UK GDPR + NHS DSP Toolkit
Cambrian is a free command-line scanner that produces a UK GDPR + NHS DSP Toolkit readiness report for your AWS account. Read-only, runs locally in about 90 seconds. Designed to prepare you for the formal DSPT audit, not replace it. Built for Cambridge healthtech.
Know your AWS readiness score in 90 seconds, not 6 weeks
Hand your DPO real evidence today, not another action item
Hit the 30 June 2026 DSPT deadline without a last-minute scramble
Save the £5k-£15k a UK consultancy charges for the same evidence
Four things you can do on Monday that you cannot do today
Cambrian exists for the moments when your DPO, NHS sponsor, board, or auditor asks "where are we?" and the honest answer is "we are not sure." These are the four outcomes Cambridge healthtech and biotech teams use it for.
Hit the 30 June 2026 DSPT deadline without scrambling
Walk into your independent DSPT audit with the technical evidence already gathered, prioritised, and mapped. The assessor confirms what you already know - they are not the first person to find your gaps.
Unblock the NHS contract waiting on your security review
Hand your NHS sponsor a single dashboard that answers the technical half of supplier due diligence. Sales stops chasing security; security stops chasing sales. The deal moves.
Stop paying £5,000-£15,000 for a UK readiness PowerPoint
Replace the consultancy deck with a live readiness report. Every finding cites the exact UK GDPR article and NDG standard your DPO and assessor will ask about, so you walk into the formal audit with the technical groundwork already done.
Brief your board with a number, not a feeling
Open the dashboard in your next board meeting. One readiness score, four failures, a defined plan to close them. Replaces the vague 'we are working on compliance' update with something the chair can act on.
Your readiness report, in one local HTML file
A single static file on your disk. Readiness score, failures sorted by severity, copy-paste remediation for every finding. Share it with your DPO, hand it to your assessor as supporting evidence, or use it to brief your board. It is a readiness report - not a compliance certification or audit determination.
```
$ cambrian --region eu-west-2 --dashboard report.html
cambrian - UK GDPR + DSP Toolkit AWS readiness
Account: 123456789012   Region: eu-west-2

PASS  Root account has MFA enabled
FAIL  IAM users with console access have MFA
      GDPR: UK GDPR Art 32(1)(b) - Confidentiality of processing
      DSPT: DSPT NDG Std 4 - Strong authentication / MFA on access
...
========================================================
Readiness: 81%  GOOD
Pass 17   Fail 4   Warn 3
========================================================
```
24 checks across 9 AWS services
Every check maps to both UK GDPR Article 32 and an NHS Data Security and Protection Toolkit NDG standard. One scan, two recognised references your DPO and your DSPT assessor can both quote.
IAM
- Root MFA
- No root access keys
- User MFA
- Password policy
- Key rotation 90d
- No wildcard admin
S3
- Account public access block
- Default encryption
- Versioning
- Server access logging
EC2
- Open security groups
- EBS encryption default
- IMDSv2 required
- Public snapshots
RDS
- Public access
- Storage encryption
- Backup retention 7d+
- Deletion protection
CloudTrail
- Multi-region trail with log validation
CloudWatch
- Root account usage alarm
KMS
- Customer-managed key rotation
VPC
- VPC flow logs enabled
GuardDuty
- Threat detection enabled
Global
- UK data residency signal (eu-west-2)
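To make the "one scan, two references" idea concrete, here is an added example (my own code, not Cambrian's source) showing how a read-only readiness check can turn AWS API responses into PASS/FAIL/WARN findings that each cite a UK GDPR Article 32 paragraph and a DSPT NDG standard. It covers four of the checks listed above: root MFA, the S3 account-level public access block, IMDSv2 on EC2 instances, and RDS public access plus backup retention. The response dictionaries follow the shapes boto3 returns for `iam.get_account_summary`, `s3control.get_public_access_block`, `ec2.describe_instances` and `rds.describe_db_instances`, but they are constructed inline so the script runs offline and touches no account. The Art 32(1)(b) / NDG Std 4 citation pair is the one shown in the sample output on this page; the other control mappings, the WARN-when-nothing-to-assess rule and the scoring formula (PASS divided by PASS plus FAIL, WARN excluded, which reproduces the page's 81% for "Pass 17 Fail 4 Warn 3") are my assumptions, not Cambrian's.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    check: str
    status: str        # "PASS", "FAIL" or "WARN"
    gdpr: str          # UK GDPR citation printed under a failing finding
    dspt: str          # NHS DSPT NDG standard citation
    detail: str = ""   # offending resources, or why the check is a WARN


# Citations. The Art 32(1)(b) / NDG Std 4 pair is copied from this page's sample
# output; the other pairings are illustrative mappings of my own (assumption).
ART_32_1_B = "UK GDPR Art 32(1)(b) - Confidentiality of processing"
ART_32_1_C = "UK GDPR Art 32(1)(c) - Ability to restore availability"
NDG_1 = "DSPT NDG Std 1 - Data not exposed to unauthorised parties"
NDG_4 = "DSPT NDG Std 4 - Strong authentication / MFA on access"
NDG_7 = "DSPT NDG Std 7 - Backup and recovery"


def check_root_mfa(account_summary: dict) -> Finding:
    """iam.get_account_summary(): SummaryMap.AccountMFAEnabled is 1 when root has MFA."""
    enabled = account_summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1
    return Finding("Root account has MFA enabled", "PASS" if enabled else "FAIL", ART_32_1_B, NDG_4)


def check_account_public_access_block(pab: Optional[dict]) -> Finding:
    """s3control.get_public_access_block(): all four flags must be True.
    No configuration at all (boto3 raises NoSuchPublicAccessBlockConfiguration)
    is modelled as None and is a FAIL, because the block is simply absent."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [f for f in flags if not cfg.get(f, False)]
    return Finding("S3 account-level public access block", "FAIL" if missing else "PASS",
                   ART_32_1_B, NDG_1, ", ".join(missing))


def check_imdsv2_required(described: dict) -> Finding:
    """ec2.describe_instances(): every instance needs MetadataOptions.HttpTokens == 'required'."""
    instances = [i for r in described.get("Reservations", []) for i in r.get("Instances", [])]
    if not instances:
        # Nothing to assess is not the same as compliant, so report WARN (assumption).
        return Finding("IMDSv2 required", "WARN", ART_32_1_B, NDG_1, "no EC2 instances in region")
    optional = [i["InstanceId"] for i in instances
                if i.get("MetadataOptions", {}).get("HttpTokens") != "required"]
    return Finding("IMDSv2 required", "FAIL" if optional else "PASS", ART_32_1_B, NDG_1, ", ".join(optional))


def check_rds(described: dict) -> list[Finding]:
    """rds.describe_db_instances(): no PubliclyAccessible instance, and at least 7 days retention."""
    dbs = described.get("DBInstances", [])
    if not dbs:
        return [Finding("RDS not publicly accessible", "WARN", ART_32_1_B, NDG_1, "no RDS instances"),
                Finding("RDS backup retention 7d+", "WARN", ART_32_1_C, NDG_7, "no RDS instances")]
    public = [d["DBInstanceIdentifier"] for d in dbs if d.get("PubliclyAccessible", False)]
    short = [d["DBInstanceIdentifier"] for d in dbs if d.get("BackupRetentionPeriod", 0) < 7]
    return [Finding("RDS not publicly accessible", "FAIL" if public else "PASS", ART_32_1_B, NDG_1, ", ".join(public)),
            Finding("RDS backup retention 7d+", "FAIL" if short else "PASS", ART_32_1_C, NDG_7, ", ".join(short))]


def readiness(findings: list[Finding]) -> tuple[int, int, int, int]:
    """Returns (score_percent, pass, fail, warn). Scoring assumption: PASS / (PASS + FAIL)
    rounded, WARN excluded; this reproduces the page's 81% for Pass 17 Fail 4 Warn 3."""
    p = sum(f.status == "PASS" for f in findings)
    fl = sum(f.status == "FAIL" for f in findings)
    w = sum(f.status == "WARN" for f in findings)
    return (round(100 * p / (p + fl)) if p + fl else 0), p, fl, w


def render(findings: list[Finding]) -> list[str]:
    """Text report in the same shape as the terminal output shown on this page, failures first."""
    lines = []
    for f in sorted(findings, key=lambda f: ("FAIL", "WARN", "PASS").index(f.status)):
        lines.append(f"{f.status}  {f.check}" + (f" ({f.detail})" if f.detail and f.status != "PASS" else ""))
        if f.status != "PASS":
            lines += [f"      GDPR: {f.gdpr}", f"      DSPT: {f.dspt}"]
    score, p, fl, w = readiness(findings)
    return lines + ["=" * 56, f"Readiness: {score}%", f"Pass {p}   Fail {fl}   Warn {w}"]


# Constructed sample responses, not from a real account.
SAMPLE = {
    "iam": {"SummaryMap": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0}},
    "s3": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    "ec2": {"Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "required"}},
        {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "optional"}}]}]},
    "rds": {"DBInstances": [
        {"DBInstanceIdentifier": "trials-db", "PubliclyAccessible": False, "BackupRetentionPeriod": 14},
        {"DBInstanceIdentifier": "scratch-db", "PubliclyAccessible": False, "BackupRetentionPeriod": 3}]},
}


def scan(responses: dict = SAMPLE) -> list[Finding]:
    """Run the four checks over one set of API responses (live or constructed)."""
    return [check_root_mfa(responses["iam"]), check_account_public_access_block(responses["s3"]),
            check_imdsv2_required(responses["ec2"]), *check_rds(responses["rds"])]


if __name__ == "__main__":
    print("\n".join(render(scan())))
```

Against the constructed sample the script reports two failures (the instance still on IMDSv1 and the database with three days of retention) and a 60% score. Every check here only reads describe/get calls, which is why AWS managed ReadOnlyAccess is enough for this style of scan; a finding's remediation (for example setting HttpTokens to required) is a separate, deliberate change and never part of the scanner.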
The NHS DSP Toolkit and Cambrian are not the same thing
The official NHS Data Security and Protection Toolkit (DSPT) is the annual self-assessment you submit to the NHS. Cambrian is an independent free tool that produces the technical AWS evidence you attach to it. One does not replace the other - they belong together.
Official, mandatory
NHS DSP Toolkit
The annual self-assessment portal run by NHS England at dsptoolkit.nhs.uk. Mandatory for NHS organisations and qualifying IT suppliers.
- A questionnaire, not a scanner. Your team answers assertions and attaches evidence documents.
- Covers all 10 NDG standards: people, policies, training, governance, business continuity, and technical controls.
- Annual cycle. The v8 deadline for IT suppliers is 30 June 2026.
- Publishes a score on the NHS website tied to your organisation.
- Independent audit required for IT suppliers above the NHS audit threshold.
Run by NHS England. We have no affiliation.
Independent, complementary
Cambrian (this tool)
A free command-line scanner you run on your laptop against your AWS account. Produces a readiness report you attach as evidence to the DSPT assertions about AWS configuration.
- A scanner, not a questionnaire. Automatic detection across your AWS account.
- Covers AWS configuration only: the technical subset of NDG Standards 1, 4, 6, 7, and 9.
- Runs on demand in about 90 seconds. Re-run as often as you change AWS.
- Produces a local HTML readiness report. Nothing published, nothing uploaded.
- Independent of NHS England. Built by Tasrie IT Services. Not endorsed by the NHS.
Built by Tasrie IT Services. Independent.
How they fit together in practice
You still submit the official NHS DSP Toolkit at dsptoolkit.nhs.uk - nothing replaces that. When the DSPT asks you to provide evidence for NDG Standard 1 ("data not exposed to unauthorised parties"), NDG Standard 4 ("MFA on access"), NDG Standard 7 ("backup and recovery"), or NDG Standard 9 ("audit logging"), you attach the relevant section of your Cambrian readiness report and the per-finding remediation evidence behind it. Cambrian does the technical heavy lifting; the DSPT remains your single, audited declaration to NHS England.
Cambrian is not an official NHS tool, not affiliated with NHS England, and does not produce or replace your DSPT submission. References to NDG standards and assertion numbers are based on the published DSPT v8 (2025-26) framework and should be verified against the official Assertions and Evidence spreadsheet before submission.
A DSPT readiness check should not cost £15,000
Cambrian does not replace the formal DSPT audit. It does replace the £5k-£15k "readiness PowerPoint" most healthtech and biotech teams pay for before they get there. The technical evidence is the same. The price is not.
| Path to AWS readiness evidence | Typical cost | Time to first report | UK GDPR + DSPT cited |
|---|---|---|---|
| Big Four DSPT readiness engagement | £15,000 - £50,000 | 6 - 12 weeks | Yes |
| Small UK security consultancy | £5,000 - £10,000 | 3 - 6 weeks | Usually |
| In-house senior engineer + open-source tools | £1,500 - £2,500 internal time | 2 - 3 days of focused work | You map them yourself |
| Cambrian (this tool) | £0 forever | ~90 seconds | Yes, automatically |
Cambrian produces a readiness report, not a compliance certification or an audit determination. It is a focused technical scan that gives you the AWS configuration findings you would otherwise spend weeks or thousands of pounds gathering. Cost ranges based on UK SMB rates for DSPT v8 readiness work in 2025-26.
How it works
Three steps. About 90 seconds end to end on a small AWS account.
Request the scanner
Use the form below. We send a signed binary (or a Docker image, your choice), the install instructions, and a short PDF that maps every check to its UK GDPR article and DSPT NDG standard. Usually within one UK working day.
Run it from your terminal
One command, read-only AWS permissions, your existing SSO profile. Defaults to eu-west-2 (London). Takes about 90 seconds on a small account.
Open the local dashboard
A single static HTML file with your readiness score, failures by severity, and a copy-paste remediation note for every finding. Open it in your browser, share it with your DPO, attach it to your DSPT evidence pack.
Built for
- ✓ NHS digital-health and clinical-software vendors approaching the 30 June 2026 DSPT deadline
- ✓ Cambridge biotech and genomics teams handling identifiable patient or participant data on AWS
- ✓ Clinical-research SaaS startups preparing for their first ISO 27001, Cyber Essentials Plus, or DSPT audit
- ✓ CTOs and DPOs who need to brief a board on AWS security posture without paying for a Big Four readiness scan
What Cambrian does not do
This is a technical configuration scan only. It will not, by itself, satisfy any of the following.
- Policies, training records, governance documents, or business continuity plans
- The independent DSP Toolkit audit itself (mandatory for IT suppliers in 2025-26 / v8)
- A formal UK GDPR compliance determination - that is your DPO or supervisory authority
- Continuous monitoring or drift detection - this is a point-in-time scan
Use it for gap analysis and readiness, then engage a qualified assessor for formal submission.
Request free access to Cambrian
Tell us about your AWS environment and your NHS / UK GDPR exposure. A senior engineer from our team replies within one working day with the signed binary (or Docker image), the install instructions, and a one-page UK GDPR / DSPT mapping reference.
- Sent to your work email only. We do not share or sell your details. Privacy policy applies.
- Optional 20-minute onboarding call. A senior engineer walks you through your first scan. Skip it if you would rather just read the docs.
- Includes the UK GDPR / DSPT mapping PDF. A one-page reference of every check, its Article 32 citation and its NDG standard. Drop it straight into your DPIA.
Free is the default. Two ways to take it further if you want our time.
The tool itself stays free, forever, with no licence key, no usage cap, and no SaaS tier behind it. The two paid options below are for teams who want our time on the first scan or want continuous coverage afterwards.
Cambrian, free forever
For teams who want answers this afternoon, not a quote next quarter.
- ✓ See your DSPT readiness score before anyone outside your team asks for it
- ✓ Hand your DPO real evidence instead of "we are looking into it"
- ✓ Skip the £5k-£15k consultancy bill for the same technical findings
- ✓ Stay in control: read-only, local, nothing uploaded
- ✗ You install it, run it, and read the report yourself
Your report by Friday
£495 per session, one AWS account
For teams who want the report this week without spending a day setting up the scanner.
- ✓ Have the readiness report on your desk by Friday, not next sprint
- ✓ Skip the Python install and the IAM debugging
- ✓ Get a 60-minute working session with a senior engineer, screen-share, your AWS
- ✓ Walk away with the top 5 fixes ranked by effort vs risk
- ✓ Keep Cambrian installed to re-run whenever you want
Stay audit-ready, every month
£395 / month or £3,995 / year · 2 months free
For teams shipping AWS changes every sprint who want continuous proof of readiness, not an annual scramble.
- ✓ Walk into every board review with a current readiness number, not a stale one
- ✓ Catch misconfigurations in days, not at the next annual audit
- ✓ Stop tracking DSPT v9 / NHS CAF updates - we do that and update the checks
- ✓ Sleep through post-deploy weekends with an inbox you can ping, 1-day SLA
- ✓ No vendor lock-in: cancel any month, the free tool stays yours
Prices in GBP, excluding VAT. The £495 scan-as-a-service covers one AWS account per session; multi-account scans are quoted separately. If the session does not surface at least three actionable findings in your environment, we refund 50%.
Questions UK healthcare and biotech teams ask before requesting Cambrian
If your question is not here, mention it in the form above and we will answer it in the reply.
Is this an official NHS or ICO tool?
No. Cambrian is an independent free utility built by Tasrie IT Services, distributed as a signed binary (or a Docker image) on request. It maps your AWS configuration to the UK GDPR Article 32 technical requirements and the NHS Data Security and Protection Toolkit v8 NDG standards, but it is not the formal DSPT submission or audit and not a UK GDPR compliance determination. Use it for gap analysis, then engage a qualified assessor for formal submission.
Why is it free? What is the catch?
There is no catch. We built Cambrian because the Cambridge healthtech and biotech teams we work with kept paying £5,000-£15,000 for a 'readiness scan' that was just a Prowler run with a UK-flavoured PDF on top. We wanted a UK-specific tool with the right references baked in. If you later need help fixing the gaps it surfaces, you know where to find us. If not, keep the tool and move on.
What AWS access do you need for the £495 scan-as-a-service?
None of your credentials. We share a screen, you keep the keyboard, Cambrian runs from your laptop under your existing AWS profile. We see the output as you see it. After the session ends we hold no credentials, no access, and no copy of your account state. The same applies on the care plan - you run the monthly scan, you share what you want to share.
If the tool is free, what are the £495 and £395 prices on the pricing block for?
Two levels of our time, not the tool. Cambrian itself is free, unlicensed, and uncapped - download it and run it forever without paying us a penny. The £495 scan-as-a-service is for teams who would rather not spend an afternoon setting up Python and IAM: we share a 60-minute session, run the scan with you on your AWS, and you walk away with the readiness report by Friday. The £395/month care plan is for teams who want continuous monthly scans, alerts when new failures appear, and an inbox to ping. Most teams use the tool for free and never speak to us; that is fine.
What AWS permissions does it need?
Read-only. The AWS managed ReadOnlyAccess policy is sufficient, and we never recommend granting more. The scan never writes to your account, never assumes a role other than the one you give it, and never makes network calls outside the AWS APIs.
Does any of my data leave my laptop?
No. Cambrian is a Python CLI that calls the AWS API under your existing profile and renders a local HTML file. There is no telemetry, no cloud back-end, no licence key check. You can read every line of source before you run it.
How is this different from AWS Security Hub, Prowler, or Inspector?
Security Hub and Prowler are general-purpose, multi-framework tools and Inspector is workload vulnerability scanning. Cambrian is a focused 24-check baseline where every result already cites the exact UK GDPR article and the NDG standard your DPO or assessor will ask about. If you are running Prowler too, brilliant - Cambrian is the UK-specific lens on top.
We are a Cambridge biotech with one AWS account and an NHS research contract. Is this overkill?
It is the opposite of overkill. The 24 checks are the technical floor you should be able to evidence the moment an NHS sponsor, ethics committee, or funder asks. Most early-stage healthtech teams discover three to five of them are missing the first time they run it.
What happens after I submit the request form?
A senior engineer from our team replies with the download link, a one-page UK GDPR / DSPT mapping reference, and an optional 20-minute call to walk through your first scan. You can ignore the call invitation - the tool works on its own.
Can you actually fix the failures it finds?
Yes. Our cybersecurity services and AWS managed services teams remediate UK GDPR and DSPT findings as fixed-scope engagements. Most early-stage healthtech teams need 1-2 weeks of work to close everything Cambrian surfaces.
What this tool is, and is not
Cambrian produces a readiness report - a point-in-time technical view of your AWS configuration against the controls behind UK GDPR Article 32 and the NHS Data Security and Protection Toolkit v8 NDG standards. It is not a compliance certification, a UK GDPR compliance determination, the formal DSPT submission, or the independent DSPT audit. Those remain the responsibility of your DPO, your supervisory authority, and a qualified DSPT assessor.
Use Cambrian for gap analysis and readiness preparation, then engage a qualified assessor for formal submission. The output of Cambrian and any related scan-as-a-service or care plan engagement is informational and does not constitute legal advice.
Not sure which option fits?
20-minute fit call. We look at your AWS environment and your DSPT / UK GDPR deadline, then tell you honestly whether the free tool is enough or whether the scan-as-a-service is the right next step. No pitch.