Digital Technology Assessment Criteria (DTAC) V2.0

Supplier: Amazon Web Services
Form Version: 2.0 (February 2026)
Date:

About DTAC V2.0 & How to Use This Tool

This form is version 2.0 and was last updated on 24 February 2026. Manufacturers must provide this form from 6 April 2026 when requested by health and care organisations.

The Digital Technology Assessment Criteria (DTAC) is the assessment framework for digital health technologies bringing together baseline standards and policies that apply to these products.

How to Use:

  • Step 1: Complete Sections A & B - Organisation details and value proposition
  • Step 2: Complete the Technical Assessment (Sections C & D)
  • Step 3: Review the Summary

Section A: Company Information

Non-assessed section - Information about your organisation and contact details

A1 - Company Name
A2 - Product Name
A3 - Version Number
A4 - Product Type
A5 - Key Contact Name and Title
A6 - Contact Email
A7 - Contact Phone
A8 - Registered Address
A9 - Country of Registration
A10 - Companies House / Charity / Reference Numbers
A11 - CQC Assessment Date (if applicable)
A12 - CQC Report (if applicable)

Section B: Value Proposition

Non-assessed section - Context of clinical, economic or behavioural benefits

B1 - Intended Use of Product
B2 - Product Description and Expected Use
Context question: High-level summary required
B3 - Intended Users, Benefits, and Validation
Context question: Include evaluation/clinical trials if applicable
B4 - Data Flows and User Journey Map
Supporting Information: Provide deployment diagrams, data flow documentation, user journey maps

DTAC Technical Assessment - Sections C & D

Section C1: Clinical Safety

Establishing that your product is clinically safe to use (DCB0129 compliance)

C1.1.1 - Does your DHT product, or any component within it, qualify as Software or Artificial Intelligence as a Medical Device under the UK Medical Devices Regulations 2002?
Supporting Information: If Yes, complete PAQ form for medical devices and proceed to C1.1.2. If No, skip to C1.2
Response:
C1.1.2 - Is your product classified as a standalone medical device?
Supporting Information: Read guidance on DCB0129/DCB0160 applicability. If Yes, proceed to Section C2. If No, continue to C1.2
Response:
C1.2 - Is your product designed to provide electronic information to influence, support or manage the real time or near real time direct care of patients/service users?
Supporting Information: Determines DCB0129 applicability. If Yes, skip C1.2.1 and proceed to C1.2.2. If No, provide justification in C1.2.1 then proceed to Section C2
Response:
C1.2.1 - Please provide a justification for why your product does not fall in scope of DCB0129
Supporting Information: Where manufacturer believes product not in scope, must provide justification considering standard terms
Response:
C1.2.2 - Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129?
Manual Input Required: Confirm clinical risk management compliance
Response:
C1.2.3 - Please detail your clinical risk management system
Manual Input Required: Provide documentation detailing the clinical risk management system
Response:
C1.2.4 - Please supply your Clinical Safety Case Report and Hazard Log
Manual Input Required: Must demonstrate how clinical risks identified, assessed, mitigated with current Hazard Log
Response:
C1.2.5 - Please provide the name of your Clinical Safety Officer (CSO), their profession and registration details
Manual Input Required: CSO must be: healthcare professional; knowledgeable in risk management; have sufficient responsibility and authority to ensure DCB0129 compliance
Response:

Section C2: Data Protection

UK GDPR compliance and data protection measures

C2.1 - If your organisation has or will have direct or remote access to any patient data or NHS systems, please confirm you are compliant (standards met or exceeded) with the annual DSPT assessment
AWS Information: AWS is registered with NHS Data Security and Protection Toolkit (DSPT)
Registration Number: 8JX11
Evidence Links: AWS DSPT Registration 8JX11
Response:
C2.2 - Does the product or service process any personal data or data about deceased individuals? (includes sub processors)
Supporting Information: If No role in operating/hosting and no access, may answer No. If Yes, continue to C2.2.1. If No, skip to Section C3
Response:
C2.2.1 - Please attach evidence of a current registration with the Information Commissioner's Office (ICO)
AWS Information: Amazon Web Services is registered with UK ICO for data protection compliance
Registration Number: ZA481902
Response:
C2.2.2 - Please attach the Data Protection Impact Assessment (DPIA) relating to the product
Supporting Information: Legal requirement under UK GDPR for high risk processing. Must cover: product summary, data fields list, data flows, security controls, technical/organisational measures, countries for storage/processing, controller arrangements, retention/disposal, processors/sub processors, risks
Manual Input Required: NHS England has DPIA template and guidance available
Response:
C2.2.3 - Provide a copy or link to your product's transparency information (privacy notice)
AWS Information: AWS provides comprehensive privacy information
Response:
C2.2.4 - Provide the relevant product terms and conditions regarding use of user data, end user licence agreement or equivalent
AWS Information: AWS Customer Agreement and Service Terms govern use
Response:
C2.2.5 - Please confirm where your product (including any third-party components) store and process data
AWS Information: AWS provides data residency controls allowing specification of AWS regions. All data can remain within UK/EU regions with no cross-border transfers unless configured
Response:
C2.2.6 - If you store or process data outside of the UK, please name the country and set out how the arrangements are compliant with current legislation
AWS Information: AWS has mechanisms for compliant international data transfers including Standard Contractual Clauses (SCCs) and EU-US Data Privacy Framework
Response:

