DTAC Compliant
A. Company Information
A1 | Provide the name of your company
Wellmind Health
A2 | Provide the name of your product
Be Mindful
A3 | Provide the type of product
Web-App
A4 | Provide the name and job title of the individual who will be the key contact at your organisation
Sarah Germaney, Account Director
A5 | Provide the key contact's email address
A6 | Provide the key contact's phone number
+44 (0)1273 325136
A7 | Provide the registered address of your company
168 Church Road, Brighton BN3 2DL UK
A8 | In which country is your organisation registered?
United Kingdom
A9 | If you have a Companies House registration in the UK please provide your number
04542911
A10 | If applicable, when was your last assessment from the Care Quality Commission (CQC)?
Not applicable
A11 | If applicable, provide your latest CQC report.
Not applicable
B. Value Proposition
B1 | Who is this product intended to be used for?
Patients
B2 | Provide a clear description of what the product is designed to do and of how it is expected to be used
Be Mindful is a web-based Mindfulness-based Cognitive Therapy (MBCT) program that guides participants through all the elements of MBCT in a minimum of 4 weeks. It is an asynchronous online program which can be followed on any internet connected device with a web-browser, including smart phones, tablets, laptops and computers.
B3 | Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated
The intended user benefits of the Be Mindful program are improvements in mental health with reductions in anxiety (GAD-7), depression (PHQ-9) and stress (PSS). These are achieved through mindfulness practice and cognitive behavioural approaches learnt throughout the program.
The effectiveness of the Be Mindful program is proven by published research studies in scientific journals. Studies validating user benefits are available on request.
B4 | Please attach one or more user journeys which were used in the development of this product. Where possible please also provide your data flows
Documentation of user journeys and data flows available on request.
C. Technical Questions
C1. Clinical Safety
Establishing that the product is clinically safe to use.
C1.1 | Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129?
Yes
C1.1.1 | Please detail your clinical risk management system
Clinical Risk Management System documentation available on request.
C1.1.2 | Please supply your Clinical Safety Case Report and Hazard Log
Clinical Safety Case Report and Hazard Log available on request.
C1.2 | Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details
John O’Dowd – Orthopaedic Spinal Surgeon GMC Registration reference number: 2601616
C1.3 | If your product falls within the UK Medical Devices Regulations 2002, is it registered with the Medicines and Healthcare products Regulatory Agency (MHRA)?
Yes
C1.3.1 | If yes, please provide your MHRA registration number
25845
C1.3.2 | If the UK Medical Device Regulations 2002 are applicable, please provide your Declaration of Conformity and, if applicable, certificate of conformity issued by a Notified Body / UK Approved Body
Declaration of Conformity available on request
C1.4 | Do you use or connect to any third-party products?
No
C1.4.1 | If yes, please attach relevant Clinical Risk Management documentation and conformity certificate
Not applicable
C2. Data Protection
Establishing that the product collects, stores and uses data (including personally identifiable data) compliantly.
C2.1 | If you are required to register with the Information Commissioner, please attach evidence of a current registration.
Evidence of registration with Information Commissioner is available on request.
C2.2 | Do you have a nominated Data Protection Officer (DPO)?
Yes
C2.2.1 | If you are required to have a nominated Data Protection Officer, please provide their name.
Willem Mulder, CTO
C2.3 | Does your product have access to any personally identifiable data or NHS held patient data?
No
C2.3.1 | Please confirm you are compliant (having standards met or exceeded status) with the annual Data Security and Protection Toolkit Assessment.
Yes, exceeded status.
C2.3.2 | Please attach the Data Protection Impact Assessment (DPIA) relating to the product.
DPIA available on request.
C2.4 | Please confirm your risk assessments and mitigations / access controls / system level security policies have been signed-off by your Data Protection Officer (if one is in place) or an accountable officer where exempt in question C2.2.
Yes
C2.5 | Please confirm where you store and process data (including any third-party products your product uses)
UK only
C2.5.1 | If you process store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation
Not applicable
C3. Technical Security
Establishing that the product meets industry best practice security standards and that the product is stable.
C3.1 | Please attach your Cyber Essentials Certificate
Cyber Essentials Plus certificate available on request.
C3.2 | Please provide the summary report of an external penetration test of the product that included Open Web Application Security Project (OWASP) Top 10 vulnerabilities from within the previous 12-month period.
Compliant external penetration test summary report available on request.
C3.3 | Please confirm whether all custom code had a security review.
Yes
C3.4 | Please confirm whether all privileged accounts have appropriate Multi-Factor Authentication (MFA)?
Yes
C3.5 | Please confirm whether logging and reporting requirements have been clearly defined.
Yes
C3.6 | Please confirm whether the product has been load tested
Yes
C4. Interoperability Criteria
Establishing how well the product exchanges data with other systems.
