Board Compliance Statement: April 2026

To: CheckTick Board (SIRO & CTO)
From: SIRO
Date: 06/04/2026
Subject: DSPT 2025/26 Documentation Review and Board Approval

1. Purpose

This statement confirms that the full suite of Data Security and Protection Toolkit (DSPT) documentation for CheckTick (Eatyourpeas Ltd) has been formally reviewed by the Senior Information Risk Owner (SIRO) and approved by the Board in preparation for submission of the 2025/26 DSPT return.

2. Documentation Reviewed

The following documents were reviewed and are considered current, accurate, and fit for purpose as of 6 April 2026:

  • Software Security Code of Practice (SSCoP) Self-Assessment, covering all 14 principles across 4 themes (Themes 1–4), with evidence and arguments documented at sub-claim level (claims 1.1.1–4.3.1)
  • Annual Compliance Checklist 2026
  • Risk Register: active risks reviewed and accepted where applicable
  • Data Flow Mapping and Record of Processing Activities
  • Information Asset Register and Data Policy
  • Incident Response Plan and Incident/Near-Miss Log
  • Data Subject Rights Procedure and Individual Rights Procedure
  • Training Records and Training Needs Analysis
  • Business Continuity Plan and Disaster Recovery Drill (2025)
  • Supplier Assurance Register and Supplier Contract Audit
  • Board Minutes (DSPT), November 2025
  • Board Security Statement, January 2026 (unsupported systems review)
  • Penetration Test Attestation (AD24502, conducted by external provider)

3. SIRO Review Statement

I have reviewed the DSPT documentation suite listed above. I am satisfied that:

  1. The documentation accurately reflects the data security and protection practices of CheckTick for the 2025/26 period.
  2. The Software Security Code of Practice self-assessment is complete, evidenced, and appropriately argued for an organisation of our size and risk profile.
  3. Identified risks, including the active Pygments CVE-2026-4539 exception (recorded in the Risk Register and acknowledged in the SSCoP assessment), have been formally accepted with appropriate mitigating controls and are subject to review within six months.
  4. The organisation's security posture, as evidenced by the external penetration test (AD24502), Cyber Essentials Plus certification, and continuous automated monitoring, meets or exceeds expectations for a two-person clinical software supplier.
  5. No material data security incidents occurred during the 2025/26 reporting period that would prevent submission.

4. Board Approval

The Board of Eatyourpeas Ltd hereby approves:

  • The DSPT 2025/26 documentation suite as reviewed by the SIRO.
  • The submission of the 2025/26 DSPT return to NHS England.
  • The SSCoP self-assessment as an accurate and complete representation of CheckTick's software security practices.

5. Signatories

SIRO Declaration

"I confirm that I have reviewed the DSPT 2025/26 documentation suite and am satisfied that it is accurate, appropriately evidenced, and ready for submission."

Signed: Dr Serena Haywood, SIRO Date: 06/04/2026


CTO Acknowledgement

"I confirm that the documentation reflects the technical controls and security practices in place at CheckTick and that all evidence referenced is current and accessible."

Signed: Dr Simon Chapman, CTO Date: 06/04/2026


This statement is retained as evidence for DSPT 2025/26. Next review: April 2027.