe the intended roadmap status of bulk disclosure routes that rely on Registered Body membership; live production paths require successful accreditation and, where applicable, a contractual integration with an approved Umbrella Body.
7. Procurement contact
For diligence questionnaires or DPAs initiated by authorised procurement teams, contact trust@netvett.com; security-specific evidence requests may also copy security@netvett.io.