C4.1 | Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers?
Yes
C4.1.1 | If yes, please provide detail and evidence:
- The API’s (e.g., what they connect to) set out the healthcare standards of data interoperability e.g., Health Level Seven International (HL7) / Fast Healthcare Interoperability Resources (FHIR)
- Confirm that they follow Government Digital Services Open API Best Practice
- Confirm they are documented and freely available
- Third parties have reasonable access to connect
We expose a very basic public API - full access to and usage of this is only possible using one of three levels of secure access where applicable. It follows Government Digital Services Open API Best Practice and is fully-documented and freely available.
C4.2 | Do you use NHS number to identify patient record data?
No
C4.2.1 | If yes, please confirm whether it uses NHS Login to establish a user’s verified NHS number.
Not applicable
C4.3 | Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2)
Yes
C4.3.1 | If yes, please detail the standard
- SSL/TLS server certificates are Amazon issued, Public key: RSA 2048-bit, Signature algorithm: SHA256WITHRSA.
- Our AWS ELBs (Elastic Load Balancers) listen only for HTTPS connection requests.
- Elastic Load Balancing uses a security policy to negotiate SSL connections between a client and the load balancer. A security policy is a combination of protocols and ciphers that ensures that all data passed between the client and the load balancer is private. The ELBSecurityPolicy-2016-08 security policy is always used for backend connections. For front-end connections we selected AWS Load Balancer ELBSecurityPolicy-FS-1-2-Res-2019-08. This is the most re-strictive policy available. FS stands for Forward-Secrecy. This policy supports TLS 1.2 only and includes only ECDHE (PFS) and SHA256 or stronger (384) ciphers.
- ELBs do not support SSL renegotiation for client or target connections.
- We do NOT use oAuth.
C4.3.2 | If no, please state the reasons and mitigations, methodology and security measures.
Not applicable
C4.4 | Is your product a wearable or device, or does it integrate with them?
No
C4.4.1 | If yes, provide evidence of how it complies with ISO/IEEE 11073 Personal Health Data (PHD) Standards.
Not applicable
D. Key Principles for Success
D1. Usability and Accessibility
Establishing that the product has followed best practice.
D1.1 | Understand users and their needs in context of health and social care
Do you engage users in the development of the product?
Yes
D1.1.1 | If yes or working towards it, how frequently do you consider user needs in your product development and what methods do you use to engage users and understand their needs?
User needs and preferences in regard to accessibility and ease-of-use were a key focus for the design and launch of the Mindfulness-based Cognitive Therapy (MBCT) digital program in 2011. Since then, we have actively promoted several different means to ensure users give feedback about their experience including web-based forms at the end of learning modules. This feedback over the years has led to improvements to the user interface and the engagement related content of the program.
D1.2 | Work towards solving a whole problem for users
Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey?
Yes
D1.2.1 | If yes or working towards it, please attach the user journeys and/or how the product fits into a user pathway or journey
User journeys and data flow documentation available on request.
D1.3 | Make the service simple to use
Do you undertake user acceptance testing to validate usability of the system?
Yes
D1.3.1 | If yes or working towards it, please attach information that demonstrates that user acceptance testing is in place to validate usability.
Documentation demonstrating user testing and usability validation is available on request.
D1.4 | Make sure everyone can use the service
Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant?
Yes
D1.4.1 | Provide a link to your published accessibility statement.
D1.5 | Create a team that includes multi-disciplinary skills and perspectives
Does your team contain multidisciplinary skills?
Yes
D1.6 | Use agile ways of working
Do you use agile ways of working to deliver your product?
Yes
D1.7 | Iterate and improve frequently
Do you continuously develop your product?
Yes – there is continuous development to improve user experience and engagement with the core therapeutic content.
D1.8 | Define what success looks like and be open about how your service is performing
Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking?
Yes. The Be Mindful program has been shown to effectively deliver all elements of MBCT and has achieved exceptional mental health outcomes for users, which are demonstrated in published research studies by leading academic institutions.
D1.9 | Choose the right tools and technology
Does this product meet with NHS Cloud First Strategy?
Yes - using AWS cloud
D1.9.1 | Does this product meet the NHS Internet First Policy?
Yes
D1.10 | Use and contribute to open standards, common components and patterns
Are common components and patterns in use?
No
D1.10.1 | If yes, which common components and patterns have been used?
Not applicable
D1.11 | Operate a reliable service
Do you provide a Service Level Agreement to all customers purchasing the product?
Yes
D1.12 | Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers?
Yes
D1.12.1 | Please attach a copy of the information provided to customers
Performance report information available on request.
D1.12.2 | Please provide your average service availability for the past 12 months, as a percentage to two decimal places
See Uptime Robot for service availability
stats.uptimerobot.com/kgnRrckqgN