Zaynix Health

Security & compliance

Built UK-native against UK GDPR.

What the platform does, what it doesn't yet do, and what is honestly in progress. We do not claim certifications we don't yet hold.

01 Data architecture.

Encryption at rest

Patient health data is held in Azure-managed PostgreSQL with encryption at rest enabled by default. Documents uploaded to the platform (lab PDFs, clinical letters, images) are held in Azure Blob Storage, also encrypted at rest by default. Encryption is managed by the Azure platform; key rotation and key management follow the Azure managed-key model.

Encryption in transit

TLS 1.2 or higher is enforced on every endpoint. The application is fronted by Azure Container Apps with Cloudflare as the public edge. No HTTP traffic is accepted; HTTPS is mandatory across all platform-to-client and platform-to-service connections.

Access controls

Patient data is reachable only through the authenticated application API. There is no direct database access for non-administrative users. Administrative access to production is restricted, two-factor authentication is required across the codebase repository and the cloud control plane, and no production data is held on developer devices except in explicitly scoped, time-limited testing windows.

Audit logging

Every read, write, edit, and confirmation against a patient record is recorded in an internal audit log alongside the actor, action, resource, and timestamp. Audit entries are retained indefinitely. Patients have the right under UK GDPR Article 15 to request a copy of their audit entries.

Backup and recovery

Azure-managed PostgreSQL backups follow the Azure point-in-time-restore model, retained per the documented retention window. Blob storage is geo-redundant. Recovery procedures are documented internally and tested as part of the regular operational cadence.

02 UK GDPR & ICO posture.

ICO registration

Zaynix Health Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller under reference ZC117578. The registration covers the processing activities described in the platform's privacy notice and Data Processing Agreements.

Joint-controller arrangement

The legal relationship between you (the clinic), the patient, and Zaynix Health is a joint-controller arrangement under UK GDPR Article 26. It is documented in a real, signed Data Processing Agreement — not a marketing slogan. The DPA defines who is responsible for which categories of decision: lawful-basis selection, consent capture, response to subject rights requests, breach notification, and exit/portability obligations.

DPIA and DPA templates

A Data Protection Impact Assessment template is available on request, tailored to the processing your clinic actually does. A Data Processing Agreement is available on request and is the document we sign with every pilot clinic before any patient data is uploaded. Both are provided before signing, not after — counsel review is welcome and expected.

Lawful basis and special category

Standard processing operates under UK GDPR Article 6(1)(b) — performance of a contract. Special category health data (blood test results, diagnoses, medications, BP readings, body measurements, clinical notes) is processed under Article 9(2)(h) — provision of healthcare. AI features that touch patient data are gated behind explicit consent under Article 9(2)(a), captured per-user and revocable at any time from the patient's privacy settings.

Article 22 — automated decisions

The platform does not perform automated decision-making with legal effect within the meaning of UK GDPR Article 22. All AI output is advisory. Every clinical decision remains with a clinician.

Subject rights

Patients can exercise their rights of access, rectification, erasure, restriction, portability, and objection at any time. Subject rights requests are answered within one calendar month, with extensions only where strictly justified under the regulation.

03 Penetration testing.

Penetration testing posture is shared with prospective clinics on request, ahead of signing a Data Processing Agreement. The shared pack includes scope, methodology, vendor, frequency, and the latest report's findings and remediations.

The platform also runs continuous static analysis in CI, dependency-vulnerability scanning, and an internal code review process before any change reaches production. None of these substitute for an external pen test; they raise the floor that the pen test is run against.

04 Certifications.

We are explicit about what we hold today and what is in progress. We do not list certifications we don't yet hold as if they were already in place.

In progress

Cyber Essentials

The UK government-backed Cyber Essentials baseline. Application work is underway; the scheme covers the five technical controls (firewalls, secure configuration, user access control, malware protection, security update management). The certification timeline is shared on request.

On the roadmap

ISO/IEC 27001

Targeted for the first revenue year. The platform's information security policies are already aligned with ISO/IEC 27001:2022 principles, but alignment is not certification. We do not claim certification until an accredited auditor has issued one.

Operating under

UK GDPR Article 32

Article 32 requires "appropriate technical and organisational measures" proportionate to the risk. The platform's policies and controls — encryption, access management, audit, breach response, regular review — are designed to meet that obligation today, with formal certifications progressing as listed above.

05 Business processes.

Vulnerability disclosure

Security researchers, clinicians, and patients who identify a vulnerability can disclose it by email to [email protected]. Reports are acknowledged within two working days and remediated under a coordinated-disclosure timeline that respects both the severity of the finding and the time the platform reasonably needs to fix it safely. We do not pursue good-faith researchers acting within reasonable bounds.

Incident response

The platform follows an internal incident response runbook that defines detection, triage, containment, remediation, communication, and post-incident review. Every step is logged. The runbook is reviewed annually and after any material incident.

Breach notification

Under UK GDPR Article 33, if a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we notify the ICO within 72 hours of becoming aware. The 72-hour clock starts the moment any Zaynix Health employee or contractor becomes aware of the breach — not when it is fully understood. Affected patients and clinics are notified under Article 34 where the breach is likely to result in a high risk.

Consent management

Consent for AI processing of patient data is captured per-user under UK GDPR Article 9(2)(a), versioned (so the patient can see which terms they consented to), and revocable from the patient's privacy settings at any time. Revoking AI consent does not break the rest of the platform — non-AI features remain fully usable.

Subprocessors

The current list of subprocessors (cloud, AI, authentication, email, payments) is provided in the Data Processing Agreement. We notify clinics in advance of any material change to the subprocessor list, with a reasonable window to object before the change takes effect.

06 Request a review pack.

We share the security and compliance pack with prospective clinics before signing. It includes the DPIA template, draft DPA, current security posture (encryption, access, audit, pen-test status), and an introductory call with whoever in your practice owns these decisions.
