SchemeServe is hosted on Microsoft Azure infrastructure within the United Kingdom.

Online data is primarily stored in the Azure UK South data centre, with an additional geo-redundant replica located in the Azure UK West data centre. This architecture provides resilience by ensuring that services and data are not dependent on a single physical location.

Using geographically separated data centres helps protect the platform from infrastructure failures and improves service continuity.

SchemeServe maintains multiple layers of database backups to ensure that data can be recovered quickly in the event of an incident.

Key backup features include:

• Point-in-time recovery for databases, allowing restoration to within 1 second of data loss
• Continuous backup storage in Azure UK South and Azure UK West
• Weekly full backups stored across multiple locations
• Additional backup copies stored in Amazon UK South
• All backups are encrypted both in transit and at rest.

Recovery procedures are regularly tested as part of SchemeServe's business continuity process, with full database recovery verified from backup sources within four hours.

Actual downtime in a recovery scenario will depend on the specific cause and circumstances of the incident.

SchemeServe includes comprehensive auditing capabilities that track system changes and user activity.

Audit logs allow administrators to review:

• Log ins
• Changes made to schemes, rules, insurers, and configuration
• Updates performed by specific users
• System events across a defined time period
• Individual policies also include an activity log, which provides a timeline of actions such as:
• Clearing referrals
• Putting a policy on cover
• Policy updates or administrative actions

These logs help provide accountability, transparency, and easier troubleshooting.

See: Audit Logs and Activity Tracking

Access to SchemeServe is controlled using role-based user permissions.

Each user is assigned a user type, which determines what areas of SchemeServe they can access and what actions they can perform.

This structure ensures users only have access to the functions and data required for their role, helping to protect sensitive configuration and policy information.

SchemeServe enforces secure account authentication practices to protect user accounts.

Security measures include:

• Password strength requirements
• Secure login over encrypted connections
• Multifactor authentication
• Controlled user account creation and management

Users are responsible for maintaining the security of their login credentials and ensuring that access to accounts is restricted to authorised individuals.

See also: Password Strength

All data transmitted between users and SchemeServe is protected using secure HTTPS/TLS encryption.

In addition:

• Database storage is encrypted at rest
• Backups are encrypted both at rest and during transfer

These measures ensure that sensitive data remains protected while being stored and transmitted.

SchemeServe maintains a business continuity and disaster recovery process to ensure service reliability.

This includes:

• Redundant cloud infrastructure
• Automated database backups
• Tested recovery procedures
• Support processes for responding to incidents

These controls are designed to minimise service disruption and ensure that systems can be restored quickly if required.

SchemeServe is continuously monitored to detect system issues and maintain service availability.

Monitoring processes allow the team to:

• Identify infrastructure or performance issues
• Respond quickly to potential incidents
• Maintain platform reliability and uptime

Any incidents are handled according to internal operational procedures and support escalation processes.

For security and compatibility reasons, SchemeServe supports modern web browsers that receive regular security updates.

Using supported browsers ensures that SchemeServe benefits from the latest security patches and encryption standards.

SchemeServe’s infrastructure and operational processes are designed to align with a number of recognised security and regulatory frameworks. These include:

• GDPR (General Data Protection Regulation)
• HIPAA for health data protection in the United States
• FedRAMP for cloud security
• SOC 1 and SOC 2 control frameworks
• UK G-Cloud compliance for government procurement environments. 
  
  Alignment with these frameworks reflects SchemeServe’s commitment to maintaining recognised standards for security, data protection, and regulatory compliance.

SchemeServe's security and quality standards:

• ISO 27001 – Information Security Management
• ISO 9001:2015 – Quality Management
• GDPR compliance
• Alignment with SOC 1 / SOC 2, FedRAMP, HIPAA, and UK G-Cloud frameworks