Multi-factor authentication enforced on every account. Session controls, lockout policies, credentialed referrer access — out of the box.
Built like clinical software should be built.
Self-hosted by design. Audit-traceable from the schema up. Identity hardened on every account. Compliance is a first-class feature, not a paid tier.
Two deployment options.
Both fully under your control.
No multi-tenant cloud. No shared databases. No third-party data processors sitting in the path of clinical records. You choose where the platform runs — and that decision is binding for the lifetime of the deployment.
Installed at your site on hardware sized for your caseload. Network-isolated where required. Suited to organisations that want absolute physical control over the data.
A single-tenant virtual server, provisioned in a UK data centre, managed by us on your behalf. No shared compute, no shared storage, no shared tenancy.
Where the operational model supports it, the platform can run without inbound internet — perfect for high-sensitivity environments or organisations with strict information governance.
Encrypted backups can be retained on your own infrastructure or routed to your nominated backup destination. We never hold the only copy.
Defensible by design.
Security and compliance are wired into the platform — not added as enterprise upsells. Every partner inherits the same baseline.
Every clinical access, modification, and authentication event is recorded to a tamper-evident audit trail.
Granular roles and scope-aware permissions. Therapists see their own caseload; coordinators see the full team; parents see their own child.
Encryption in transit, encryption at rest, and encrypted credentials for any sensitive secrets the platform must hold.
Data subject access, retention policies, consent capture and right-to-erasure flows — first-class workflows, not email chains.
Updates are signed, vetted, and rolled out on a schedule you approve. No silent code changes to the system that handles your records.
Built for the standards you’re already accountable to.
Nexus CMS is designed for organisations operating under UK clinical governance and Scottish-aligned care frameworks. The platform speaks the same language your regulators and partners do.
Lawful-basis tracking, retention schedules, subject rights and processor agreements — modelled in the data layer, not bolted onto a checklist.
Designed alongside Scotland’s Getting It Right For Every Child framework. SHANARRI-aware reporting where relevant.
Pathway models compatible with the Scottish Autism Strategy and the National Autism Implementation Team’s good-practice guidance.
Safeguarding flags and escalation paths designed to meet the expectations of Scottish child protection legislation.
Need-to-know access controls, justified data flows, and audit visibility — applied throughout.
DPIAs, breach workflows, and records of processing activity supported out of the box. Submit-ready when the regulator asks.
Want a deeper architecture brief?
We share a detailed technical and security overview with qualified prospects under NDA.