Security & compliance

Built for the inspections clinics actually face.

PracticeWise is designed so a compliance officer can answer “who decided what, when, on what evidence” in one click — and so a clinician retains full control over every clinical decision.

UK data residency. Append-only audit. Software where it helps. Clinical judgement where it matters.

01 · How we protect data

Six controls behind every PracticeWise workflow.

These are not aspirations — they are how the platform is configured before a clinic ever logs in. Each control maps to a clause in the standard Data Processing Agreement we sign with clinics.

UK data residency

Patient records, documents and audit logs are processed on UK-region infrastructure. They do not leave the UK.

Encryption at rest and in transit

TLS 1.2+ in transit, AES-256 at rest, database snapshots and backups encrypted with separate keys held in a managed key service.

Append-only audit log

Records can be annotated but never overwritten. Per-patient and per-clinic export to PDF or CSV on demand.

Signed clinical decisions

Every decision is signed by an appropriately qualified clinician — GMC or GPhC reference, timestamp and reason recorded together.

Scoped document access

Uploads (ID, BMI photos, GP letters) are tagged with source, scoped per workflow and visible only to authorised roles.

Point-in-time recovery

Daily encrypted backups with point-in-time recovery up to 30 days. Restore procedure tested during onboarding and rehearsed quarterly.

02 · Audit you can hand to an inspector

Every decision, signed and timestamped.

When the MHRA or CQC asks “who approved this prescription, with what evidence, and against what consent version” — PracticeWise produces the answer from the same record the clinician saw at the time. Nothing is reconstructed from inboxes.

Audit record · illustrative example, not a real patient
  • 2026-04-12 · 14:31 | Dr Anya Bashir · GMC ####### | Approved · BMI ≥ 30 confirmed · consent v3.2 accepted 2026-04-11
  • 2026-04-12 · 14:29 | Reza Mahmoud · PT 8814-2206 | Submitted BMI confirmation photo · auto-verified by admin queue
  • 2026-04-11 · 10:04 | Reza Mahmoud · PT 8814-2206 | Accepted consent v3.2 · GP-notification opt-in confirmed
  • 2026-04-11 · 09:58 | Reza Mahmoud · PT 8814-2206 | Started intake · 24/24 questions answered · 1 clinical flag raised

Exported to PDF or CSV per patient, per workflow or per date range.

03 · The controls in detail

What sits behind the green checks.

Three layers — access, operational, governance. Each maps to a clause in the DPA and to a check in clinic inspection frameworks.

Access control

  • Live: Role-based permissions per clinic (admin · clinician · finance · patient)
  • Live: Single sign-on (SAML 2.0, OIDC) on Clinic Group tier
  • Live: SCIM 2.0 user provisioning on Clinic Group tier
  • Live: Per-clinic data isolation enforced at the database row level
  • Live: MFA required by default on Clinic Operations and above; available on all tiers

Operational security

  • Live: Documented incident response runbook with named on-call roles
  • Live: Internal vulnerability scanning on every deploy
  • Live: Privileged-access review every 90 days
  • Roadmap: Third-party penetration testing on a quarterly cadence · From first production release
  • Roadmap: SOC 2 Type II — observation window scheduled · Target Q4 2026

Governance

  • Live: Written Data Processing Agreement signed with every clinic
  • Live: Per-clinic configurable consent wording and versioning
  • Live: Subject Access Request workflow documented for clinic admins
  • Live: Export formats designed against MHRA, CQC and GPhC inspection requirements
  • Live: Quarterly governance review on Clinic Group tier

Live items are running in production today. Roadmap items are committed for a named release; this page is updated when an item moves between the two. The “Last reviewed” date in the footer reflects the most recent revision.

04 · Sub-processors

Every system that touches data.

A complete list. The application data layer is in London (eu-west-2). The marketing site is the only surface that uses a global edge.

Sub-processor | Role | Region
Vercel Inc. | Marketing-site hosting & CDN | Global edge · UK origin · transfer under UK IDTA
Supabase Inc. | Application database & auth | London (eu-west-2)
Amazon Web Services | Encrypted document storage (S3) | London (eu-west-2)
Resend, Inc. | Transactional email | EU region · US parent · transfer under UK IDTA
Sentry Inc. | Application error reporting (no patient identifiers) | EU region · US parent · transfer under UK IDTA

Where a sub-processor's corporate parent is outside the UK, transfers are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. Clinics receive 30 days' notice of any change to this list. Full processor terms are reviewed during onboarding.

05 · Reporting a security concern

If you find something, tell us.

PracticeWise welcomes responsible disclosure. We aim to acknowledge reports within one working day and triage critical issues the same week.

PGP fingerprint: Available on request
Out-of-scope: Social engineering, physical access, missing rate-limit on non-sensitive routes
Safe harbour: Research carried out in good faith, in scope, and consistent with this policy is not pursued under the Computer Misuse Act 1990. Out-of-scope or destructive testing is not covered.
Book a 30-minute security review

Walk a compliance officer through PracticeWise.

We'll talk through your clinic's data flows, the DPA, the audit export format and the controls relevant to your inspection regime. Bring your questions.