Security

Your patients’ data. Our responsibility.

Every system on your practice website is handled to NHS-contractual standards — independently verified, annually renewed.

Accreditations

%

WCAG 2.2 AA

Annual

Pen testing

UK-only

Data hosting

Accreditations

Our security posture.

Independently verified. Annually renewed. The complete picture of how we protect your patients’ data.

NCSC & GCHQ backed

CHECK Approved Pen Testing

Annual independent penetration testing by an NCSC-approved provider — real-world attack techniques tested against our systems every year.

Why it matters

Your patient data is tested against the same techniques real cybercriminals use.

UK Government certified

Cyber Essentials

The UK Government's baseline cyber security certification — firewalls, secure configuration, access controls, malware protection, patch management.

Why it matters

Mandatory for NHS digital suppliers. We meet the government-mandated baseline.

Above NHS standard

Highest UK cyber cert

Cyber Essentials Plus

The independently verified higher tier — accredited assessors actively test our systems, not just review them. The highest UK Government cyber certification available.

Why it matters

Most providers hold standard Cyber Essentials. We hold the independently verified version that exceeds NHS requirements.

NHS mandatory compliance

DSP Toolkit Accredited

Annual NHS Data Security and Protection Toolkit submission, measured against the National Data Guardian's 10 data security standards.

Why it matters

All NHS digital suppliers must achieve Standards Met. We complete this annually.

UK data protection law

GDPR Compliant

Patient data submitted through your website is processed lawfully, stored securely, and handled to strict data minimisation principles under UK GDPR.

Why it matters

Your practice is a data controller. We're a compliant data processor — that's the legal floor.

Information Commissioner's Office

ICO Registered

Registered with the UK's independent data protection regulator. A legal requirement for organisations that process personal data — independently verifiable.

Why it matters

Your practice can verify our registration directly with the ICO at any time.

NHS standards

Built to every NHS design standard.

Compliance isn’t just about security. Every website we build follows the NHS’s own design and content principles.

NHS Frontend Design

Built on the same design system used by NHS.UK itself. Patients experience a familiar interface they already recognise and trust.

Why it matters

Familiar design reduces friction and increases patient engagement.

NHS Content Guide

All content written and structured to NHS Content Guide standards — plain English, jargon-free, accessible to every literacy level.

Why it matters

NHS contractual requirements specify GP website content must meet these standards. Every page does.

NHS GP Website Benchmarking Tool

Every site we deliver is scored and optimised against the NHS's official measurement framework for GP website quality.

Why it matters

NHS England uses this to assess contractual compliance. Our sites score at the top of the framework.

NHS Usability & Accessibility Guide

NHS England's guidance on usable, accessible GP websites — navigation, page hierarchy, patient journeys, accessibility beyond the WCAG baseline.

Why it matters

Compliance isn't enough if patients can't use it. Our sites are designed around how patients actually behave.

Accessibility

WCAG 2.2 AA — the latest standard.

The current legal standard for public sector website accessibility. We build to it from day one.

WCAG 2.2 is the most recent version of the guidelines, introducing new requirements beyond the older 2.1 standard. Most GP website providers still reference 2.1. We build to 2.2 — keeping your practice ahead of the requirement.

Under the Public Sector Bodies Accessibility Regulations 2018, NHS GP practice websites are legally required to meet accessibility standards. Non-compliance puts your practice at risk of regulatory action and NHS contract breach.

Premium and Ultimate customers receive annual accessibility audits — independent verification that your site remains fully compliant as your content evolves.

Accessibility standard

WCAG 2.2 AA

  • Built to it from day one — not retrofitted
  • Independently audited annually (Premium & Ultimate)
  • Most providers still reference the older 2.1 standard

Infrastructure

Security in every layer.

Accreditations are the proof. Here’s how the platform is actually built and run.

Secure UK hosting

All websites are hosted exclusively on UK-based servers — patient data never leaves the United Kingdom. Enterprise-grade infrastructure with 99.9% uptime, redundant systems, and physical server security.

SSL encryption on every site

Every website includes a fully validated SSL certificate. All data transmitted between patients and your practice is encrypted in transit from day one. No exceptions.

Automated daily backups

Your website data is automatically backed up every day, stored securely and separately from the live environment. Full restoration available quickly in the event of any issue.

Proactive security patching

Our custom-built platform — not WordPress, not open-source — means we control the entire security patch cycle. Patches are applied proactively before vulnerabilities can be exploited.

Why it matters

Why our compliance level matters.

GP practices are data controllers. Choosing a website provider isn’t just a design decision — it’s a governance one.

GP practices are data controllers under UK GDPR. Every system you use to collect, store, or process patient data — including your website — must be operated by a compliant data processor.

Choosing a website provider isn’t just a design decision. It’s a governance decision. If your provider suffers a data breach or fails an accessibility audit, your practice faces ICO scrutiny, potential fines, and reputational damage alongside them.

Our accreditations are not marketing. They are independently verified, annually renewed proof that your digital front door is protected to the highest standards available in the UK.

| Feature | Tree View Designs | Typical provider |
| --- | --- | --- |
| CHECK Approved Pen Testing | Annual | Rarely |
| Cyber Essentials Plus | Certified | Basic only |
| DSP Toolkit | Annual | Not always |
| GDPR Compliance | Full | Partial |
| ICO Registered | Verified | Not always |
| UK-only hosting | Always | No |
| Custom-built platform | Full control | WordPress/open source |
| WCAG 2.2 AA | All sites | 2.1 only |
| NHS Benchmarking Tool | Every site | Rarely tested |
| Annual accessibility audit | Premium+ | No |

FAQ

Security and compliance, answered.

Get in touch

Questions about our security or compliance?

Tell us about your practice. We’re happy to discuss our accreditations, infrastructure, and data protection practices in detail — no jargon, just straight answers.