Section C3: Cyber Security

Cyber security measures and standards compliance

C3.1 - Please attach your Cyber Essentials Certificate
AWS Information: AWS holds Cyber Essentials Plus certification for the UK
Evidence Links: AWS Cyber Essentials
AWS Artifact Reference: AWS Cyber Essentials Plus certificate available via AWS Artifact in AWS Console
Response:
C3.2 - Please confirm whether you have signed the Cyber Security Charter for Suppliers to the NHS
Evidence Links: NHS Cyber Security Charter
Response:
C3.3 - If the product is internet based or provided as a service accessible from the internet, please provide the summary report of an external penetration test that included OWASP Top 10 vulnerabilities from within the previous 12-month period
Supporting Information: Must be conducted within previous 12 months covering OWASP Top 10. Report should detail findings and remediation actions
Manual Input Required: Provide penetration test report including OWASP Top 10 vulnerabilities testing
Response:
C3.4 - Please confirm that software has been produced in adherence to the DSIT/NCSC Software Security Code of Practice and commits to meeting the principles
AWS Information: AWS services developed following secure SDLC practices aligned with NCSC guidelines
Response:
C3.5 - Please confirm you have a plan for implementing multi-factor authentication for all account types, preferably through identity federation
AWS Information: AWS supports MFA for all account types and provides identity federation via AWS IAM and Amazon Cognito
Evidence Links: AWS IAM MFA; Amazon Cognito
Response:
C3.5.1 - If applicable, please confirm that all supplier accounts with privileged access to the product have MFA enabled or equivalent MFA applied at the remote end
Response:
C3.6 - Please confirm whether logging and reporting requirements have been defined
AWS Information: AWS provides comprehensive logging via CloudWatch, CloudTrail, AWS Config
AWS Artifact Reference: Access AWS Artifact for logging and monitoring compliance documentation:
  • Amazon CloudWatch - Application and system monitoring
  • AWS CloudTrail - API call logging and audit trails
  • AWS Config - Configuration change tracking
  • Amazon GuardDuty - Threat detection logs
Response:

Section C4: Interoperability and Open Standards

API standards and NHS system integration

C4.1 - Does your product expose any Application Program Interfaces (API) or integration channels for other products relevant to the provision or administration of health or social care?
Supporting Information: If No, skip to C4.2
Response:
C4.1.1 - If yes, please confirm that these APIs use appropriate international or industry standards for interoperability. Please list these and explain why they are appropriate
AWS Information: AWS HealthLake supports HL7 FHIR R4, HL7 v2, DICOM standards
Response:
C4.1.2 - Please confirm these APIs both: follow GDS Open API Best practice guidance, and are openly documented and freely available to third parties
Evidence Links: GDS API Standards
Response:
C4.1.3 - If you are unable to confirm your APIs meet the previous criteria, please set out the basis on which your APIs are documented and made available to third parties
Response:
C4.2 - Is your product intended to share or receive data from national or local systems for managing or delivering patient care or for other administrative purposes where a patient identity is relevant?
Supporting Information: If No, skip remaining questions in this section and proceed to Section D
Response:
C4.2.1 - Is your product capable of using the NHS number to identify patient data when exchanging data?
Response:
C4.2.2 - Does your product integrate to either the NHS Personal Demographics Service, or to other local record systems to establish/validate the patient NHS number?
Response:
C4.2.3 - If you have answered No to either C4.2.1 or C4.2.2 please set out the approach taken to identify patient records that ensures correct identification and data quality
Response:
C4.2.4 - If the product is to be used directly by patients, do you use NHS login to verify the identity of and authenticate the user?
Evidence Links: NHS login
Response:
C4.2.5 - If the product is to be used by public health or adult social care organisations, does your product support compliance with DAPB3051 standard for identity verification and authentication?
Response:
C4.2.6 - If you are not using NHS login to authenticate the user, please set out your approach to authenticating the user and what data protection measures are in place
AWS Information: Amazon Cognito provides secure user authentication with MFA support
Evidence Links: Amazon Cognito
Response:

Section D: Usability and Accessibility

Scored section - Usability and accessibility principles

D1.1 - Provide information about how the product is used or fits into existing systems (e.g., care pathways). Provide user journey demonstrating how the product fits into care pathway or user journey, or information about product use
Supporting Information: Provide documentation showing how product fits into care pathways. Could include user journey maps, workflow diagrams, instructions for use
Manual Input Required: Provide user journey maps, workflow diagrams, or instructions for use
Response:
D1.2 - Do you undertake testing with intended users to validate the product's usability?
Response:
D1.3 - Please confirm that you have read the Accessible Information Standard and considered how its requirements should be reflected in the design of your product
Response:
D1.4 - Is your product a web or mobile application?
Supporting Information: If No, skip remaining questions in this section
Response:
D1.4.1 - If your product is a web or mobile application, does it comply with the Web Content Accessibility Guidelines (WCAG) 2.2 scoring AA or higher?
Response:
D1.4.2 - Please set out the timescale by which you plan to obtain WCAG 2.2 AA
Supporting Information: If selected "A plan and timeline" in previous question, provide timeline here
Response:
D1.4.3 - Provide a link to your published accessibility statement
Supporting Information: Required for public sector bodies and recommended for all digital services
Response:
D1.5 - Please provide your average service availability for the past 12 months, as a percentage to two decimal places
AWS Information: AWS provides Service Level Agreements (SLAs) with high availability guarantees. Most AWS services have SLAs of 99.9% or higher
Response:
