Compliance Statement
Effective Date: February 2026
Version: 1.0
Our Commitment to Compliance and Responsible AI
NestaDev Ltd is committed to delivering the ELSA platform with the highest standards of quality, security, and responsible artificial intelligence governance.
We recognise that our customers, who are predominantly health and social care providers serving vulnerable populations, require absolute confidence in the systems they use to manage bids, policies, and strategic decisions.
This Compliance Statement outlines our adherence to internationally recognised best practices and regulatory requirements governing AI systems, information security, and quality management.
Our AI Best Practice Implementation Strategy
NestaDev has implemented a comprehensive Artificial Intelligence Management System to ensure the responsible development, deployment, and use of AI systems within ELSA. Our AI governance framework establishes clear policies, objectives and processes to ensure:
Responsible AI Development: AI features within ELSA are developed using ethical principles, with clear accountability for AI outputs and decision-making processes.
Risk Management: We conduct systematic AI risk assessments throughout the AI lifecycle, identifying potential harms including bias, inaccuracy, data privacy risks, and unintended consequences.
Impact Assessment: All AI features undergo comprehensive impact assessments evaluating consequences for individuals, organisations, and society, with particular attention to fairness and non-discrimination.
Continuous Improvement: Our AI management system is subject to regular monitoring, testing, and improvement cycles to maintain accuracy, fairness, and security.
Transparency and Explainability: We provide clear documentation of how AI features work, their limitations, and appropriate use cases to ensure customers can make informed decisions.
AI Risk and Impact Assessment Process
Our comprehensive risk management approach includes:
1. Data Protection Impact Assessments: Conducted before deploying new AI features involving personal data, evaluating privacy risks and mitigation strategies.
2. Quarterly Bias and Fairness Audits: Systematic analysis of model outputs across service types, geographies, and provider characteristics to identify and address potential discrimination.
3. Documented Risk Treatment Plans: Clear mitigation strategies for all identified risks, with regular monitoring and review.
4. Human Oversight Requirements: AI outputs are advisory only and require human review before use in any decision-making process.
5. Incident Response Procedures: Established protocols for AI-related issues including inaccuracy, bias, security concerns, or misuse.
Information Security Management
NestaDev has established a comprehensive Information Security Management System to protect customer data and ensure the confidentiality, integrity, and availability of information.
Information Security Controls
Our security framework implements rigorous controls across all areas:
Access Control and Authentication
Multifactor Authentication: Required for all administrative and privileged access to systems and data.
Cryptography and Data Protection
Encryption in Transit: All data transmitted over networks is protected using TLS 1.3 or higher encryption standards.
Encryption at Rest: Customer data is encrypted using AES-256 encryption or equivalent industry-standard cryptography.
Key Management: Cryptographic keys are securely generated, stored, and rotated according to industry best practices.
Network and Infrastructure Security
Secure Architecture: Cloud infrastructure hosted with security-certified providers; network segmentation and firewalls implemented throughout.
Vulnerability Management: Regular vulnerability scanning, penetration testing, and security patch management processes.
Security Monitoring: 24/7 security monitoring with automated alerting for potential security incidents and anomalies.
Incident Management
Incident Response Plan: Documented procedures for detecting, responding to, and recovering from security incidents.
Breach Notification: Commitment to notify affected customers within 72 hours of confirmed data breach in accordance with data protection law.
Business Continuity: Backup and disaster recovery procedures tested regularly to ensure service continuity.
Risk Assessment and Treatment
Our security risk management approach includes:
1. Systematic information security risk assessments considering threats, vulnerabilities, and potential impacts to confidentiality, integrity, and availability.
2. Implementation of risk treatment plans addressing unacceptable risks through controls, risk avoidance, risk transfer, or informed acceptance.
3. Regular review and update of risk assessments at planned intervals or when significant changes occur.
4. Maintained documented evidence of risk assessment results and treatment decisions for accountability and audit purposes.
Quality Management System
NestaDev operates a comprehensive Quality Management System to ensure consistent delivery of high-quality products and services that meet customer expectations.
Our quality management approach is built on established principles:
Quality Management Principles
Customer Focus
Understanding and meeting customer requirements and expectations through regular engagement.
Continuous customer satisfaction monitoring through surveys, feedback mechanisms, and support ticket analysis.
Ongoing improvement based on customer input and evolving needs in the health and social care sector.
Process Approach
1. Clearly defined processes for AI development, testing, deployment, and ongoing monitoring.
2. Process ownership with clear accountability for monitoring performance and reporting results.
3. Comprehensive workflow documentation ensuring consistent execution and quality outputs.
Evidence-Based Decision Making
1. Data-driven decisions supported by performance metrics, testing results, and customer feedback analysis.
2. Regular management reviews of system effectiveness and identification of improvement opportunities.
3. Thorough documentation and record-keeping supporting analysis and continuous improvement initiatives.
Quality Assurance Measures for AI Features
ELSA AI features undergo rigorous quality assurance processes throughout their lifecycle.
Documentation and Records
We maintain comprehensive records supporting quality management:
Quality policy and objectives approved and communicated by executive leadership.
