Effective Date: May 23, 2025

1. Purpose
This Security & Data Protection Policy outlines CliniciansCheck Ltd’s commitment to safeguarding all personal, clinical, and business data across its global platform. It details the administrative, technical, and physical security measures implemented to ensure data confidentiality, integrity, and availability in compliance with global legal and ethical standards.

2. Scope
This policy applies to all data processed, transmitted, or stored through the CliniciansCheck platform, including but not limited to:

  • Patient and user data
  • Clinician and seller data
  • Transactional records
  • Communications and metadata
  • AI-generated logs and outputs

It governs all staff, contractors, partners, and third-party providers with access to Platform systems or data.

3. Legal & Framework Alignment
CliniciansCheck is compliant with:

  • UK GDPR & EU GDPR
  • HIPAA (USA)
  • NHS Digital and DSPT requirements
  • ISO/IEC 27001: Information Security Management
  • NIST Cybersecurity Framework
  • OECD Privacy Guidelines
  • EU AI Act and NHS AI Code of Conduct (AI Data Protections)

4. Security Controls
4.1. Data Encryption
All data is encrypted at rest using AES-256.

All data in transit is secured via TLS 1.3 or higher.

Encrypted backups are performed daily and retained securely.

4.2. Access Controls
Role-based access control (RBAC) is enforced in line with least-privilege principles.

Multi-factor authentication (MFA) is mandatory for all privileged users.

User sessions auto-expire after defined inactivity thresholds.

4.3. Network and Infrastructure Security
Firewalls, DDoS protection, and endpoint threat detection systems are in place.

Regular penetration testing is performed by certified external security specialists.

Cloud infrastructure complies with SOC 2, ISO 27001, and CIS Benchmarks.

4.4. Physical Security
Data centers are certified to ISO 27001 and SOC 2.

Access is monitored, logged, and restricted to authorized personnel only.

5. Data Governance & Integrity
5.1. Logging & Monitoring
Continuous system monitoring, audit logging, and intrusion detection systems are active.

All access to personal or clinical data is logged and traceable.

5.2. Data Classification
Data is classified by risk level (Confidential, Restricted, Public) with safeguards aligned to classification.

5.3. Change Control
Platform code and infrastructure changes undergo peer review, change management, and rollback readiness checks.

6. Staff Training & Access
All staff undergo mandatory annual security awareness and data protection training.

Access to sensitive data is strictly controlled and reviewed quarterly.

7. Vendor & Third-Party Risk
All third-party services are subject to vendor risk assessments.

Data processing agreements (DPAs) are in place with all sub-processors.

AI or analytics vendors must provide proof of compliance with security, privacy, and AI safety standards.

8. Incident Response
A formal Incident Response Plan is in place and reviewed annually.

Breaches will be reported within 72 hours per GDPR and other applicable regulations.

Data subjects will be notified if their rights or privacy are materially impacted.

9. Data Minimization & Retention
Only data necessary for platform function or legal basis is collected.

Retention schedules comply with GDPR, HIPAA, and local health record mandates.

Data is securely deleted after the retention period or upon verified request.

10. User Rights & Transparency
Users can request access, correction, deletion, or export of their data via the Data Subject Request Form.

Privacy controls are built into the platform UI for consent and visibility management.

11. Audit & Review
Annual third-party audits verify compliance with this policy.

Internal reviews are conducted quarterly by the Compliance & Information Governance team.

Audit findings are tracked to resolution and improvement.

12. Contact
For data security concerns, contact:

Data Protection Officer

CliniciansCheck Ltd

2 Harley Street, London, W1G 9PA, United Kingdom

operationsteam@clinicianscheck.com

This policy is legally binding and forms part of our Terms of Service. It reflects CliniciansCheck’s gold-standard commitment to safeguarding the integrity of clinical and user data across borders.

13. Cross-Border Data Transfers
To comply with international transfer obligations:

All cross-border data flows are governed by appropriate safeguards including Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs), or Binding Corporate Rules (BCRs) where required.

Transfers outside the UK, EU, or other data-adequate jurisdictions are risk-assessed and documented with supplementary controls as required under Schrems II and related rulings.

CliniciansCheck will publish a list of third countries receiving data upon request.

14. AI-Specific Data Controls
Due to the Platform’s use of AI in health and wellness contexts:

All training data used in AI development is either synthetic, anonymized, or lawfully obtained under valid consent or contractual terms.

AI outputs influencing healthcare decisions must be logged, time-stamped, and reviewable under regulatory audit.

CliniciansCheck prohibits “black box” AI for clinical decision-making — explainability and auditability are enforced.

15. Children's Data Safeguards
Where data of minors is processed:

  • Parental or legal guardian consent is required for users under the age of 16 (or the local equivalent age).
  • Data of minors is segregated, encrypted, and reviewed under stricter access and retention policies.
  • CliniciansCheck does not use children's data for profiling, marketing, or algorithm training.

16. Breach Notification Protocol (Expanded)
For clarity on transparency obligations:

Data subjects will be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Notifications include: nature of breach, contact point, potential consequences, and remediation measures.

All incidents are recorded in an internal Breach Log maintained for regulatory audit.

17. Zero Trust & Confidential Computing (Futureproof Provision)
CliniciansCheck is committed to adopting advanced models including:

  • Zero Trust Architecture: identity-verified, context-aware access.
  • Confidential computing: encryption of data during processing (not just in transit or rest) for sensitive workloads.

18. Statement of Alignment
This policy is aligned with the principles of privacy by design and default, and supports regulatory compliance under the ICO (UK), EDPB (EU), HHS (US), and future global AI and data governance frameworks including the UN AI Ethics Guidelines and G7 Data Free Flow with Trust (DFFT) principles.

Security Contact Hours & Escalation Matrix
The Security team is reachable Mon–Fri, 08:00–18:00 UKT. Critical breaches are escalated within 1 hour to the DPO and CTO.

Post-Incident Public Disclosure Policy
Significant security events may be disclosed publicly via official statements or regulator-required notifications, where appropriate.

Automated Threat Intelligence Feed Subscription
CliniciansCheck participates in global threat intelligence exchange platforms and continuously updates its threat models accordingly.