Digital Technology Assessment Criteria (DTAC)

Supplier: Amazon Web Services (AWS)
Assessment Date:

How to Use This DTAC Assessment Tool

This interactive tool helps you complete NHS DTAC (Digital Technology Assessment Criteria) assessments for AWS-based solutions.

Step 1: Complete Front Page (Sections A & B)

  • Enter your organization details (pre-filled with AWS defaults)
  • Describe your solution and target users
  • Select AWS services from the checklist - responses will update automatically
  • Choose your AWS region (default: London)
  • All data auto-saves as you type

Step 2: Complete Technical Assessment

  • Grey "AWS Information:" boxes: Pre-filled AWS compliance answers (dynamically updated based on your service selections)
  • Blue "Evidence Links": Official AWS documentation and certifications
  • Green "AWS Artifact Reference": Compliance reports available in AWS Console
  • Orange "Manual Input Required": Information you need to provide
  • White "Response:" boxes: Your customized answers (edit the pre-filled text or add your own)

Step 3: Review & Download

  • Click "View Summary" to review all completed responses
  • Download complete assessment as TXT file for submission
  • Navigate between pages using the top navigation buttons

💡 Tip: Select your AWS services first - this will automatically customize the technical responses to match your architecture!

Section A: Supplier Information

A1: Organization Details

Response:

A2: Contact Information

A3: Company Registration

Section B: Solution Overview

B1: Solution Description

Response:

B2: Target Users

Response:

B3: Technical Architecture

Response:

Compute Services

Storage Services

Database Services

Healthcare & AI/ML Services

Security & Identity Services

Networking & Content Delivery

Analytics & Data Processing

Management & Monitoring

Integration & Messaging

Other Services

B5: Integration Points

Response:

DTAC Technical Assessment

Assessment for: AWS Cloud Services Implementation

How to Complete This Assessment

  • Evidence: Official AWS/NHS documentation provided
  • AWS Artifact: Access via AWS Console for compliance docs
  • Manual Input: Documentation you need to provide

Section C1: Clinical Safety

C1.1.1 - Does your organization have a clinical risk management system that complies with DCB0129?
Manual Input Required: Please provide evidence of your clinical risk management system and DCB0129 compliance documentation.
Response:
C1.1.2 - Have you produced a Clinical Safety Case Report in line with DCB0129?
Manual Input Required: Please enter your Clinical Safety Case Report and Hazard Log details.
Response:
C1.1.3 - Have you appointed a suitably qualified Clinical Safety Officer?
Manual Input Required: Please provide details of your Clinical Safety Officer including qualifications and certification.
Response:

Section C2: Data Protection, Privacy & Confidentiality

C2.1 - Is your organization registered with the Information Commissioner's Office (ICO)?
AWS Information:
Amazon Web Services is registered with the UK Information Commissioner's Office for data protection compliance.
Manual Input Required: Please provide your organization's ICO registration number and certificate if different from AWS.
Response:
C2.2 - Have you completed a Data Protection Impact Assessment (DPIA)?
Manual Input Required: Please enter your completed DPIA details for this system.
Response:
C2.5 - How do you ensure GDPR compliance for data processing?
AWS Information:
AWS provides comprehensive GDPR compliance features including data residency controls, encryption, and data processing agreements. All data can be stored within the UK/EU regions with no cross-border transfers unless explicitly configured.
Response:
C2.6 - What encryption standards do you use for data at rest and in transit?
AWS Information:
AWS implements industry-standard encryption:
  • Data at Rest: AES-256 encryption for all storage services (S3, EBS, RDS)
  • Data in Transit: TLS 1.2+ for all communications
  • Key Management: AWS KMS with customer-managed keys available
Response:

Section C3: Security

C3.1 - Does your organization have Cyber Essentials or Cyber Essentials Plus certification?
AWS Information:
AWS holds Cyber Essentials Plus certification for the UK.
Manual Input Required: Please provide your organization's Cyber Essentials certificate and expiry date if different from AWS.
Response:
C3.2 - What security frameworks and standards do you comply with?
AWS Information:
AWS maintains compliance with multiple security frameworks:
  • ISO/IEC 27001 (Information Security Management)
  • ISO/IEC 27017 (Cloud Security)
  • ISO/IEC 27018 (Privacy in Cloud)
  • SOC 1, SOC 2, and SOC 3
  • PCI DSS Level 1
  • Cyber Essentials Plus (UK)
  • NHS Data Security and Protection Toolkit (DSPT) Ready
AWS Artifact Reference: Access AWS Artifact via the AWS Console to download compliance reports and certifications:
  • Navigate to AWS Console → AWS Artifact
  • Download ISO 27001, ISO 27017, ISO 27018 certificates
  • Access SOC 1, SOC 2, SOC 3 reports
  • View PCI DSS attestation
Response:
C3.3 - How do you detect and respond to security threats?
AWS Information:
AWS provides comprehensive threat detection and response capabilities through integrated security services that continuously monitor for threats, vulnerabilities, and suspicious activities across your infrastructure.
AWS Artifact Reference: Access AWS Artifact via the AWS Console to review security compliance documentation:
  • Amazon GuardDuty - Intelligent threat detection
  • AWS Security Hub - Centralized security findings
  • Amazon Inspector - Automated security assessments
  • AWS Config - Configuration compliance monitoring
  • CloudWatch & CloudTrail - Logging and monitoring
Download relevant compliance reports from AWS Artifact for evidence of these security controls.
Response:
C3.4 - What are your backup and disaster recovery procedures?
AWS Information:
AWS provides robust backup and disaster recovery capabilities with automated backup services, cross-region replication, and multiple availability zones for high availability.
AWS Artifact Reference: Access AWS Artifact via the AWS Console for disaster recovery compliance documentation:
  • AWS Backup - Centralized backup management
  • Multi-AZ deployments for high availability
  • Cross-region replication options
  • Point-in-time recovery capabilities
  • Disaster Recovery strategies (Pilot Light, Warm Standby, Multi-site)
Response:
C3.6 - How do you manage patching and vulnerability management?
AWS Information:
AWS provides comprehensive patching and vulnerability management capabilities for both infrastructure and applications.
AWS Artifact Reference: Access AWS Artifact via the AWS Console to review your patching and vulnerability management compliance:
  • AWS Systems Manager Patch Manager - Automated patching
  • Amazon Inspector - Vulnerability scanning and assessment
  • AWS Security Hub - Patch compliance monitoring
  • Maintenance windows and schedules
  • Patch baselines and approval workflows
Note: AWS automatically patches underlying infrastructure. You maintain control over OS and application patching schedules. Download patch management compliance reports from AWS Artifact.
Response:
C3.7 - How do you protect against network-based attacks?
AWS Information:
AWS provides multiple layers of network security to protect against DDoS, intrusion attempts, and other network-based threats.
AWS Artifact Reference: Access AWS Artifact via the AWS Console to review network security compliance documentation:
  • Amazon VPC - Network isolation and segmentation
  • AWS WAF - Web Application Firewall
  • AWS Shield - DDoS protection (Standard included, Advanced available)
  • Network ACLs and Security Groups
  • AWS Network Firewall - Advanced threat protection
Response:

Section C4: Interoperability & Open Standards

C4.1 - What interoperability standards does your solution support?
AWS Information:
AWS healthcare services support major healthcare interoperability standards including HL7 FHIR, HL7 v2, and healthcare-specific APIs for seamless integration with NHS systems.
Response:
C4.2 - Do you support HL7 FHIR standards?
AWS Information:
AWS HealthLake provides native support for HL7 FHIR R4, enabling standardized healthcare data exchange and integration with NHS systems. HealthLake can ingest, store, and query FHIR resources at scale.
Response:
C4.3 - Do you support SNOMED CT clinical terminology?
AWS Information:
AWS Comprehend Medical provides support for medical terminologies including SNOMED CT. It can detect and link medical entities to SNOMED CT codes, enabling standardized clinical documentation aligned with NHS requirements.
Response:
C4.4 - What APIs do you provide for integration?
AWS Information:
AWS provides comprehensive API support for healthcare integration:
  • RESTful APIs via Amazon API Gateway
  • HL7 FHIR APIs through AWS HealthLake
  • GraphQL support via AWS AppSync
  • Event-driven integration via Amazon EventBridge
  • Real-time data streaming via Amazon Kinesis
Response:

