The short version. Willow is built on a serverless,
encryption-by-default architecture and stores the minimum data needed to
deliver the service. Most resident data lives on the resident's own device,
not on our servers. We use industry-standard hosting (Cloudflare) and
treat security as continuous work — not a one-off certification.
1. Architecture at a glance
- App on the device. The Willow app is the primary store for resident data — life-story content, photos, preferences. It's sandboxed by iOS / iPadOS / Android per OS conventions.
- Cloudflare Workers backend. A serverless API for the cross-device features (family invites, push notifications, family messages, video-call signalling). No long-lived servers, no administrator SSH, no database credentials on client devices.
- Cloudflare KV. Eventually-consistent key-value store for the small amount of state that needs to be shared between devices (family-member directory, message queue, push tokens, presence flags). All values are encrypted at rest by Cloudflare.
- Native push. Apple APNs and Google FCM deliver notifications. We never see message content in transit; only the tokens needed to address each device.
- Agora real-time. Video calls go peer-to-peer via Agora; neither Agora nor Nemora records or stores call streams.
2. Encryption
- In transit: TLS 1.2 or 1.3 for every connection between the apps, the Companion web app, and our backend.
- At rest: Cloudflare KV encrypts every value at rest; Cloudflare R2 (where used for photo storage) does the same.
- Tokens: Authentication tokens are short-lived JWTs (typically 60 seconds for video-call tokens, longer for device registration). We don't issue long-lived password credentials.
3. Authentication and access
- Family members join via an invite code sent by the resident's carer. Codes are single-use and expire automatically.
- Resident devices authenticate via a device-registration token stored in the platform's secure keystore.
- Nemora staff who can access infrastructure use individual accounts with two-factor authentication. Access is on a need-to-know basis and reviewed regularly.
4. Data minimisation
We collect the minimum needed to deliver the Service. Following this principle, our backend KV holds only:
- Family member name, relation and email (so a resident knows who's calling)
- Push notification tokens (so calls and messages reach the right device)
- The most recent 30 days of family messages
- Pending video-call signalling state (auto-deleted within 60 seconds of an answered or expired call)
- Aggregate counters for fraud-prevention and rate-limiting
We do not collect resident health information, GP details, medication, or any other sensitive medical data through the Willow service.
5. Code and supply chain
- Server-side code is reviewed before each deployment.
- Third-party libraries are pinned to known versions; we monitor for published CVEs and patch promptly.
- API keys for third-party services (Spotify, YouTube, Europeana, etc.) live in the Worker as Cloudflare secrets — never in client apps, never in source control.
- Mobile builds are signed with the standard Apple and Google mechanisms; signing keys are held in our secure keystore, not in the project repository.
6. Logging and monitoring
- Cloudflare access logs cover every request to the API and are retained briefly for security and abuse prevention.
- Worker logs capture deliberate, anonymised debug information; we do not log message content, family-member names, or other personal data.
- Crash reporting (anonymised stack traces, app version, device model) helps us fix bugs without ever including resident content.
7. Incident response
If we discover a security incident affecting personal data, we follow a documented response plan:
- Contain — isolate the affected service or credential.
- Assess — what was accessed, by whom, what's the impact.
- Notify — affected care-home customers within 48 hours (per our DPA); the ICO within 72 hours where the UK GDPR notification threshold is met.
- Remediate — patch the cause; rotate credentials; verify.
- Review — post-incident review and update controls.
8. Reporting a vulnerability
If you believe you've found a security vulnerability in any part of the Willow service, please tell us before disclosing it publicly.
- Email: info@nemorahealthcaresolutions.com with subject "Security disclosure"
- Please include: a clear description, reproduction steps, your name and a way to credit you (or a request to remain anonymous), and an indication of severity.
We commit to:
- Acknowledging your report within 2 working days.
- Providing an estimated remediation timeline within 10 working days.
- Not pursuing legal action against you for good-faith research that complies with our safe-harbour conditions: avoid privacy violations, data destruction and interruption of service, and do not access any data that is not your own.
- Crediting you publicly on this page (if you wish) once a fix is deployed.
9. Certifications and frameworks
Our roadmap on certifications:
- Cyber Essentials — certification target [QUARTER YEAR].
- Data Security and Protection Toolkit (DSPT) — for NHS-facing sales; registration target [QUARTER YEAR].
- DCB0129 (NHS Clinical Risk Management) — for any NHS Trust deployment; assessment as required by the deployment context.
We will update this page as certifications are obtained.
10. Contact
Security and trust enquiries:
info@nemorahealthcaresolutions.com
Vulnerability disclosures: subject "Security disclosure"