Built for the inspections clinics actually face.
Clineso is designed so a compliance officer can answer “who decided what, when, on what evidence” in one click — and so a clinician retains full control over every clinical decision.
UK data residency. Append-only audit. Software where it helps. Clinical judgement where it matters.
Six controls behind every Clineso workflow.
These are not aspirations — they are how the platform is configured before a clinic ever logs in. Each control maps to a clause in the standard Data Processing Agreement we sign with clinics.
UK data residency
Patient records, documents and audit logs are processed on UK-region infrastructure. They do not leave the UK.
Encryption at rest and in transit
TLS 1.2+ in transit, AES-256 at rest, database snapshots and backups encrypted with separate keys held in a managed key service.
Append-only audit log
Records can be annotated but never overwritten. Per-patient and per-clinic export to PDF or CSV on demand.
Signed clinical decisions
Every decision is signed by an appropriately qualified clinician — GMC or GPhC reference, timestamp and reason recorded together.
Scoped document access
Uploads (ID, BMI photos, GP letters) are tagged with source, scoped per workflow and visible only to authorised roles.
Point-in-time recovery
Daily encrypted backups with point-in-time recovery up to 30 days. Restore procedure tested during onboarding and rehearsed quarterly.
Every decision, signed and timestamped.
When the MHRA or CQC asks “who approved this prescription, with what evidence, and against what consent version” — Clineso produces the answer from the same record the clinician saw at the time. Nothing is reconstructed from inboxes.
- 2026-04-12 · 14:31Dr Anya Bashir · GMC #######Approved · BMI ≥ 30 confirmed · consent v3.2 accepted 2026-04-11
- 2026-04-12 · 14:29Reza Mahmoud · PT 8814-2206Submitted BMI confirmation photo · auto-verified by admin queue
- 2026-04-11 · 10:04Reza Mahmoud · PT 8814-2206Accepted consent v3.2 · GP-notification opt-in confirmed
- 2026-04-11 · 09:58Reza Mahmoud · PT 8814-2206Started intake · 24/24 questions answered · 1 clinical flag raised
Exported to PDF or CSV per patient, per workflow or per date range.
What sits behind the green checks.
Three layers — access, operational, governance. Each maps to a clause in the DPA and to a check in clinic inspection frameworks.
Access control
- LiveRole-based permissions per clinic (admin · clinician · finance · patient)
- LiveSingle sign-on (SAML 2.0, OIDC) on Clinic Group tier
- LiveSCIM 2.0 user provisioning on Clinic Group tier
- LivePer-clinic data isolation enforced at the database row level
- LiveMFA required by default on Clinic Operations and above; available on all tiers
Operational security
- LiveDocumented incident response runbook with named on-call roles
- LiveInternal vulnerability scanning on every deploy
- LivePrivileged-access review every 90 days
- RoadmapThird-party penetration testing on a quarterly cadence — From first production release
- RoadmapSOC 2 Type II — observation window scheduled — Target Q4 2026
Governance
- LiveWritten Data Processing Agreement signed with every clinic
- LivePer-clinic configurable consent wording and versioning
- LiveSubject Access Request workflow documented for clinic admins
- LiveExport formats designed against MHRA, CQC and GPhC inspection requirements
- LiveQuarterly governance review on Clinic Group tier
Live items are running in production today. Roadmapitems are committed for a named release; this page is updated when an item moves between the two. The “Last reviewed” date in the footer reflects the most recent revision.
Every system that touches data.
A complete list. The application data layer is in London (eu-west-2). The marketing site is the only surface that uses a global edge.
Where a sub-processor's corporate parent is outside the UK, transfers are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. Clinics receive 30 days' notice of any change to this list. Full processor terms are reviewed during onboarding.
If you find something, tell us.
Clineso welcomes responsible disclosure. We aim to acknowledge reports within one working day and triage critical issues the same week.
The seven that always come up.
Each answer is the verbatim line we'll give in a security review. Cite us in a procurement brief; the answers are designed to stand alone.
All patient records, documents and audit logs are stored in the United Kingdom — Supabase (London / eu-west-2) region. Patient data does not leave the UK. Daily encrypted backups with point-in-time recovery up to 30 days.
No. Clineso routes work and structures records — it does not generate, suggest, or approve clinical decisions. We are deliberately outside the MHRA medical device classification. Every clinical decision is made by an appropriately qualified clinician and signed with their GMC or GPhC reference.
Yes. Rajoka Limited (company number 12069067) is the data controller for the marketing website and the data processor for clinic-deployed instances under a written Data Processing Agreement. UK data residency, encryption at rest (AES-256) and in transit (TLS 1.3), append-only audit logs retained for 7 years.
AI-enabled where it helps: intake summarisation, document routing, follow-up reminders. Clinical decisions stay with the clinician. AI is bounded to four specific jobs and never makes recommendations, triages patient risk, prescribes, doses, counsels, or is presented to the patient as a clinician. Patient data is not used to train models.
Supabase (database, London eu-west-2), Vercel (hosting, eu-west), Anthropic (AI summarisation — opt-in only, no training on customer data), Stripe (payments, where the Payments module is enabled), Twilio (SMS, where the SMS add-on is enabled), Resend (transactional email). The live list is published at clineso.com/security#subprocessors with 30 days notice of any change under the DPA.
Yes. Audit logs are append-only, exportable to PDF or CSV per patient, per workflow, or for a date range. CQC, MHRA and GPhC inspection formats are supported on the Practice and Group tiers. Every signed entry carries the clinician's regulator reference (GMC / GPhC / GDC / NMC / HCPC).
Report security issues to security@clineso.com. We acknowledge within one working day, triage within five, and disclose remediated issues publicly within 90 days with researcher credit. We do not run a paid bug-bounty programme at this stage.
Walk a compliance officer through Clineso.
We'll talk through your clinic's data flows, the DPA, the audit export format and the controls relevant to your inspection regime. Bring your questions.