Digital Technology Assessment Criteria (DTAC)

Version 1.1
Date : July 9th 2024
Overall outcome: Pass by MedTech for NHS England

Company Information
  • Name : CareLoop Health Ltd
  • Product : CareLoop for Psychosis
  • Type : Software as a Service / App
  • Contact : Dan Stapleton | Product Manager | 07834132955
  • Registered Address : Ctf 46 Grafton Street, Manchester, M13 9NT
  • Country of registration : England and Wales
  • Companies House registration Number : 13219481
  • CQC Assessment : n/a

Value Proposition

Who is this product intended to be used for ? Patients

Product Description

The CareLoop Psychosis Product has been developed through consultation with people using services, their carers and mental health professionals. The CareLoop for Psychosis product provides a mobile technology monitoring system that enables :

  • daily monitoring of symptoms using validated measures;
  • daily monitoring for personalised Early Warning Signs (EWS) of relapse;
  • delivery of Wellbeing Messages aimed at enhancing self-management;
  • a pathway to relapse prevention facilitated where appropriate by sharing up to date EWS data with participating community mental health services.

The CareLoop for Psychosis Medical Device is specifically the algorithm which calculates changes in participants’ individual EWS and generates responses to these. The algorithm is a Class 1 Medical Device.

Describe clearly the intended or proven benefits for users and confirm if / how the benefits have been validated

CareLoop for Psychosis has been shown to:

  • Predict and prevent relapse into psychosis.
  • Reduce the severity of psychotic relapse.
  • Reduce the fear of relapse into psychosis in users.
  • Reduce hospital admission for psychotic relapse.
  • Reduce overall costs for mental health services treating schizophrenia.

The benefits have been validated through various studies, including:

Gumley AI, Bradstreet S, Ainsworth J, Allan S, Alvarez-Jimenez M, Birchwood M, Briggs A, Bucci S, Cotton S, Engel L, French P, Lederman R, Lewis S, Machin M, MacLennan G, McLeod H, McMeekin N, Mihalopoulos C, Morton E, Norrie J, Reilly F, Schwannauer M, Singh SP, Sundram S, Thompson A, Williams C, Yung A, Aucott L, Farhall J, Gleeson J. Digital smartphone intervention to recognise and manage early warning signs in schizophrenia to prevent relapse: the EMPOWER feasibility cluster RCT. Health Technol Assess. 2022 May;26(27):1-174. doi: 10.3310/HLZE0479.

User Journeys and Data Flow


Clinical Safety

Have you undertaken Clinical Risk Management activities for this product which comply with DCB0129? Yes

Details of our clinical risk management system are available within our DCB0129 and our full Clinical Safety File and Hazard Analysis is available on request.

Clinical Safety Officer (CSO) has been appointed:

Dr Shon Lewis | GMC 2519560 | Greater Manchester Mental Health NHS Foundation Trust Honorary Consultant with mandatory training up to date. Chief Clinical Information Officer for Trust 2018-2021. 

CareLoop for Psychosis is a registered medical device and is registered with the Medicines and Healthcare products Regulatory Agency (MHRA) : 2023112401329251.

Our Declaration of conformity and UKCA certificate is available on request.

CareLoop does use third-party products as part of the deployment. The related risks and relevant Data Processing Agreements are contained within the DCB0129.

Data Protection

We are required to register with the Information Commissioner, please attach evidence of a current registration.

ZB255439 | On-Line DPA Register Search

We have a nominated Data Protection Officer (DPO) | Professor John Ainsworth, University of Manchester & Chief Product Officer, CareLoop Health

In some circumstances our product has access to personally identifiable data. We are registered and compliant with the Data Security and Protection Toolkit Assessment.

Data Protection Impact Assessments are completed on a per-customer basis, but an example can be provided on request.

Our risk assessments and mitigations / access controls / system level security policies have been signed-off by our Data Protection Officer, and these are available in our Quality Management System, in the Clinical Risk Management File and available on request.

CareLoop Health store and process data in the UK only.

Technical Security

Cyber Essentials

The CareLoop Health App and Platform have undergone an external penetration test that included the OWASP Top 10 vulnerabilities. The Summary Report is available on request.

Executive Summary 

The web application has been tested between the agreed dates and the security assessment was based around the scope of work detailed in the section above. To identify all possible issues, the tester used both manual testing as well as automated scans against the targeted applications. The methodology in use covered, amongst others, the vulnerabilities contained in the OWASP TOP 10 list of vulnerabilities. 

The security posture of the external infrastructure has been found to be solid, and no high or medium impact vulnerabilities have been discovered. Only necessary services are open to the internet. 

Most vulnerabilities affecting the web application and the mobile application have been promptly fixed by Careloop’s development team and only two low impact vulnerabilities remain. These cannot be exploited by attackers to gain access to user data nor the server. Therefore, the security posture of the application should be considered solid. 

It is advised to ensure that the remediation advice offered within this report is implemented throughout the applications as a whole rather than focused on individual hosts. This could help mitigate issues that have not been explicitly highlighted and ones that may be introduced in the future.

Other Security details:

  • All our custom code is subject to an internal code review as part of our development process.
  • All privileged accounts have multi-factor authentication enabled.
  • Logging of database transactions is in place.
  • Load testing has been performed on the platform.


Does your product expose any Application Programme Interfaces (API) or integration channels for other consumers? Yes. We look at the need for APIs on a per-integration basis. Our platform is built on an API architecture, and APIs can be exposed to third-party-developed and customer systems as required (i.e. using the OpenAPI spec).

Do you use NHS number to identify patient record data? No. We use the identification number that is provided by the service that is using the system. In some cases they may choose to use NHS number to help them identify users in their own system, but the service user does not use NHS number or NHS login to access the app. This is agreed as part of the service design and documented in the DPIA for that service.

Does your product have the capability for read/write operations with electronic health records (EHRs) using industry standards for secure interoperability (e.g. OAuth 2.0, TLS 1.2)? No. Not at this time, as we do not read from or write to EHRs. Each use case is assessed as part of the service design, and appropriate connectivity to EHRs can be set up as required using the appropriate industry standards.

Is your product a wearable or device, or does it integrate with them? No

Usability and accessibility

Do you engage users in the development of the product? Yes

Developers should be awarded 10% if they demonstrate that user need has been taken into account through user research, search data, analytics or other data to understand the problem.

  • User research through historical academic projects.
  • Current user groups : We are currently engaged with PPIE user groups on all the live projects. A summary of feedback and insights is available on request.
  • Patient feedback : It is possible to collect patient user feedback in app as part of any engagement with the consent of the purchasing healthcare organisation (the data controller).
  • Clinician feedback is sought out proactively on an individual basis, depending on the implementation.
  • Publications : The CareLoop Health App was developed alongside academics who have published findings relating to the uptake and usability of switching to a digital engagement.

Are all key user journeys mapped to ensure that the whole user problem is solved, or it is clear to users how it fits into their pathway or journey? Yes.

Do you undertake user acceptance testing to validate usability of the system? Yes

Are you international Web Content Accessibility Guidelines (WCAG) 2.1 level AA compliant? Working towards it. An Accessibility Statement regarding the clinical dashboard can be found here.

Does your team contain multidisciplinary skills? Yes
Do you use agile ways of working to deliver your product? Yes
Do you continuously develop your product? Yes
Do you have a benefits case that includes your objectives and the benefits you will be measuring and have metrics that you are tracking? Yes
Does this product meet with NHS Cloud First Strategy? Yes
Does this product meet the NHS Internet First Policy? Yes
Are common components and patterns in use? Working towards it.
Do you provide a Service Level Agreement to all customers purchasing the product? Yes
Do you report to customers on your performance with respect to support, system performance (response times) and availability (uptime) at a frequency required by your customers? Yes

If you require a download of the full DTAC in NHS format, please email