
Prepared by: Internal Compliance & Operations Team

Date: March 24, 2025

Intended for: Regulatory authorities, enterprise partners, insurers, NHS procurement, legal counsel, and data protection officers.

Executive Overview

This report outlines CliniciansCheck’s comprehensive data governance, compliance, and security frameworks in line with internationally recognised laws and standards. Our controls are designed not only to meet minimum legal requirements, but to exceed the expectations of enterprise, public sector, and healthcare stakeholders operating under regulated conditions.

Regulatory & Legal Alignment

CliniciansCheck operates under a global compliance framework aligned with the following key data protection and privacy laws:

  • UK GDPR and EU GDPR

  • UK Data Protection Act 2018

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

  • PIPEDA – Personal Information Protection and Electronic Documents Act (Canada)

  • HIPAA – Health Insurance Portability and Accountability Act (United States)

  • APA – Australian Privacy Act 1988 and Australian Privacy Principles (APPs)

  • LGPD – Lei Geral de Proteção de Dados (Brazil)

  • ePrivacy Directive and PECR (Privacy and Electronic Communications Regulations – UK)

  • Digital Services Act (EU/UK accessibility and transparency measures)

Wherever applicable, these legal frameworks are mapped to internal controls and validated through audit trails, data flow records, DPIAs, and documented risk registers.

ISO/IEC 27001 Information Security Alignment

CliniciansCheck is fully aligned with the control structure and operational expectations of ISO/IEC 27001, and maintains audit-ready documentation across all domains of the standard.

Key Controls Implemented:

  • Information Security Policy: Enforced across all systems, staff, and third-party services

  • Risk Assessment Framework: Operational, clinical, legal, and technical risks reviewed quarterly

  • Statement of Applicability: Full mapping to ISO 27001 Annex A controls

  • Access Control & Identity Management: Role-based permissions, 2FA across systems, least privilege model

  • Incident Response Protocol: Formal breach response process with regulatory notification commitment within 72 hours

  • Business Continuity & Disaster Recovery: RTO under 6 hours, with encrypted, cloud-based backup systems (e.g. Rewind, Jotform)

  • Data Classification Policy: Four-tier structure – Public, Internal, Confidential, and PHI (Protected Health Information)

  • Supplier Due Diligence: Risk-based assessment and contractual safeguards in place for all third-party processors

  • Staff Security Training: Mandatory at onboarding and renewed on a bi-annual basis

Technical & Operational Security Measures

  • Full SSL/TLS encryption for all traffic

  • 256-bit encryption at rest

  • Secure hosting on infrastructure built on PCI-DSS Level 1 certified platforms (e.g. Sharetribe, Shopify, Stripe)

  • Real-time threat detection and intrusion monitoring systems

  • Monthly vulnerability scanning and annual external penetration testing

  • Comprehensive access logging, role-based monitoring, and audit trails

  • Internal data handling and operational access policies aligned with ISO/IEC 27701 (privacy information management)

User Rights & Consent Management

  • Consent Management Platform (CMP) deployed and synchronised with cookie banner and back-end logs

  • Full implementation of DSAR (Data Subject Access Request) tools for all global rights requests

  • Cookie consent aligned with PECR, GDPR, and ePrivacy Directive

  • Do Not Sell or Share My Personal Information opt-out mechanism implemented

  • Support for Global Privacy Control (GPC) signals recognised and respected

  • Consent withdrawals and marketing preferences managed and logged in CRM

Published Legal Policies and Transparency Documentation

  • Global Privacy Policy

  • Global Privacy & Data Transfer Statement

  • Cookie Policy and Tracking Disclosure

  • Terms of Use

  • Accessibility Statement (aligned with WCAG 2.1 AA)

  • Marketplace Terms & Conditions (internal access for clinicians and organisations)

  • DSAR Submission and Process Guidance

All legal documents are version-controlled, actively reviewed quarterly, and made publicly available through the Site's legal footer.

Compliance Auditing & Documentation

Compliance and DPO teams maintain full logs of:

  • Access requests and subject rights interactions

  • Consent logs and opt-outs

  • Breach/incident management events (if any)

  • Vendor and data transfer impact assessments (DTIAs and DPIAs)

  • Risk register updated quarterly

All operational security documentation is subject to internal audit and ready for third-party review.

Third-Party Readiness

CliniciansCheck is actively preparing for formal ISO/IEC 27001 certification, with full alignment already achieved. We maintain a certification roadmap, including internal audits, third-party control testing, and documented process reviews to support formal accreditation by H3 2025.

Contact for Compliance Matters

Data Protection & Compliance Contact

Email: operationsteam@clinicianscheck.com

Registered Office: CliniciansCheck Ltd, 2 Harley Street, London, W1G 9PA, United Kingdom

Final Statement

This Compliance Implementation Report reflects our commitment to excellence in information security, regulatory compliance, and ethical data handling. All processes, systems, and third-party relationships are governed by standards suitable for regulated markets, healthcare procurement frameworks, and high-level enterprise partnerships.

This report is valid as of May 22, 2025, and is subject to revision under CliniciansCheck’s compliance update cycle.