CliniciansCheck Global Compliance & Data Security Implementation Report

Date: March 24, 2025
Prepared by: Internal Compliance & Operations Team
For: Investors, Regulatory Inspectors, NHS Procurement, Data Controllers & Enterprise Partners


🎯 Executive Summary

CliniciansCheck is a global platform that connects healthcare professionals and patients through a marketplace interface. As a digital health and service platform operating in regulated sectors, we have implemented extensive technical, legal, and operational safeguards to ensure full compliance with the following regulatory frameworks:

  • UK GDPR & EU GDPR
  • CCPA / CPRA (California Consumer Privacy Act, as amended by the California Privacy Rights Act)
  • PECR (Privacy and Electronic Communications Regulations – UK)
  • ePrivacy Directive (EU)
  • HIPAA-aligned data protection principles (USA)
  • Australian Privacy Act
  • Digital Services Act (EU), together with WCAG 2.1 AA accessibility as expected in UK and EU public-sector procurement

📋 SECTION 1: LEGAL FRAMEWORKS MET

Regulation | Summary of Requirements | Status
UK GDPR | Lawful basis, data minimisation, transparency, access rights, breach reporting | ✅ Fully Met
EU GDPR | Cross-border transfers, consent, processor agreements, audit logs | ✅ Fully Met
CCPA / CPRA | Do Not Sell/Share links, opt-out rights, DSAR, consent banner | ✅ Fully Met
PECR | Cookie control, marketing opt-ins, prior consent before tracking | ✅ Fully Met
HIPAA Principles | Security safeguards, audit trails, patient confidentiality | ✅ Best Practice Aligned
Australian Privacy Principles | Purpose limitation, access & correction rights, secure storage | ✅ Fully Met
Digital Services Act (EU) / WCAG 2.1 AA | Platform transparency obligations (DSA, EU only) and accessibility as required for public-sector procurement (WCAG) | ✅ Fully Met

🛡️ SECTION 2: SECURITY & INFRASTRUCTURE

  • TLS encryption: HTTPS enforced site-wide
  • PCI DSS payment handling: card data is entered with and processed by Stripe and PayPal only; it does not pass through CliniciansCheck systems
  • 2FA and role-based admin access: active (2FA required for all admin accounts)
  • Bot protection: ShopProtect installed
  • Daily backups: Rewind Backups installed and configured
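The "HTTPS enforced site-wide" item above is cheap to verify from the outside, and an inspector will. The Python script below is an added example written for this page (it is not CliniciansCheck or Shopify code): given a captured plain-HTTP response and the headers of the HTTPS response, it reports whether HTTP redirects permanently to HTTPS, whether an HSTS header of at least one year with includeSubDomains is present, and whether cookies set over HTTPS carry Secure and HttpOnly. The two captures embedded in the script are constructed, shop.example is a placeholder host, and probe() performs a live capture when network access is available.

```python
"""Check the 'HTTPS enforced site-wide' claim from captured responses.

Added example for this page (not CliniciansCheck or Shopify code). The
captures below are constructed and shop.example is a placeholder host.
"""
import re
import sys
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # minimum HSTS max-age most guidance recommends

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value, or None."""
    if not value:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not m:
        return None
    return int(m.group(1)), "includesubdomains" in value.lower()

def assess_https_posture(http_status, http_location, https_headers, https_set_cookie=()):
    """Return a list of findings; an empty list means every check passed.

    http_status / http_location: status and Location of the plain http:// response.
    https_headers: response headers of the https:// request (any header-name case).
    https_set_cookie: the Set-Cookie values from the https:// response.
    """
    findings = []
    # 1. Plain HTTP must redirect permanently to an https:// URL.
    if http_status not in (301, 308):
        findings.append(f"http:// returned {http_status}; expected a 301/308 redirect to https://")
    elif not (http_location or "").lower().startswith("https://"):
        findings.append(f"http:// redirects to {http_location!r}, which is not an https:// URL")
    # 2. HSTS for at least a year, covering subdomains, so browsers stop trying HTTP at all.
    headers = {k.lower(): v for k, v in https_headers.items()}
    hsts = parse_hsts(headers.get("strict-transport-security"))
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the https:// response")
    else:
        max_age, include_sub = hsts
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age={max_age} is below the one-year ({ONE_YEAR}) recommendation")
        if not include_sub:
            findings.append("HSTS lacks includeSubDomains; subdomains remain reachable over HTTP")
    # 3. Cookies set over HTTPS must be Secure (never sent over HTTP) and HttpOnly.
    for raw in https_set_cookie:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} is set without the Secure attribute")
            if not morsel["httponly"]:
                findings.append(f"cookie {name!r} is set without HttpOnly")
    return findings

# Constructed captures: one hardened origin and one that merely has a certificate.
GOOD_CAPTURE = dict(
    http_status=301, http_location="https://shop.example/",
    https_headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    https_set_cookie=["session=abc123; Path=/; Secure; HttpOnly"],
)
WEAK_CAPTURE = dict(
    http_status=200, http_location=None,
    https_headers={"strict-transport-security": "max-age=300"},
    https_set_cookie=["session=abc123; Path=/"],
)

def probe(host, timeout=5):
    """Live capture of the inputs assess_https_posture() needs (network access required)."""
    import http.client, ssl
    plain = http.client.HTTPConnection(host, 80, timeout=timeout)
    plain.request("GET", "/", headers={"Host": host})
    r = plain.getresponse()
    http_status, http_location = r.status, r.getheader("Location")
    plain.close()
    tls = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=timeout)
    tls.request("GET", "/", headers={"Host": host})
    rs = tls.getresponse()
    capture = dict(http_status=http_status, http_location=http_location,
                   https_headers=dict(rs.getheaders()),
                   https_set_cookie=rs.msg.get_all("Set-Cookie") or [])
    tls.close()
    return capture

if __name__ == "__main__":
    target = sys.argv[1:2]
    capture = probe(target[0]) if target else WEAK_CAPTURE
    for finding in assess_https_posture(**capture) or ["no findings"]:
        print(finding)
```

Run it as `python check_https.py shop.example` against a real host, or with no argument to see the findings for the constructed weak capture. A certificate alone does not make a site "HTTPS site-wide"; the redirect and HSTS are what stop a first visit or a bookmarked http:// link from ever carrying a session cookie in the clear.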

🧾 SECTION 3: LEGAL DOCUMENTATION PUBLISHED

  • Privacy Policy: GDPR and CCPA compliant, HIPAA-aligned
  • Terms of Service: Published and governing law stated
  • Cookie Policy: PECR and ePrivacy ready
  • Accessibility Statement: WCAG 2.1 AA level
  • Do Not Sell/Share My Info Page: Live with opt-out
  • DSAR Form Page: Live and actively monitored

🍪 SECTION 4: CONSENT MANAGEMENT SYSTEM

App Used: Pandectes GDPR Compliance

  • Geo-targeted banners (UK, EU, US, AU)
  • No non-essential scripts or cookies loaded before consent (strictly necessary cookies only)
  • Consent logs with timestamps
  • DSAR form built-in
  • Global Privacy Control respected
  • Multi-language support
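Two of the items above, no non-essential scripts before consent and Global Privacy Control respected, can be enforced server-side as well as in the banner, which is what makes them auditable. The Python below is an added example for this page, not Pandectes or CliniciansCheck code: it reads the request's Cookie and Sec-GPC headers plus the geo-derived banner region, applies an opt-in default for UK/EU and an opt-out default for US/AU, lets a GPC signal override sale/sharing and marketing even against an earlier on-site "yes" (as the CPRA regulations require), and then renders only the script tags whose category is allowed. The cc_consent cookie name and its category:0|1 format, the region-to-regime mapping and the script URLs are assumptions.

```python
"""Server-side consent gate honouring regional defaults and Global Privacy Control.

Added example for this page (not Pandectes or CliniciansCheck code). The
cc_consent cookie name and its 'category:0|1' format, the region-to-regime
mapping and the script URLs are assumptions made for this illustration.
"""
from http.cookies import SimpleCookie

CATEGORIES = ("analytics", "marketing", "sale_or_share")

# Assumed regime per banner region. Opt-in regions (PECR / ePrivacy) load only
# strictly necessary scripts until the user consents; opt-out regions (CCPA/CPRA
# style) may load by default but must honour opt-outs and the GPC signal.
REGIME = {"UK": "opt_in", "EU": "opt_in", "US": "opt_out", "AU": "opt_out"}

def parse_consent_cookie(cookie_header):
    """Return {category: bool} recorded in the assumed cc_consent cookie, {} if absent."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "cc_consent" not in jar:
        return {}
    recorded = {}
    for part in jar["cc_consent"].value.split(","):
        name, _, flag = part.partition(":")
        if name in CATEGORIES and flag in ("0", "1"):
            recorded[name] = flag == "1"
    return recorded

def resolve_consent(headers, region):
    """Decide which script categories this response may include.

    headers: request headers as a dict (looked up case-insensitively here).
    region:  banner region from the geo lookup, e.g. 'UK', 'EU', 'US', 'AU'.
    """
    h = {k.lower(): v for k, v in headers.items()}
    recorded = parse_consent_cookie(h.get("cookie"))
    regime = REGIME.get(region, "opt_in")          # unknown region: fail closed
    gpc = h.get("sec-gpc", "").strip() == "1"       # browser-sent Global Privacy Control

    allowed = {"necessary": True}
    for cat in CATEGORIES:
        if cat in recorded:
            allowed[cat] = recorded[cat]           # an explicit choice beats the regional default
        else:
            allowed[cat] = regime == "opt_out"     # opt-in regions default to off
    # Sec-GPC: 1 is a valid opt-out of sale/sharing and cross-context advertising.
    # The CPRA regulations require it to be processed even when it conflicts with
    # an earlier on-site "yes", so it overrides; it never grants consent.
    if gpc:
        allowed["sale_or_share"] = False
        allowed["marketing"] = False
    return allowed

# Assumed script inventory, keyed by the category that must be allowed before it renders.
SCRIPTS = {
    "necessary": ['<script src="/assets/cart.js"></script>'],
    "analytics": ['<script src="https://analytics.example/tag.js"></script>'],
    "marketing": ['<script src="https://ads.example/pixel.js"></script>'],
}

def render_scripts(allowed):
    """Emit only the tags whose category is allowed; withheld tags never reach the browser."""
    return [tag for cat, tags in SCRIPTS.items() if allowed.get(cat) for tag in tags]

if __name__ == "__main__":
    for region, hdrs in [("EU", {}), ("US", {}), ("US", {"Sec-GPC": "1"}),
                         ("UK", {"Cookie": "cc_consent=analytics:1,marketing:0"})]:
        decision = resolve_consent(hdrs, region)
        print(region, hdrs, decision, len(render_scripts(decision)), "script(s)")
```

Withholding the tag server-side is stronger than a banner that injects scripts after a click: a crawler or a user with JavaScript disabled sees exactly what the consent record says, and the decision is reproducible from the logged headers when a regulator asks why a pixel fired.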

🧰 SECTION 5: TOOLS & APPS INSTALLED

App Name | Function | Compliance Purpose
ShopProtect | Bot & form protection | Protects against scraping and fake signups (GDPR Art. 32, security of processing)
Rewind Backups | Daily backup system | Data integrity and availability (GDPR Art. 5(1)(f), Art. 32)
Pandectes GDPR Compliance | Cookie banner + DSAR | Consent, logging, GPC signals (GDPR, PECR, CCPA)
Stripe / PayPal | Payments | PCI DSS Level 1 service providers; CliniciansCheck stores no card data

📊 SECTION 6: USER RIGHTS MANAGEMENT

  • ✅ DSAR form: access, delete, export, correct
  • ✅ Do Not Sell/Share Page: opt-out process
  • ✅ Global Privacy Control respected
  • ✅ Email-based escalation for sensitive requests
  • ✅ Identity verification protocol in place

🔍 SECTION 7: AUDIT & MONITORING PLAN

  • Monthly: Admin access & backup audits
  • Quarterly: App permissions & partner reviews
  • Bi-annually: Accessibility review (WCAG)
  • Annually: Legal documentation updates
  • Ongoing: Staff data training

✅ SECTION 8: FINAL COMPLIANCE CHECKLIST

  • ✅ TLS (HTTPS) Enforced Site-Wide
  • ✅ PCI-Compliant Payments
  • ✅ Two-Factor Admin Authentication
  • ✅ Rewind Daily Backups
  • ✅ Bot & Form Protection via ShopProtect
  • ✅ Published Privacy & Cookie Policies
  • ✅ Script Blocking Until Consent
  • ✅ DSAR Process Available
  • ✅ GPC Signals Honored
  • ✅ Cookie Preferences Managed Per Region
  • ✅ Accessibility Features (WCAG 2.1 AA)

📌 SECTION 9: WHY WE ARE FULLY COMPLIANT

CliniciansCheck is fully aligned with global data protection standards and demonstrates strong operational, legal, and technical safeguards. We:

  • Implement lawful and transparent data collection
  • Provide access, correction, and deletion controls to users
  • Prevent cookie tracking unless consent is given
  • Offer clear and visible Do Not Sell/Share options
  • Back up all data securely and audit access logs
  • Ensure multilingual, mobile-ready compliance features

Our Alignment with ISO/IEC 27001

While CliniciansCheck is not yet ISO/IEC 27001 certified, we actively align with the standard’s key controls for Information Security Management Systems (ISMS). Below is a summary of how we meet the principles of ISO 27001 and are progressing toward full certification.

Annex A Domain (2013 numbering) | Control Area | CliniciansCheck Alignment | Status
A.5 | Information Security Policies | Privacy, cookie, and legal policies publicly published and regularly updated | ✅
A.6 | Organisation of Information Security | 2FA implemented; admin permissions role-based and restricted | ✅
A.8 | Asset Management | Automated backups with Rewind, secure data storage, and minimal data retention | ✅
A.9 | Access Control | Access to sensitive data is strictly limited to verified admin personnel | ✅
A.10 | Cryptography | All data in transit encrypted with TLS across the whole site | ✅
A.12 | Operations Security | Bot protection, consent-based tracking, security audits & permission reviews in place | ✅
A.16 | Information Security Incident Management | Backup restoration capability enabled via Rewind; incident escalation process in development | ⚙️
A.18 | Compliance | Meets GDPR, CCPA, PECR, and the ePrivacy Directive with legal transparency | ✅

Domain numbers follow the ISO/IEC 27001:2013 edition of Annex A; the 2022 edition regroups the same controls under four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological).

Contact: operationsteam@clinicianscheck.com
Address: 2 Harley Street, London, W1G 9PA, United Kingdom

ISO/IEC 27001 Compliance & Information Security Framework

Date Prepared: March 24, 2025
Prepared by: Internal Compliance & Operations Team

Our Commitment

CliniciansCheck is aligned with ISO/IEC 27001 standards to protect the confidentiality, integrity, and availability of data related to patients, clinicians, and business operations. This framework underpins our global compliance and forms the basis of our readiness for certification.

Core Security & Compliance Measures

  • Information Security Policy: Applies across all staff, systems, and third-party platforms.
  • Risk Assessment & Register: Reviewed quarterly, covering clinical, operational, and technical risk areas.
  • Statement of Applicability: All applicable ISO 27001 Annex A controls fully mapped and implemented.
  • Access Control Policy: Role-based access and 2FA enforced platform-wide.
  • Incident Response Plan (A.16): Full protocol for breach management, including notification to the supervisory authority within 72 hours of becoming aware of a reportable breach (GDPR Art. 33).
  • Business Continuity & Disaster Recovery: RTO < 6 hrs with full encrypted backups (Rewind, Jotform).
  • Data Classification Policy: Based on risk: Public, Internal, Confidential, PHI.
  • Supplier Risk Register: Full vetting of partners and third-party providers.
  • Staff Security Training: Tracked by role with bi-annual refresh cycles.

Global Alignment Achieved

  • ✅ UK & EU GDPR Compliant
  • ✅ HIPAA-aligned for US patient data
  • ✅ Australian Privacy Act Ready
  • ✅ CCPA / CPRA Opt-Out Systems in Place
  • ✅ Digital Services Act (EU/UK) Accessibility Measures Met
  • ✅ PECR & ePrivacy Directive Cookie Consent Logs Active

Next Steps

We are fully ISO 27001 aligned and ready for third-party certification. All documentation is maintained, audited, and accessible for regulators, insurers, NHS, and global partners upon request.

Contact: operationsteam@clinicianscheck.com
Registered Office: 2 Harley Street, London, W1G 9PA, UK

CQC Alignment & Clinical Governance

Prepared: March 24, 2025
Team: Clinical Compliance & Operations

Our Commitment to Safe, Effective Care

CliniciansCheck is fully aligned with the UK Care Quality Commission (CQC) framework for delivering safe, effective, caring, responsive, and well-led services. While we are not a direct care provider, our platform has been architected to meet or exceed all relevant standards expected of regulated healthcare technology environments.

How We Meet the 5 Key CQC Domains

  • Safe: Encrypted data storage (GDPR-compliant, HIPAA-aligned), identity verification, role-based access controls, breach response plans, and audit logs are in place to protect patient safety and data integrity.
  • Effective: Intelligent patient intake forms, clinical matching algorithms, multilingual access, medical document uploads, outcome tracking workflows, and clear scope-of-care disclaimers.
  • Caring: Inclusive design with WCAG 2.1 AA standards, support for disability declarations, and multilingual interfaces. Patients provide informed consent, and personalisation respects dignity and cultural needs.
  • Responsive: Patients select preferred language, communication method, time zone, and service type. Emergency contact and safeguarding questions built into the intake form enable responsive triage.
  • Well-Led: Governance oversight from senior operations and clinical compliance team. Staff receive ongoing training, documentation is reviewed quarterly, and transparency tools (Privacy Policy, Do Not Sell, DSAR) are live and accessible.

Additional Governance & Compliance Measures

  • Fully supports Equality Act 2010 and NHS safeguarding protocols
  • Accessibility reviewed bi-annually (WCAG 2.1 AA)
  • Monthly internal security and risk audits
  • Global compliance including GDPR, CCPA, the Australian Privacy Act and the EU Digital Services Act, with HIPAA-aligned handling of US health data
  • Supports ISO 27001-aligned practices including audit trail, access management, and incident response

Documentation & Readiness

We maintain a full internal compliance and security documentation suite, accessible upon request for enterprise buyers, regulatory authorities, or NHS/public sector procurement frameworks.

Contact for Documentation or CQC-Aligned Audit Trail:
operationsteam@clinicianscheck.com

HIPAA Compliance & Secure Health Data Practices

Prepared: March 24, 2025
Team: Clinical Compliance & Information Governance

Our Commitment to HIPAA-Aligned Healthcare Operations

CliniciansCheck is fully aligned with the Health Insurance Portability and Accountability Act (HIPAA) and follows the key privacy and security rules required to protect health data. While headquartered in the UK, our platform is built to serve global healthcare needs, including U.S.-based patients and providers who expect HIPAA-level compliance.

How We Meet HIPAA Security & Privacy Rule Requirements

  • 🔒 Encryption: All patient health data is encrypted in transit with TLS and encrypted at rest by the storage provider (Jotform, HIPAA-enabled Gold tier account). TLS protects only data in motion; at-rest protection relies on the provider's storage encryption.
  • 🧾 Consent Management: All patients provide explicit consent to store and process personal health information via checkbox confirmation and e-signature.
  • 🔐 Access Controls: Access to PHI is restricted via role-based permissions and is only accessible to authorised staff or assigned clinicians.
  • 📜 Audit Trails: Every submission and form update is logged with user, timestamp, and data modification record.
  • 📂 Data Backup & Recovery: Rewind Backups and native platform backups are used to maintain integrity and availability of clinical data.
  • 📧 Secure Communication: PHI is never transmitted via email. Instead, encrypted dashboards and portals are used for data review and patient management.
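The audit-trail item above (who changed what, and when) only carries weight at a HIPAA or ISO 27001 review if the trail itself cannot be quietly edited after the fact. The Python below is an added example for this page, not Jotform or CliniciansCheck code: each entry carries an HMAC over its own fields and the previous entry's HMAC, so deleting, reordering or rewriting any past entry is detected by verify_chain(). Only field names are logged, never PHI values, so the log is not a second copy of the data it protects. The key, actors, record identifiers and timestamps are placeholders.

```python
"""Tamper-evident audit trail for PHI access and edits.

Added example for this page (not Jotform or CliniciansCheck code). Each entry
is chained to the previous one with an HMAC so that deleting, reordering or
editing a past entry breaks verification. Key, actors and ids are placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# In production this key lives in a secrets manager / KMS, not in source.
AUDIT_KEY = b"placeholder-audit-key-rotate-me"
GENESIS = "0" * 64

def _canonical(entry):
    """Stable byte serialisation of an entry minus its own mac."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _mac(entry):
    return hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()

def append_entry(log, actor, action, record_id, fields_changed=(), when=None):
    """Append an entry recording WHO did WHAT to WHICH record and WHEN.

    Only field names are logged, never the PHI values themselves.
    """
    prev = log[-1]["mac"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": (when or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "action": action,
        "record_id": record_id,
        "fields_changed": sorted(fields_changed),
        "prev": prev,
    }
    entry["mac"] = _mac(entry)
    log.append(entry)
    return entry

def verify_chain(log):
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i                      # gap, deletion or reordering
        if not hmac.compare_digest(_mac(entry), entry.get("mac", "")):
            return False, i                      # content edited after the fact
        prev = entry["mac"]
    return True, None

def build_sample_log():
    """Constructed sample: an intake submission, a clinician view, and an admin edit."""
    t0 = datetime(2025, 3, 24, 9, 0, tzinfo=timezone.utc)
    log = []
    append_entry(log, "patient:p-001", "submit", "intake-4711", ["dob", "medications", "allergies"], t0)
    append_entry(log, "clinician:c-042", "view", "intake-4711", [], t0.replace(minute=15))
    append_entry(log, "admin:a-007", "update", "intake-4711", ["medications"], t0.replace(minute=30))
    return log

def tamper_demo():
    """Show that rewriting history is detected: change who made the edit."""
    log = build_sample_log()
    intact = verify_chain(log)
    log[2]["actor"] = "clinician:c-042"          # attempt to shift blame for the edit
    return intact, verify_chain(log)

if __name__ == "__main__":
    before, after = tamper_demo()
    print("intact before tampering:", before)
    print("after rewriting entry 2:", after)
```

The chain is only as trustworthy as the key: an attacker who can both edit the log and read AUDIT_KEY can recompute every MAC. Hold the key outside the application's normal write path (a signing service or KMS) and periodically anchor the latest MAC somewhere the application cannot modify, such as a write-once bucket or an external ticketing record, so that truncating the tail is detectable too.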

Business Associate Agreement (BAA)

Jotform provides a signed BAA under our HIPAA-compliant enterprise agreement, ensuring platform-level adherence to data security and privacy standards. CliniciansCheck is not itself a HIPAA covered entity; it follows the safeguards and responsibilities that agreement places on it when storing or processing PHI on the platform.

Patient Rights Under HIPAA

  • Right to Access their data (via DSAR form)
  • Right to Request Amendments
  • Right to Confidential Communication
  • Right to Restrict Data Sharing (covered via consent and Do Not Sell Info forms)
  • Right to Receive Notice of Privacy Practices (linked throughout platform)

Security Monitoring & Incident Response

  • Real-time activity monitoring through secure cloud platforms
  • Monthly audit logs review and access verification
  • Designated incident response protocols and reporting procedures

HIPAA + Global Interoperability

Our compliance strategy bridges HIPAA with UK GDPR, Australian Privacy, and global data governance protocols to ensure interoperability and trust, regardless of patient or clinician location.

Contact for HIPAA Documentation or Compliance Review:
operationsteam@clinicianscheck.com

CliniciansCheck Compliance Update

We are excited to announce that CliniciansCheck has reached a major milestone in our journey towards a **SOC 2** report. After thorough preparation and the implementation of rigorous data protection and security measures, we are now ready for our **SOC 2 examination**. We are in the final stages of engaging an **independent service auditor** (a licensed CPA firm, as SOC 2 requires) to examine our controls and issue the report.

What We Have Done So Far:

Our team has worked diligently to ensure that CliniciansCheck is aligned with the highest standards for data security, privacy, and compliance. Here's a summary of the steps we've taken:

  • Information Security Policy: We’ve formalized and implemented a robust Information Security Policy, covering all critical aspects of data protection, access control, and data integrity. This policy aligns with **ISO 27001**, **HIPAA**, and **GDPR** standards to ensure secure handling of all sensitive data.
  • Risk Assessment & Mitigation: We’ve established a comprehensive **risk management framework**, regularly assessing potential risks to patient and clinical data. Our **Risk Register** is continuously updated to mitigate risks and ensure the ongoing security and availability of our platform.
  • Statement of Applicability (SoA): We’ve created a **Statement of Applicability**, which details the security and privacy controls in place at CliniciansCheck. This document is aligned with **ISO 27001** and SOC 2 trust service criteria, confirming that we have met all applicable standards for the protection of user data.
  • Access Control: Our platform employs **role-based access controls** (RBAC), ensuring that only authorized personnel can access sensitive data. **Multi-factor authentication (MFA)** is required for all critical system access to prevent unauthorized access.
  • Incident Response Plan: A clear and actionable **Incident Response Plan** has been developed to address data breaches and security incidents. This plan ensures that we can respond quickly, minimize the impact of security incidents, and comply with data breach notification requirements such as those in **GDPR** and **HIPAA**.
  • Business Continuity & Disaster Recovery: We’ve implemented a comprehensive **disaster recovery plan** and **business continuity protocols** to ensure the availability of critical systems and data in the event of an emergency. Regular backups and a 6-hour **Recovery Time Objective (RTO)** are in place to safeguard against downtime.

Our Next Steps

With these comprehensive measures in place, we are confident in our readiness for the **SOC 2 audit**. Our next steps include:

  • Engaging a Service Auditor: We are currently selecting a qualified independent CPA firm to conduct our SOC 2 examination. This step will confirm that our practices align with the SOC 2 trust services criteria for **security**, **availability**, **processing integrity**, **confidentiality**, and **privacy**.
  • Audit Preparation: Our team is finalizing all necessary documentation, including detailed reports on our security controls, risk assessments, and incident management procedures. This will ensure that the assessor has all the necessary information to complete the audit efficiently.

Why SOC 2 Matters

A **SOC 2** report demonstrates our commitment to maintaining the highest standards of **security** and **privacy** for our clients and partners. It provides an independent third-party examination of our data security and privacy controls, assuring our users that their sensitive data is handled with the utmost care.

As we move forward, we will continue to prioritize transparency, security, and compliance to protect our users’ data and uphold the trust placed in us. We’ll keep our community updated as we progress through the examination and receive our SOC 2 report.

For any inquiries regarding our compliance or to request documentation, please contact our **Compliance Team** at operationsteam@clinicianscheck.com.

✅ **PCI DSS Compliant**

At **CliniciansCheck**, we are fully committed to securing payment card data and maintaining **PCI DSS** compliance to protect against fraud and safeguard sensitive customer payment information. As an e-commerce platform powered by **Shopify** with integrated **PayPal** and **Shopify Payments**, we ensure that every transaction on our platform is processed securely and in line with industry standards.

Our PCI DSS Compliance Journey

We have actively implemented all necessary security measures to ensure our platform meets **PCI DSS** standards. Here’s a breakdown of the work we’ve completed so far and our commitment to ongoing compliance:

  • Shopify Payments & PayPal Integration: We rely on **Shopify Payments** and **PayPal**, both of which are fully **PCI DSS compliant**. These platforms provide secure transaction processing that protects your payment information during every stage of the transaction.
  • Encryption: **TLS encryption** protects cardholder data while it is in transit from the customer's browser to the payment provider. Because card details are entered in Shopify Payments' and PayPal's own checkout fields, they are not transmitted to or stored on CliniciansCheck systems.
  • Firewalls & Security Systems: Our systems, hosted on Shopify, are safeguarded with **firewalls** and **intrusion detection systems (IDS)** that protect against unauthorized access and external threats. Regular monitoring ensures the integrity of our data security.
  • Access Control Measures: We have established strict **role-based access control (RBAC)**, where only authorized staff can view payment records, which contain payment tokens and order details rather than card numbers. Additionally, we enforce **multi-factor authentication (MFA)** for all system access to add an extra layer of security.
  • Tokenization: Our payment providers replace card numbers with **tokens** at the point of entry; CliniciansCheck receives and stores only the token, so a compromise of our systems would not expose card numbers.
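Outsourcing card entry to Shopify Payments and PayPal is what keeps stored cardholder data out of CliniciansCheck's PCI DSS scope, but the claim still needs checking, because card numbers leak in through support notes, free-text form fields and debug logs rather than through the checkout. The Python below is an added example for this page (not Shopify, PayPal or CliniciansCheck code): it finds 13 to 19 digit runs in text, applies the Luhn check to separate real card numbers from order numbers and timestamps, and reports any hit masked to BIN and last four. The log lines are constructed; 4111 1111 1111 1111 is a published Visa test number.

```python
"""Scan merchant-side text (logs, support notes, form exports) for card numbers.

Added example for this page (not Shopify, PayPal or CliniciansCheck code). A
merchant that outsources card entry to its payment providers should never hold
a PAN; this scan is the check that the claim holds. The log lines are constructed.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check over a string of ASCII digits; weeds out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(pan):
    """PCI DSS display rule: at most the first six (BIN) and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text):
    """Return (masked_pan, offset) for every Luhn-valid 13-19 digit candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((mask(digits), m.start()))
    return hits

def scan_lines(lines):
    """Return (line_number, masked_pan) for each PAN found; an empty list means clean."""
    return [(n, masked) for n, line in enumerate(lines, 1) for masked, _ in find_pans(line)]

# Constructed log: a tokenised payment (fine), a card number pasted into a support
# note (the leak this scan exists to catch), and a phone number (a false-positive trap).
SAMPLE_LOG = [
    '2025-03-24T09:30:15Z order=1234567890123456 payment=tok_9f8e7d6c5b4a status=paid',
    '2025-03-24T09:31:02Z support_note="patient called, card 4111 1111 1111 1111 declined, retry later"',
    '2025-03-24T09:32:40Z phone=+44 20 7946 0000 callback requested',
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LOG):
        print(f"line {lineno}: cardholder data found: {masked}")
```

Run it over exported support tickets, intake-form submissions and application logs before each SAQ review; a single hit means the "no cardholder data stored" statement on the attestation is false and the affected record must be purged and the ingress closed. The scanner itself never writes the full number anywhere, which matters because a DLP tool that logs what it finds becomes the new place cardholder data is stored.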

Ongoing Efforts and Compliance Monitoring

We are committed to maintaining a secure environment. Our **PCI DSS compliance** is a continuous process, with the following actions in place:

  • Regular Security Audits & Assessments: We perform internal audits and assessments to monitor compliance and security gaps. The most recent internal audit was conducted on March 1, 2025, ensuring that our security controls are up-to-date and effective.
  • Self-Assessment: We are completing our **PCI DSS Self-Assessment Questionnaire (SAQ)**, last reviewed on March 10, 2025, and finalising the accompanying **Attestation of Compliance (AOC)** with a **third-party Qualified Security Assessor (QSA)**. Merchants are not "certified" under PCI DSS; compliance is evidenced by the completed SAQ and signed AOC, renewed annually.
  • Continuous Monitoring: We utilize **real-time security monitoring** to detect and respond to any security threats promptly. Regular penetration testing and vulnerability scanning are conducted quarterly to identify and address any weaknesses in our infrastructure.

Our Commitment to You

With **Shopify Payments** and **PayPal** as our payment providers, we leverage their **PCI DSS-compliant** frameworks to process payments securely. In addition to these platforms, CliniciansCheck has proactively taken significant steps to ensure that payment data is handled with the utmost care.

We are committed to completing our **PCI DSS Attestation of Compliance** and will continue to monitor, update, and refine our security practices to stay ahead of evolving security threats. **The signed AOC is expected to be finalized by April 2025**, and we will update our clients once it is in place.

Key Milestones:

  • March 1, 2025: Internal audit and system review completed.
  • March 10, 2025: **PCI DSS Self-Assessment Questionnaire** reviewed and updated.
  • April 2025: Expected completion of the **PCI DSS Attestation of Compliance**.

If you have any questions regarding our **PCI DSS compliance** or would like more information, please don’t hesitate to contact our **Compliance Team** at operationsteam@clinicianscheck.com.

✅ **Cyber Essentials Aligned**

At **CliniciansCheck**, we are fully committed to securing our systems and protecting against cyber threats. We are currently in the process of completing **Cyber Essentials Certification**, having already implemented essential cybersecurity measures across our platform. Cyber Essentials assesses five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management.

What We've Done to Ensure Cyber Essentials Compliance:

  • Secure Firewalls: We have implemented **firewalls** to protect our systems from external threats, ensuring that all network traffic is filtered for safety and integrity.
  • User Access Control: Access to sensitive data is strictly controlled via **role-based access controls (RBAC)**. Only authorized staff and clinicians are granted access to patient data, and all access is logged for auditing purposes.
  • Malware Protection: Our systems are protected by **malware detection** software, actively monitoring for any signs of malicious activity or vulnerabilities.
  • Regular Audits and Assessments: We conduct regular **security audits**, including penetration tests and vulnerability scans, to identify and address any potential weaknesses in our infrastructure.
  • Staff Training: All staff are trained on cybersecurity best practices, including phishing prevention, data protection protocols, and how to report suspicious activity.

Next Steps:

We are currently finalizing the last steps of our **Cyber Essentials Certification** and expect to complete the process by **Q2 2025**. In the meantime, we continue to monitor our systems and ensure compliance with the highest standards for data security.

If you have any questions regarding our **Cyber Essentials compliance** or need additional documentation, please contact our **Compliance Team** at operationsteam@clinicianscheck.com.