
Cloud Services Specification – Empathika Cloud Platform

Document Status: Public  
Release 2025.2  
Last Updated: January 14, 2026


1. Purpose of this Document 

This Cloud Services Specification describes the scope, characteristics, and delivery model of the Empathika cloud services provided by CareApps Limited, the developer and operator of the Empathika platform (the “Cloud Services”). 

This document is intended for customers, prospective customers, procurement teams, and regulatory stakeholders. It is written to be accessible to the public while supporting assurance and transparency for organisations operating within the UK health and care sector. 

The Cloud Services are designed and operated in alignment with applicable UK data protection legislation and relevant NHS guidance, including the NHS Data Security and Protection Toolkit (DSPT). This document provides an overview of how the Cloud Services support data security, information governance, and operational resilience expectations commonly required by NHS and social care organisations. 

This document does not describe pricing, commercial terms, or service level commitments. Detailed contractual, availability, and data protection obligations are defined separately in applicable service agreements, including the Service Level Agreement (SLA) and Data Processing Agreement (DPA). 


2. Cloud Service Overview

Empathika is a cloud-hosted software-as-a-service (SaaS) platform designed for use in residential care and related care settings. 

The Cloud Services are accessed via supported modern web browsers and do not require on-premise software installation. The platform supports: 


  • Medication management and administration records 

  • Digital care records and documentation 

  • Compliance, audit, and reporting workflows 

  • Secure collaboration between authorised users and healthcare partners 


3. Scope of Cloud Services

3.1 Included Services 

The Cloud Services include access to the Empathika cloud platform and its core functionality, which may include: 

  • Medication management modules 

  • Digital care documentation and record keeping 

  • Compliance, audit, and reporting tools 

  • User management and role-based access controls 

  • Secure hosting, operation, and maintenance of the platform 


3.2 Exclusions 

The Cloud Services do not include: 

  • Clinical decision-making or the provision of medical advice 

  • Replacement of professional clinical judgement 

  • Local device management or customer-side IT infrastructure 

  • On-site installation or on-premise deployment 


4. Service Delivery and Architecture 

4.1 Service Model 

Empathika is delivered as a multi-tenant cloud service. Each customer’s data is logically segregated from other customers to ensure confidentiality and data separation. 

Customers do not have access to data belonging to other tenants. 


4.2 Updates and Maintenance 

The Cloud Services are continuously maintained and improved. Updates may include feature enhancements, security patches, bug fixes, and performance improvements. 

Updates are deployed centrally and do not require customer action. Where updates may materially affect functionality, reasonable advance notice is provided where practicable. 

5. Service Availability and Resilience 

Empathika is designed for high availability and operational resilience to support continuity of care services. 

Planned maintenance is scheduled to minimise disruption wherever reasonably possible. Specific availability targets and response commitments are defined in applicable service agreements. 

6. Security, Privacy, and Data Protection 

6.1 Information Governance and DSP Alignment 

Empathika is designed to support compliance with: 

  • UK General Data Protection Regulation (UK GDPR) 

  • Data Protection Act 2018 

  • NHS Data Security and Protection Toolkit (DSPT) 

For the purposes of data protection law: 

  • Customers act as Data Controllers 

  • CareApps Limited acts as Data Processor, processing personal data only on documented customer instructions 


6.2 Security Controls 

The Empathika Cloud Services implement appropriate technical and organisational measures to protect personal data and system integrity, including: 

  • Role-based access control 

  • Encryption of data in transit and at rest 

  • Audit logging and activity monitoring 

  • Secure authentication mechanisms 

  • Confidentiality obligations for all personnel 


Security controls are aligned with NHS data security principles and recognised good industry practice. 

6.3 Data Location and Transfers 

Personal data processed by the Cloud Services is hosted in approved cloud environments located within the United Kingdom, unless otherwise agreed in writing. 

Any international transfers of personal data are subject to appropriate safeguards in accordance with applicable data protection law. 

7. Backup and Disaster Recovery 

Data is backed up on a regular basis in accordance with defined backup schedules. 

Disaster recovery processes are in place to support service continuity and the restoration of data access following incidents. Detailed recovery objectives and commitments are defined in applicable service agreements. 

8. Sub-processors 

CareApps Limited may engage carefully selected sub-processors to support delivery of the Cloud Services, including cloud infrastructure and operational service providers. 

All sub-processors are subject to contractual obligations that provide equivalent data protection and security standards to those applied by CareApps Limited. Information about approved sub-processors is made available in accordance with applicable data protection agreements. 

9. Browser and Device Support 

The Cloud Services support modern web browsers, including the latest versions of: 

  • Google Chrome 

  • Microsoft Edge 

  • Mozilla Firefox 

  • Apple Safari 


Internet Explorer is not supported. 

10. Limitations and Dependencies 

Service performance may depend on factors outside the control of CareApps Limited, including internet connectivity, device capabilities, and customer configuration choices. 

Customers are responsible for ensuring appropriate internal access controls, staff training, and local operational procedures when using the Cloud Services. 

Certain integrations, modules, or third-party services may require additional configuration or separate agreements. 

11. Important Notices 

This document describes the Cloud Services as generally provided at the date of publication and may be updated from time to time as the service evolves. 

Nothing in this document constitutes a warranty, service commitment, or contractual obligation.