Vulnerability Disclosure Policy
We take the security of our platform seriously. If you believe you have found a security vulnerability in any RxSure or QASTCO Limited system, we encourage you to report it to us responsibly.
How Does RxSure Protect Patient Data?
RxSure employs multiple layers of security to safeguard patient data at every stage of the prescribing workflow. All data transmitted between patients, prescribers, and our servers is encrypted using TLS 1.3, and data at rest is protected with AES-256 encryption. The platform is hosted on infrastructure that meets NHS Data Security and Protection Toolkit standards, and we maintain full compliance with the UK General Data Protection Regulation (UK GDPR) as enforced by the Information Commissioner's Office (ICO). Access controls follow the principle of least privilege, with role-based permissions ensuring clinicians only see data relevant to their consultations. We conduct regular penetration testing and vulnerability assessments in line with NHS Digital cyber security guidance, and our compliance page provides full details.
How to Report
Email: security@qastco.com
Subject line: Vulnerability Disclosure — [brief description]
Please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
What Can You Expect From Our Security Response Team?
- Acknowledgement within 2 business days, confirming that the report has been received and assigned to an engineer
- We will triage every report by severity using CVSS, prioritising issues that could affect patient data or clinical workflows
- We aim to remediate confirmed critical vulnerabilities within 14 days and all other confirmed vulnerabilities within 90 days
- We will keep you informed of progress where possible
When you submit a vulnerability report to our security team, you will receive an acknowledgement within two working days confirming that your report has been received and assigned to an engineer. Our security team triages all submissions by severity using the Common Vulnerability Scoring System (CVSS), prioritising any issues that could affect patient data or clinical workflows. We aim to resolve confirmed critical vulnerabilities within fourteen days and all other confirmed issues within ninety days. Throughout the remediation process, we provide progress updates at reasonable intervals. Our approach aligns with responsible disclosure best practices recommended by the ICO and the National Cyber Security Centre. For questions about our broader data protection practices, visit our privacy policy.
Our Commitment to You
- We will not take legal action against researchers who report vulnerabilities in good faith and within the scope and rules set out in this policy
- We will not share your personal details with third parties without your consent
- We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to fix it
Scope
This policy covers:
- rxsure.co.uk — public website
- practitioner.rxsure.co.uk — clinical portal
- patient.rxsure.co.uk — patient portal
- Any other service operated by QASTCO Limited
Out of Scope
The following are not covered by this policy:
- Social engineering or phishing attempts against our staff
- Physical security issues
- Denial of service attacks
- Issues in third-party services we use (report directly to those providers)
Security Frequently Asked Questions
Is RxSure compliant with UK GDPR?
Yes. RxSure is fully compliant with the UK General Data Protection Regulation. We are registered with the Information Commissioner's Office (registration ZB261485) and maintain comprehensive data processing records, lawful basis documentation, and data protection impact assessments for all clinical workflows.
Where is patient data stored?
All patient data is stored on servers located within the United Kingdom. Our hosting infrastructure meets NHS Data Security and Protection Toolkit requirements. Data is encrypted at rest using AES-256 and in transit using TLS 1.3, in line with guidance from NHS Digital.
How does RxSure handle data breaches?
We maintain a documented incident response plan that follows ICO breach notification guidance. In the event of a personal data breach, we will notify the ICO within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals' rights and freedoms, and we will inform affected individuals without undue delay where that risk is high. Our privacy policy provides further details.
Does RxSure undergo independent security testing?
Yes. We commission regular independent penetration tests and vulnerability assessments conducted by accredited third-party security firms. Results are reviewed by our engineering team and any findings are remediated according to severity. For more about our platform standards, see our compliance page.
Security.txt
A machine-readable version of this policy is published at /.well-known/security.txt in the format defined by RFC 9116, so that security researchers and tooling can discover our reporting contact and policy programmatically.
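The following is an added example of how a researcher's tooling can consume such a file; it is illustrative code, not RxSure's or QASTCO's own, and it does not fetch the real file. The security.txt contents embedded in it are constructed for the example: the Contact address is the one given on this page, while the Expires date, Policy and Canonical URLs and Preferred-Languages value are placeholders. It parses the field syntax RFC 9116 defines, then applies the checks a consumer should apply before relying on the file: Contact present and expressed as a URI, Expires present exactly once, not in the past, and not more than a year ahead.

```python
"""Parse and sanity-check an RFC 9116 security.txt file (added example).

Illustrative code, not RxSure's or QASTCO's own. The sample file below is
constructed: the Contact address comes from the page; the Expires date,
Policy URL, Canonical URL and Preferred-Languages value are placeholders.
"""
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of what /.well-known/security.txt could contain.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure policy for RxSure (QASTCO Limited)
Contact: mailto:security@qastco.com
Expires: 2030-01-01T00:00:00Z
Policy: https://rxsure.co.uk/vulnerability-disclosure
Preferred-Languages: en
Canonical: https://rxsure.co.uk/.well-known/security.txt
"""

WELL_KNOWN_PATH = "/.well-known/security.txt"   # the location RFC 9116 mandates


def parse_rfc3339(value):
    """Parse the RFC 3339 timestamp used by Expires into an aware datetime."""
    value = value.strip()
    if value and value[-1] in "zZ":          # RFC 3339 allows a trailing Z for UTC
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def parse_security_txt(text):
    """Return {field_name_lowercased: [values...]} for an unsigned security.txt.

    Field names are case-insensitive and may repeat (e.g. several Contact
    lines), so every field maps to a list. Blank lines and '#' comments are
    skipped. A PGP cleartext-signed file would need its signature armour
    stripped first; that is not handled here.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return (fields, problems). problems lists RFC 9116 violations or
    warnings found; an empty list means the file is usable. `now` may be an
    aware datetime or an RFC 3339 string (handy for reproducible checks)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rfc3339(now)
    fields = parse_security_txt(text)
    problems = []

    # Contact is required; each value must be a URI (mailto:, https:, tel:).
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field (required)")
    for contact in contacts:
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {contact!r}")

    # Expires is required, must appear exactly once, and decides whether the
    # file may be relied on at all.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once (required)")
    else:
        try:
            expiry = parse_rfc3339(expires[0])
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if expiry <= now:
                problems.append("file has expired; do not rely on its contents")
            elif expiry > now + timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return fields, problems


def fetch_security_txt(origin, timeout=10):
    """Fetch the live file from an origin such as 'https://rxsure.co.uk' (needs network)."""
    url = origin.rstrip("/") + WELL_KNOWN_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    fields, problems = check_security_txt(SAMPLE_SECURITY_TXT, now="2029-09-01T00:00:00Z")
    print("contacts:", fields["contact"])
    print("problems:", problems or "none")
```

Against a live site, replace the constructed sample with `fetch_security_txt("https://rxsure.co.uk")` and call `check_security_txt` with the default `now`; a file that has passed its Expires date should be treated as stale and the contact confirmed by another route, which is exactly why RFC 9116 makes that field mandatory.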
For general security questions, contact contact@rxsure.co.uk.
QASTCO Limited (trading as RxSure)
Company Number: 13426888 • ICO Registration: ZB261485