We hold the most-sensitive records a UK clinic owns — patient incidents, staff bank details, regulator-facing assertions. Here's exactly what we do to protect them, and what we're working towards next.
Every personal-data field (NI numbers, bank details, sort codes) is encrypted at rest with AES-GCM using a 12-byte random IV per record. Never plaintext, never logged. Fails CLOSED when the encryption key is unset.
Every HR + governance write logs to the HR_EVENTS ledger with actor, action, entity, before, after. PII is scrubbed before logging so the log itself never accumulates the data it audits.
Seven roles — admin / manager / hr / clinical / finance / readonly / employee. Every endpoint gates with requireRole before doing work. The dashboard UI hides controls a user can't action.
Article 15 Subject Access Request is a single API call: GET /api/hr/gdpr/sar?empId=... returns the subject's full personal-data footprint across employees, absences, timesheets, training and access log.
Monthly scheduled function deletes records past their retention window: 7-year payroll, 6-year clinical credentials, 7-year general HR. Every deletion emits Well-led CQC evidence so the audit trail records the action.
Production runs on Netlify with all data in EU regions by default. Per-tenant data residency (US, AU) configurable via the storage adapter when an international tenant signs.
Every blob key prefixed with t:<tenantId>:. Edge function resolves the tenant from the request hostname before any function runs. Cross-tenant data leakage isn't possible without an admin actively breaking the key prefix convention.
Every secret-sensitive endpoint reads keys from Netlify env vars. If a required key is unset, the endpoint refuses the call rather than silently degrading to plaintext. Following the same pattern across the codebase.
Auto-trigger sweeps, retention deletions, signup checkout creation, key migration — every destructive or revenue-impacting operation uses idempotency keys + per-trigger cooldowns. Replays are safe.
Group-tier customers will be able to bring their own KMS-managed encryption key. Per-tenant key derivation, with revocation tearing down access without a database migration.
Audit engagement kicking off with a vendor automation platform. Type I report targeting Q3 2026; Type II follows 12 months later. Evidence pack already wired through the dashboard for sharing on request.
Formal Information Security Management System documentation in progress: vendor risk register, BCP, incident response runbook, DPA template, DPIA per integration. Targeting certification Q1 2027.
12 months of evidence post-Type-I. Designed for enterprise sales cycles where the procurement team wants a Type II report before signing.
Annual UK government-backed certification. Aligned with the NHS-supplier baseline; complements DSPT submissions our customers make.
Quarterly external pen test, annual internal red-team exercise. Findings tracked in the public security changelog (redacted).
Public subprocessor page listing every third-party that touches tenant data: Netlify, Anthropic, MailerLite, Stripe, etc. With change-notification policy.
Email security@clinimanage.co.uk for the technical security pack, DPA template, or to ask about a specific control. We respond within one working day.