Federated TRE vs SaaS Platform: Is Your Platform Actually ONS Compliant?
Every biobank, NHS Trust, and national genomics programme says they want a Trusted Research Environment. Under the ONS Five Safes framework, the label means something specific — and most SaaS data platforms don’t meet it.
This is a short guide to the question every TRE procurement team should be asking in 2026: is the platform you’re evaluating actually a Trusted Research Environment, or is it a secure analysis platform with TRE marketing?
What the ONS Five Safes actually require
The governing definition of a TRE in the UK comes from the UKSA Five Safes framework (originally published in 2017, reaffirmed by the Goldacre Review in 2022). Five pillars:
| Pillar | What it actually requires |
|---|---|
| Safe People | Researchers are vetted, trained, and identifiable |
| Safe Projects | Each analysis has explicit ethics and governance approval |
| Safe Settings | The environment is controlled by the data controller — not outsourced to a vendor |
| Safe Data | Data is minimised, pseudonymised, and stays at source |
| Safe Outputs | Only statistically-disclosure-controlled results leave the environment — via an airlock, not a download button |
The last two pillars are where most “TRE” marketing breaks down.
Federated TRE vs SaaS platform, scored against the Five Safes
| Pillar | Federated TRE | SaaS data platform |
|---|---|---|
| Safe People | Yes | Yes |
| Safe Projects | Yes | Yes |
| Safe Settings | Data controller retains full sovereignty | Vendor controls the environment |
| Safe Data | Data never leaves its source | Data is copied into the vendor’s cloud |
| Safe Outputs | Airlock — every output reviewed | Researcher-initiated downloads of derived data |
Why architecture IS the compliance story
The hard question isn’t whether your vendor can secure data well. It’s whether your data controller is still in control of the environment once the data is copied out.
In a federated TRE, the data never moves. The compute goes to the data. Every approval, every audit log, every output review happens inside the infrastructure your governance team already trusts. Lifebit’s federated TRE powers Genomics England at national scale — and the architecture is why.
In a SaaS model, the data is copied to the vendor’s cloud. Every copy is a new attack surface, a new jurisdiction, and a new set of approved researchers whose actions you now have to trust a third party to police. That can be a perfectly good secure analysis platform. It is not a Trusted Research Environment as the ONS defined one.
Ten questions to ask any TRE vendor
- Does my data ever leave my infrastructure, or is a copy moved to your cloud?
- Who controls the compute environment — your team, or mine?
- How are researcher outputs reviewed before they leave the environment?
- Can an approved researcher download raw or derived data to a local machine?
- What jurisdiction hosts my data under your model?
- What happens to my data if our contract ends?
- Do you meet every one of the ONS Five Safes, and can you show me evidence per pillar?
- Is your platform deployed in production at national-biobank scale?
- Who owns the audit trail — you, or me?
- If a researcher abuses access, who has the forensic record?
If a vendor can’t answer every one of those with confidence, you’re not looking at a TRE.
Our take
A “TRE” is not a marketing label. It is a specific architecture, with specific governance properties, as defined by the ONS Five Safes. In 2026, as data-residency regulation tightens and biobanks come under renewed scrutiny, the gap between platforms that are TREs and platforms that call themselves TREs will only widen.
Lifebit’s federated TRE was designed around the Five Safes from day one — because the architecture is the compliance story. See how the federated model works, or talk to our deployment team about a Five Safes compliance assessment of your current platform.