DSP and Pen testing for supporting agencies

Tim_Morgan · 24 November 2025 12:03

We are a consultancy supporting a provider to integrate with e-RS.

The provider uses Salesforce as a platform.

Should the data security-type sections of the API applications be answered as Salesforce, or as the provider?

i.e. Should Salesforce be able to demonstrate their DSP Toolkit credentials, or the provider? Should Salesforce demonstrate a penetration test results, or the provider?

Are either of these examples applicable as a requirement for us, as the supporting implementation consultancy?

zubeir.tai · 26 November 2025 15:27

Hi Tim - It would be the integrating party in all cases, i.e. the supplier providing the software solution.

From what you’ve stated, this sounds like Salesforce.

Tim_Morgan · 26 November 2025 16:36

Ok perfect thank you @zubeir.tai !

tony.marsh1 · 18 December 2025 12:12

Tim, we’ve added some more guidance here too so you know what we’d expect you to receive from them and how we’ll help review it with our cyber colleagues https://digital.nhs.uk/services/e-referral-service/api/integration-process/stage-2-build section 2.5

Topic		Replies	Views
Application-restricted Access eRS APIs - List of steps e-Referral Service FHIR API onboarding , api	3	783	17 November 2022
e-RS sandbox with UI for user familiarity e-Referral Service (e-RS)	4	27	19 November 2025
How do I integrate with the API Platform? e-Referral Service (e-RS) authentication , onboarding	2	680	4 March 2024
Test Data upon Registration e-Referral Service FHIR API testing , onboarding	2	40	13 November 2024
Trouble performing "e-RS worklist retrieval" API Platform testing	21	128	15 April 2025

DSP and Pen testing for supporting agencies

Related topics