Section B4: Service User Journeys

B4.1 - Have you mapped out user journeys for all user types?
Manual Input Required: Please provide user journey maps for all user types (clinicians, patients, administrators).
Response:
B4.2 - How have you involved users in the design process?
Manual Input Required: Please provide evidence of user involvement in design (workshops, interviews, testing sessions).
Response:

Section D1: Usability & Accessibility

D1.1 - Have you conducted user research with NHS staff and patients?
Manual Input Required: Please provide documentation of user research activities and findings.
Response:
D1.2 - Have you tested the system with representative users?
Manual Input Required: Please provide User Acceptance Testing (UAT) reports and feedback.
Response:
D1.3 - Does your solution meet WCAG 2.1 Level AA accessibility standards?
AWS Information:
AWS provides services and tools that support building accessible applications compliant with WCAG 2.1 Level AA. The AWS Management Console itself meets WCAG 2.0 Level AA standards.
Manual Input Required: Please provide your WCAG 2.1 accessibility audit report for your specific application built on AWS.
Response:
D1.4 - Is your solution compatible with assistive technologies?
AWS Information:
AWS services support development of applications compatible with assistive technologies including screen readers, keyboard navigation, and voice control.
Manual Input Required: Please provide evidence of assistive technology testing for your application.
Response:
D1.9 - Do you comply with UK healthcare regulations?
AWS Information:
AWS supports compliance with UK healthcare regulations and international standards. AWS UK regions comply with NHS Digital standards, UK GDPR, Data Protection Act 2018, and can support DCB0129/0160 compliance.
AWS Artifact Reference: Access AWS Artifact via the AWS Console to download UK compliance documentation including GDPR and data protection certifications.
Evidence Links: → AWS UK Data Protection
Response:
D1.10 - How do you ensure system reliability and resilience?
AWS Information:
AWS is designed with multiple layers of redundancy and follows the AWS Well-Architected Framework for reliability, including multi-AZ deployments, automated failover, and self-healing infrastructure.
Response:
D1.11 - What are your service level agreements (SLAs)?
AWS Information:
AWS provides comprehensive SLAs for all major services, typically guaranteeing 99.9% to 99.99% uptime depending on the service and configuration. Multi-AZ deployments can achieve higher availability.
Manual Input Required: Please provide your organization's SLA document for services built on AWS.
Response:
D1.12 - What is your system's performance and response time?
Manual Input Required: Please provide performance metrics and response time data for your specific application.
Response:
D1.12.2 - What is your system's availability track record?
AWS Information:
AWS maintains a strong track record of high availability across all regions. Historical uptime data is available in the AWS Service Health Dashboard.
Manual Input Required: Please provide availability reports for your specific application over the past 12 months.
Response:

Section D2: Training & Support

D2.1 - What training do you provide for NHS staff?
AWS Information:
AWS provides comprehensive training resources through AWS Training and Certification, including healthcare-specific courses and the AWS Well-Architected Labs.
Manual Input Required: Please describe your organization's specific training program for NHS staff using your AWS-based solution.
Response:
D2.2 - What support channels do you offer?
AWS Information:
AWS provides multiple support tiers (Basic, Developer, Business, Enterprise) with 24/7/365 support for critical issues on Business and Enterprise plans. Support includes technical account managers, AWS Health Dashboard, and direct access to AWS support engineers.
Manual Input Required: Please describe your organization's support model for NHS users.
Response:
