Security architecture.
A plain-English summary of how Practice Digital secures the healthcare websites we build. Designed to give your data protection officer, ICB digital lead or information-governance team everything they need to sign off — without an hour-long call.
One paragraph
Every Practice Digital site is a static, pre-rendered HTML site served from Cloudflare's UK and EU edge network. There is no PHP, no MySQL and no WordPress — whole categories of vulnerability (SQL injection, plugin RCE) don’t apply. The practice-facing admin portal is a separate application running on Supabase (Postgres with row-level security, magic-link authentication). Patient data is never collected by Practice Digital’s own systems — all patient interactions route to your existing NHS suppliers (NHS App, eConsult, AccuRx, Patchs, SystmOnline, Patient Access) through embedded redirects.
Infrastructure
| Layer | Provider | Certifications | Region |
|---|---|---|---|
| CDN + edge hosting | Cloudflare Pages | SOC 2 Type II, ISO 27001, GDPR-aligned | UK + EU |
| Serverless application | Cloudflare Workers | Same as Cloudflare Pages | UK + EU |
| Database + auth | Supabase | SOC 2 Type II, HIPAA-ready, GDPR-aligned | EU (Frankfurt) |
| Direct Debit collection | GoCardless | FCA-authorised, PCI DSS L1 | UK |
| Transactional email | Resend | SOC 2 Type II | EU |
| AI patient chatbot | Cloudflare Workers AI | SOC 2 Type II, HIPAA-ready | UK + EU |
No data leaves the UK or EU. There are no US-only or other-jurisdiction processors in the stack.
Transport and headers
- HTTPS-only with automatic certificate rotation. TLS 1.3.
- HSTS with preload (max-age 1 year, includeSubDomains)
- Content-Security-Policy with strict allowlist for scripts and styles
- X-Frame-Options: SAMEORIGIN — mitigates clickjacking
- Referrer-Policy: strict-origin-when-cross-origin — minimises referrer leakage
- Permissions-Policy — camera, microphone and geolocation disabled site-wide
- X-Content-Type-Options: nosniff
You can verify these by running `curl -I https://practicedigital.co.uk/` from any terminal.
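The header list above can also be checked mechanically rather than by eye. The following is an added example, not Practice Digital's own code: it parses `curl -I` output and reports every header that does not match the values listed. The sample response is constructed, and reading "strict allowlist" as "no wildcard or 'unsafe-*' source" is this example's assumption.

```python
import re

# Constructed sample of `curl -I` output with three deliberate gaps; not the live site's response.
SAMPLE = (
    "HTTP/2 200\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
    "content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "referrer-policy: strict-origin-when-cross-origin\r\n"
    "permissions-policy: camera=(), microphone=(), geolocation=(self)\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to values (the status line has no colon and is skipped)."""
    pairs = (line.partition(":") for line in raw.splitlines())
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def check_headers(raw):
    """Return findings against the header list above; an empty list means every check passed."""
    h, findings = parse_headers(raw), []
    hsts = [p.strip() for p in h.get("strict-transport-security", "").lower().split(";")]
    age = re.search(r'max-age="?(\d+)', ";".join(hsts))
    if not age or int(age.group(1)) < 31536000:  # one year in seconds
        findings.append("HSTS max-age below one year")
    findings += [f"HSTS missing {d}" for d in ("includesubdomains", "preload") if d not in hsts]

    # Assumption of this example: "strict allowlist" means script and style sources are
    # declared (directly or via default-src) with no wildcard and no 'unsafe-*' keyword.
    csp = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            csp.setdefault(tokens[0].lower(), tokens[1:])
    for d in ("script-src", "style-src"):
        sources = csp.get(d, csp.get("default-src"))
        if sources is None:
            findings.append(f"CSP has no {d} or default-src")
        else:
            findings += [f"CSP {d} allows {s}" for s in sources
                         if s == "*" or s.lower().startswith("'unsafe-")]

    exact = {"x-frame-options": "sameorigin", "x-content-type-options": "nosniff",
             "referrer-policy": "strict-origin-when-cross-origin"}
    findings += [f"{n} is not {v}" for n, v in exact.items() if h.get(n, "").lower() != v]

    perms = dict(p.strip().split("=", 1)
                 for p in h.get("permissions-policy", "").split(",") if "=" in p)
    findings += [f"Permissions-Policy does not disable {f}"
                 for f in ("camera", "microphone", "geolocation") if perms.get(f) != "()"]
    return findings
```

Pass `check_headers` the text printed by the `curl -I` command; for the constructed sample it reports the relaxed `style-src`, the missing `nosniff` header and the geolocation allowlist.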
Application security
- Static-site delivery for patient-facing pages — HTML is pre-rendered, no server-side execution at request time.
- Row Level Security on every Supabase table; admin and practice users can only read their own data.
- Magic-link authentication — no passwords stored. Compromise of one user cannot lead to lateral movement.
- Worker secrets stored in Cloudflare encrypted secret store, never in source code, rotated periodically.
- Webhook signature verification on all GoCardless and Supabase webhook endpoints.
- Atomic deploys with instant rollback — every deploy is a separate immutable revision; rolling back a faulty deploy takes seconds.
- No third-party trackers on customer-facing healthcare websites. No Google Analytics, no Meta pixel, no Hotjar.
Data residency and the GDPR position
All processing of personal data takes place in the UK or EU only. The practice (you) is the data controller for patient data displayed on your website. Practice Digital is the data processor. We have a standard Data Processing Agreement available on request, drafted in line with UK GDPR Article 28 and the ICO’s template clauses.
Personal data we hold about your practice (your practice manager’s contact details, your billing information) is held in Supabase EU. We retain it for the duration of your contract plus 6 years for legal-defence purposes. You can request deletion at any point after contract end via the standard subject-access-request mechanism.
Backup, business continuity and recovery
- Daily database backups retained for 30 days. Point-in-time recovery available.
- Static-site revisions retained indefinitely on Cloudflare Pages. Roll back any deploy to any previous revision in seconds.
- Multi-region Cloudflare edge — if one Cloudflare region is unavailable, traffic automatically routes to another. Uptime SLO 99.9%+.
- Practice content export available on demand at any point of the contract, machine-readable JSON.
Vulnerability disclosure
We follow RFC 9116. Our security disclosure file is at /.well-known/security.txt.
Found a security issue? Please email [email protected] before public disclosure. We aim to acknowledge within one working day and remediate:
- High-severity issues within 14 days
- Medium-severity issues within 30 days
- Low-severity issues on a best-effort basis
We don’t currently offer a paid bug bounty but happily credit reporters publicly with their consent.
Certifications and compliance roadmap
Honestly: Practice Digital is a new company. Our infrastructure inherits the certifications of the providers above (Cloudflare and Supabase are both SOC 2 Type II and ISO 27001 certified). Our own organisation-level certifications are on the following roadmap:
| Certification | Status | Target |
|---|---|---|
| Cyber Essentials | In progress | Q3 2026 |
| Cyber Essentials Plus | Scheduled | Q4 2026 |
| NHS DSP Toolkit (Approaching Standards) | In progress | Q4 2026 |
| NHS DSP Toolkit (Standards Met) | Scheduled | Q1 2027 |
| ISO 27001 | Considered | 2027 |
| External penetration test | Scheduled | Q3 2026 |
If your procurement process requires any of the in-progress certifications to be in place before signing, please talk to us — we can either accelerate a specific certification, partner with you through your ICB’s supplier-assurance team, or honestly tell you we’re not yet the right supplier for your timeline.
Incident response
If we discover a security incident affecting practice data:
- Containment within 4 hours of discovery (revoke credentials, isolate affected systems).
- Initial notification to affected practices within 24 hours via email and phone.
- Written incident report including root cause within 72 hours.
- If personal data is implicated, notification to the ICO within 72 hours of discovery as required by UK GDPR Article 33.
- Full post-incident review and remediation plan within 14 days.
What we ask of you
The single biggest security risk to a practice’s website isn’t the website itself — it’s the practice’s own email and the human side of access management. Practical advice:
- Use a real password manager (1Password, Bitwarden) for practice manager credentials. Don’t share logins.
- Use multi-factor authentication on email and on the Practice Digital portal.
- Tell us immediately if a practice manager leaves so we can revoke their access.
- Use the urgent-publishing feature rather than sharing CMS credentials with locums or temporary staff.
Talk to a clinician.
If your IG team has specific questions, the easiest path is a short message to our clinical lead — a practising NHS GP and partner at Practice Digital. We reply by email within one working day.