Velastria

GDPR Compliance

How Velastria complies with UK GDPR and protects your data

Our Commitment to Data Protection

Velastria is committed to the highest standards of data protection and privacy. We fully comply with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and healthcare-specific regulations including CQC, HIS, and GMC requirements.

This page explains how we implement GDPR principles and protect the personal data and patient health information processed through our platform.

1. GDPR Principles

We adhere to all seven GDPR principles:

1.1 Lawfulness, Fairness, and Transparency

  • We process data only on lawful bases (consent, contract, legal obligation, legitimate interests)
  • We provide clear, plain-language privacy notices
  • We maintain transparency about data processing activities

1.2 Purpose Limitation

  • Data is collected for specified, explicit, and legitimate purposes
  • We do not process data for purposes incompatible with the original purpose
  • Each processing activity has a documented purpose

1.3 Data Minimisation

  • We collect only data adequate, relevant, and necessary for the specified purpose
  • Optional data fields are clearly marked
  • We regularly review data collection practices to minimise data capture

1.4 Accuracy

  • Customers can update and correct their data at any time
  • Inaccurate data is deleted or rectified without delay
  • We maintain audit trails of data changes for accountability

1.5 Storage Limitation

  • Personal data is retained only as long as necessary
  • We follow medical record retention guidelines (6 years minimum)
  • Data deletion policies are automated where possible
  • See our Data Retention Policy for details

1.6 Integrity and Confidentiality (Security)

  • Appropriate technical and organisational measures protect data
  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Regular security audits, penetration testing, and vulnerability assessments
  • Access controls, authentication, and role-based permissions

1.7 Accountability

  • We maintain comprehensive records of processing activities
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Staff training on data protection and GDPR compliance
  • Regular compliance audits and reviews

2. Data Controller vs Data Processor

2.1 When We Are the Data Controller

Velastria acts as the data controller for:

  • Marketing and sales data (beta applications, contact forms)
  • Account holder information (clinic details, billing information)
  • Website usage data and analytics

As controller, we determine the purposes and means of processing and are responsible for GDPR compliance.

2.2 When We Are the Data Processor

Velastria acts as a data processor for:

  • Patient health records entered by clinics
  • Patient communications managed through the platform
  • Clinical data, photos, and documentation

When we act as processor, you (the clinic) are the data controller and determine the purposes and means of processing patient data. We process that data only on your documented instructions.

2.3 Data Processing Agreement (DPA)

All customers receive a comprehensive Data Processing Agreement that details:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller (you)
  • Security measures and breach notification procedures
  • Sub-processor agreements
  • Data deletion and return procedures

3. Data Subject Rights

We facilitate the exercise of all GDPR data subject rights:

3.1 Right of Access (Article 15)

  • Individuals can request copies of their personal data
  • We provide data within 30 days (1 month) of request
  • First copy is free; reasonable fees may apply for additional copies

3.2 Right to Rectification (Article 16)

  • Individuals can request correction of inaccurate data
  • We rectify data without undue delay
  • Clinics can update patient records directly through the platform

3.3 Right to Erasure / "Right to be Forgotten" (Article 17)

  • Individuals can request deletion of their data
  • We delete data unless legal obligations require retention
  • Medical records are subject to 6-year minimum retention under UK law

3.4 Right to Restrict Processing (Article 18)

  • Individuals can request limitation of processing
  • We mark restricted data and process only with consent or for legal claims

3.5 Right to Data Portability (Article 20)

  • Individuals can receive their data in a machine-readable format
  • We provide exports in CSV, JSON, or PDF format
  • Data can be transmitted directly to another controller where feasible

3.6 Right to Object (Article 21)

  • Individuals can object to processing based on legitimate interests
  • Individuals can opt out of marketing communications at any time
  • We cease processing unless compelling legitimate grounds exist

3.7 Rights Related to Automated Decision-Making (Article 22)

  • We do not make solely automated decisions with legal or significant effects
  • AI features provide suggestions; clinical decisions remain with clinicians

4. Technical and Organisational Measures

4.1 Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Database: Encrypted database connections and storage
  • Backups: Encrypted backup storage

4.2 Access Controls

  • Role-based access control (RBAC) with least privilege principle
  • Multi-factor authentication (MFA) available for all accounts
  • Regular access reviews and revocation procedures
  • Segregation of duties for administrative functions

4.3 Authentication and Password Security

  • Strong password requirements (minimum 12 characters, complexity rules)
  • Password hashing using bcrypt with salting
  • Session management with automatic timeout
  • Account lockout after failed login attempts

4.4 Network Security

  • Firewalls and network segmentation
  • Intrusion detection and prevention systems
  • DDoS protection via Cloudflare
  • Regular security patching and updates

