SwiftCase hosts production data, documents, and backups in UK data centres. Built for healthcare, financial services, legal, and public sector buyers who need a straight answer to “where does our data live?”
Our commitments
Four plain-language commitments your DPO, CISO, and procurement team can verify in the DPA.
Production case data, documents, attachments, and backups are hosted in UK data centres. Not routed through US or APAC regions. Not replicated to jurisdictions with different data laws.
Your data is not transferred outside the UK as part of normal service delivery. Where any transfer is unavoidable (for example, a specific integration you choose to enable), it is disclosed up front.
Our sub-processor list is short and UK or EU-based. You are notified before any new sub-processor is added so your DPO can review before it goes live.
A GDPR Article 28-compliant Data Processing Agreement is available before contract signing. Sub-processor list, retention, and deletion commitments are all covered in writing.
Why it matters
“Our data never leaves the UK” is not just a marketing line — it removes whole categories of legal, procurement, and audit work from your plate.
The Schrems II ruling invalidated Privacy Shield and raised the bar for lawful transfers of personal data outside the UK and EU. Many US-hosted SaaS tools rely on Standard Contractual Clauses plus supplementary measures. For regulated data, that calculation is harder than it looks.
Under UK GDPR, you remain the controller of your data — including where it is stored and who can access it. The ICO expects you to have done a meaningful transfer risk assessment before moving personal data out of the UK. Staying in the UK removes the question.
NHS Data Security and Protection Toolkit, FCA operational resilience rules, SRA confidentiality obligations, and NCSC guidance for public sector all push in the same direction: understand where your data lives, who touches it, and what law applies when it gets there.
Security questionnaires increasingly ask "is any data stored, processed, or accessible from outside the UK?" A clean yes-or-no answer shortens procurement cycles. A complicated answer lengthens them.
Who this matters most for
Patient-identifiable data, referrals, and clinical workflows. DSPT expectations, caldicott principles, and CQC oversight all make UK hosting the path of least resistance.
Claims, policy admin, complaints, and suitability records. FCA operational resilience and Consumer Duty reviews want to see clear data location and recovery answers.
Matter files, privileged correspondence, and expert reports. SRA Principle 6 and client confidentiality are simpler to evidence when the hosting stays in the UK.
Central and local government bodies, housing associations, and regulated charities working with vulnerable people. UK hosting aligns with NCSC guidance and public procurement expectations.
The DPO’s checklist
The same questions most procurement teams ask, with the answers a UK-hosted platform and a US-hosted platform typically give.
Comparison is indicative of how US-hosted SaaS tools typically describe their data location in procurement questionnaires. Always confirm specifics with any vendor you are evaluating.
Where UK sovereignty needs a footnote.
If you choose to connect SwiftCase to a third-party tool — a CRM, an AI provider, a messaging platform — that tool’s own data location applies. We surface this up front so you can make the call before turning it on.
Once you export data from SwiftCase — to email, Excel, or your own systems — what happens next is outside the platform’s control. Audit logs record the export itself.
This page describes how SwiftCase is hosted. It is not legal advice on your own obligations under UK GDPR, sector rules, or international transfers. Your DPO still makes the call on your specific use case.
DPO questions
The six questions that come up in nearly every vendor assessment, answered for SwiftCase.
No. Production data, attachments, and backups are hosted in UK data centres. Any exception — for example, an optional third-party integration you choose to enable — is disclosed before you turn it on.
Our sub-processor list is UK or EU based. The current list is available on request and you are notified before any change.
No. Because data stays in the UK for normal operation, SCCs are not the primary transfer mechanism. This materially shortens the transfer risk assessment a DPO needs to complete.
Access is limited to named SwiftCase staff based in the UK, under role-based access control and audit logging. Every access event is logged.
You can export in CSV, JSON, or XML at any time. On termination, data is deleted under the retention terms in the DPA with a certificate of destruction available on request.
Yes. The Article 28 DPA is available pre-contract so your DPO and legal team can review alongside the security documentation.
We can send the DPA, current sub-processor list, and security summary to your DPO or procurement team before you commit to anything.