Process documentation including detailed procedures, work instructions, and process flowcharts.
Records of staff training, skills development, experience, and professional qualifications.
Product and service specifications and requirements documentation.
Internal audit programmes, findings, and corrective actions.
Customer satisfaction monitoring results and feedback trend analysis.
Data Protection and Privacy
Lawful Basis and Data Protection Principles
NestaDev processes personal data in strict accordance with applicable data protection law. We process personal data based on appropriate lawful grounds:
Contract Performance: Processing necessary to deliver ELSA services to customers.
Legitimate Interests: Service improvement, security monitoring, and fraud prevention where balanced against data subject rights.
Legal Obligations: Compliance with statutory requirements including financial regulations and security obligations.
Consent: Where appropriate, particularly for optional marketing communications and non-essential analytics.
All processing adheres to core data protection principles:
1. Lawfulness, Fairness, and Transparency: Processing based on lawful grounds with clear privacy information provided to individuals.
2. Purpose Limitation: Data collected for specified, explicit, and legitimate purposes only.
3. Data Minimisation: Only data adequate, relevant, and necessary for stated purposes is collected.
4. Accuracy: Reasonable steps taken to ensure data accuracy and enable prompt corrections.
5. Storage Limitation: Data retained only as long as necessary for stated purposes.
6. Integrity and Confidentiality: Appropriate security measures protect data against unauthorised access, loss, or damage.
7. Accountability: We demonstrate compliance through comprehensive documentation, policies, and procedures.
Data Subject Rights
We fully support data subject rights, including those listed below. All requests are responded to within one month of receipt, with extensions communicated where necessary.
1. Right of Access: Individuals can request copies of their personal data.
2. Right to Rectification: Individuals can request correction of inaccurate data.
3. Right to Erasure: Individuals can request deletion of data in certain circumstances.
4. Right to Restrict Processing: Individuals can request limitation of processing in certain circumstances.
5. Right to Data Portability: Individuals can request data in machine-readable format for transfer.
6. Right to Object: Individuals can object to processing based on legitimate interests or for direct marketing.
Health and social care data processed through ELSA may constitute special category data requiring enhanced protection. We implement appropriate safeguarding measures.
Supporting Regulatory Compliance
We also recognise that many customers are registered care providers or work with regulated organisations in the health and social care sector. ELSA is designed to support, not replace, regulatory compliance obligations.
While NestaDev is not directly subject to health sector-specific data security frameworks, we have reviewed relevant expectations and align our security practices accordingly. We are completely transparent about ELSA's capabilities and limitations.
Policy Templates: Based on established regulatory standards and frameworks for care quality; however, customers must verify alignment with their specific context, services, and registration requirements.
Advisory Tool: ELSA provides decision-support and draft content; customers retain full responsibility for compliance with all applicable regulations, local authority expectations, and safeguarding requirements.
No Automated Decision-Making: ELSA does not make decisions about individuals or service provision; all outputs require human review and approval before use.
Draft/Advisory Only: All AI-generated content (bids, policies, recommendations) must be reviewed and validated by customer staff before submission or use.
Potential for Error: AI models can produce inaccurate, biased, or irrelevant outputs; customers are responsible for identifying and correcting errors.
Not a Professional Substitute: ELSA is not a substitute for professional judgement in clinical, safeguarding, or regulatory decisions.
Organisational Use Only: ELSA is designed for organisational strategy and compliance, not for determining individual care, eligibility, or access decisions.
Human Oversight Required: Every step of the bid process, policy development, or strategic decision should include human review and approval.
We maintain comprehensive records supporting accountability and governance:
Customers may request evidence of our governance practices. We commit to cooperating with independent audits subject to appropriate confidentiality agreements.
Third Party Suppliers and Sub-Processors
NestaDev carefully selects and manages third-party suppliers and sub-processors to ensure they meet our standards for security, data protection, and quality.
Cloud infrastructure is hosted with security-certified providers meeting or exceeding recognised security standards.
All sub-processors processing customer personal data are subject to Data Processing Agreements meeting applicable data protection requirements.
All our sub-processors are thoroughly assessed for security practices, data protection compliance, and financial stability before engagement.
Regular reviews of sub-processor performance and compliance are conducted. Customers are informed of sub-processors and notified of any changes with opportunity to object.
This Compliance Statement and all associated policies are reviewed annually by our executive leadership team.
For questions, concerns, or requests regarding compliance, data protection, AI governance, or security:
NestaDev Ltd
311 Ancoats Garden
M4 5GH
Manchester, United Kingdom
Data Protection Officer / Data Protection Lead
Email: support@nestadev.com
Phone: 07442279106
Regulatory Authority:
Customers may contact the Information Commissioner's Office regarding data protection concerns:
Website: https://ico.org.uk
Helpline: 0303 123 1113
NestaDev is committed to achieving formal third-party certification for our management systems against internationally recognised standards.
Implementation of all management systems is complete, with independent certification audits scheduled for 2026.
Next Review: February 2027
Building the infrastructure for the next generation of health and social care providers.