4.5 Application Security

  • Secure coding practices and code reviews
  • Input validation and output encoding
  • Protection against OWASP Top 10 vulnerabilities
  • Regular vulnerability scanning and remediation

4.6 Audit Logging

  • Comprehensive audit trails of all data access and changes
  • Immutable logs stored separately from application data
  • Log retention for 6 years (aligned with medical record requirements)
  • Regular log review and monitoring for suspicious activity

5. Data Breach Procedures

5.1 Detection and Containment

  • 24/7 monitoring for security incidents
  • Automated alerts for suspicious activity
  • Incident response team with defined escalation procedures
  • Containment measures to limit breach impact

5.2 Notification

In the event of a data breach:

  • To the ICO: Within 72 hours of becoming aware (Article 33)
  • To Customers: Without undue delay, with details of the breach
  • To Data Subjects: If high risk to rights and freedoms (Article 34)

5.3 Documentation

  • All breaches are documented regardless of severity
  • Records include facts, effects, and remedial action taken
  • Post-incident reviews to prevent recurrence

6. International Data Transfers

6.1 Data Location

  • Primary data storage: AWS EU (London) and UK regions
  • Backup storage: AWS EU (Ireland) region
  • We minimise transfers outside the UK/EEA

6.2 Transfer Safeguards

When data transfers outside the UK/EEA are necessary, we use:

  • Standard Contractual Clauses (SCCs) approved by the UK ICO
  • Adequacy decisions by the UK Government
  • Binding corporate rules (where applicable)
  • Transfer Impact Assessments to ensure adequate protection

6.3 Sub-Processors

We use sub-processors for specific services:

  • AWS: Cloud hosting (UK/EU regions)
  • Stripe: Payment processing (adequacy decision)
  • Cloudflare: CDN and security services

All sub-processors are contractually bound to GDPR compliance.

7. Healthcare-Specific Compliance

7.1 CQC Compliance (England)

  • Supports CQC Fundamental Standards
  • Audit trails for regulatory inspections
  • Document management for policies and procedures
  • Staff training records and CPD tracking

7.2 HIS Compliance (Scotland)

  • Aligns with Healthcare Improvement Scotland standards
  • Quality improvement metrics and reporting
  • Patient safety incident tracking

7.3 GMC Good Medical Practice

  • Supports GMC record-keeping requirements
  • Consent management and documentation
  • Professional revalidation support

7.4 Caldicott Principles

  • Justify the purpose of using confidential information
  • Use confidential information only when necessary
  • Use the minimum necessary confidential information
  • Access on a strict need-to-know basis
  • Everyone with access understands their responsibilities
  • Comply with the law
  • The duty to share information for individual care is as important as the duty to protect confidentiality

8. Staff Training and Awareness

  • Mandatory GDPR training for all staff upon hiring
  • Annual refresher training
  • Role-specific training (e.g., developers, support staff)
  • Security awareness training and phishing simulations
  • Confidentiality agreements and acceptable use policies

9. Data Protection Impact Assessments (DPIAs)

We conduct DPIAs for:

  • New features involving patient health data
  • AI and automated decision-making features
  • Large-scale processing of special category data
  • New technologies or innovative uses of existing technologies
  • Data sharing with third parties

DPIAs assess risks to data subjects and identify mitigating measures.

10. Accountability and Governance

10.1 Data Protection Officer (DPO)

  • Name: Taimur Shoaib
  • Email: [email protected]
  • Responsibilities: Oversee GDPR compliance, conduct audits, liaise with ICO

10.2 Records of Processing Activities (ROPA)

We maintain detailed records including:

  • Name and contact details of controller/processor
  • Purposes of processing
  • Categories of data subjects and personal data
  • Recipients of data
  • International transfers
  • Retention periods
  • Security measures

10.3 Compliance Audits

  • Annual internal GDPR compliance audits
  • Third-party security audits and penetration testing
  • ISO 27001 certification (in progress)
  • Cyber Essentials Plus certification

11. Your Rights and Contact

11.1 Exercising Your Rights

To exercise any GDPR rights, contact us at [email protected]. We will respond within 30 days.

11.2 Complaints

If you believe we have not handled your data appropriately, you can:

  1. Contact our DPO at [email protected]
  2. Lodge a complaint with the UK Information Commissioner's Office (ICO)

Information Commissioner's Office (ICO)

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline: 0303 123 1113
Website: ico.org.uk
Report a concern: ico.org.uk/make-a-complaint

12. Updates to This Page

We review and update this GDPR Compliance page annually or when significant changes occur to our processing activities. Last updated: 28 November 2025.

13. Additional Resources

  • Privacy Policy - How we collect and use personal data
  • Terms of Service - Legal agreement for using Velastria
  • Data Processing Agreement (DPA) - Available upon subscription
  • Security Whitepaper - Available upon request

© 2025 Velastria. All rights reserved.