Business Information & Compliance

This section covers the business logic, regulatory compliance, and security posture of Skin Club Pro.

1. Data Compliance (GDPR)

Skin Club Pro is designed with "Privacy by Design" principles to handle sensitive medical and personal data.

Regulatory Framework

  • GDPR (EU) and UK GDPR: We act as the Data Controller for the account and usage data of our own platform, and as a Data Processor for the patient data that practitioners hold on the platform (the practitioner is the Controller of that data).
  • Special Category Data: Health data is special category data under GDPR Article 9, so it needs an Article 9(2) condition on top of an Article 6 lawful basis and is subject to the stricter handling controls listed below.

Key Compliance Features

  • Right to Erasure: Erasure requests are honoured by "Soft Delete": personal identifiers are removed from all active views immediately, while the underlying clinical record is retained until the applicable medical record retention period (typically 10 years) expires and is only then purged.
  • Data Portability: Users can request a full export of their clinical and personal data.
  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
  • Audit Trails: Every access to a patient record is logged with a timestamp and user ID.
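The soft-delete and audit-trail behaviour described above, as an added example (not Skin Club Pro's own code). The record shape, the `PatientRecordStore` class, the `read`/`erase`/`purgeExpired` names and the 10-year retention constant are assumptions for illustration; the point is that erasure scrubs identifiers but keeps the clinical record until `retainUntil`, and that every read, erasure and purge lands in the audit trail with a timestamp and user ID:

```typescript
// Added example, not the platform's code. Field names and the retention period are assumed.
interface PatientRecord {
  id: string;
  // Personal identifiers; set to null by an erasure request
  pii: { name: string; email: string; phone: string } | null;
  // Clinical data that must survive for the retention period
  clinicalNotes: string[];
  deletedAt: Date | null;
  retainUntil: Date | null;
}

interface AuditEntry {
  at: Date;
  userId: string;
  recordId: string;
  action: "read" | "erase" | "purge";
}

const RETENTION_YEARS = 10; // assumed; the statutory period depends on jurisdiction

class PatientRecordStore {
  private records = new Map<string, PatientRecord>();
  private audit: AuditEntry[] = [];
  private now: () => Date;

  // The clock is injectable so retention expiry can be tested deterministically.
  constructor(now: () => Date = () => new Date()) {
    this.now = now;
  }

  add(record: PatientRecord): void {
    this.records.set(record.id, record);
  }

  // Every access attempt is logged before any data is returned; soft-deleted
  // records are hidden from active views.
  read(recordId: string, userId: string): PatientRecord | undefined {
    this.audit.push({ at: this.now(), userId, recordId, action: "read" });
    const rec = this.records.get(recordId);
    if (!rec || rec.deletedAt) return undefined;
    return rec;
  }

  // Right to erasure: strip PII now, keep the clinical record until retainUntil.
  erase(recordId: string, userId: string): boolean {
    const rec = this.records.get(recordId);
    if (!rec || rec.deletedAt) return false;
    const when = this.now();
    rec.pii = null;
    rec.deletedAt = when;
    const until = new Date(when.getTime());
    until.setFullYear(until.getFullYear() + RETENTION_YEARS);
    rec.retainUntil = until;
    this.audit.push({ at: when, userId, recordId, action: "erase" });
    return true;
  }

  // Hard delete only after the retention period has run out. Returns purged ids.
  purgeExpired(userId: string): string[] {
    const purged: string[] = [];
    const t = this.now();
    for (const [id, rec] of this.records) {
      if (rec.retainUntil && rec.retainUntil.getTime() <= t.getTime()) {
        this.records.delete(id);
        this.audit.push({ at: t, userId, recordId: id, action: "purge" });
        purged.push(id);
      }
    }
    return purged;
  }

  // Clinical notes of a retained (erased) record stay available for retention purposes.
  retainedClinicalNotes(recordId: string): string[] | undefined {
    return this.records.get(recordId)?.clinicalNotes;
  }

  auditTrail(): readonly AuditEntry[] {
    return this.audit;
  }
}
```

Note that `read` logs the attempt even when the record is missing or erased; an audit trail that only records successful reads would not show probing for deleted or non-existent patients.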

2. Clinical Governance

The platform enforces strict clinical standards:

  • Consent Management: Digital signatures are captured and timestamped for all treatment consent forms.
  • Practitioner Verification: Only verified practitioners with valid roles can access clinical notes and patient records.
  • Medical History: Mandatory medical history updates are enforced before treatments can be booked.

3. Cyber Threat & Security Posture

Threat Mitigation

  • XSS Protection: Session cookies are set HttpOnly, so a script injected through XSS cannot read the session token. HttpOnly limits the impact of XSS rather than preventing it; injection itself still has to be stopped by output encoding, which the cookie flag does not address.
  • SQL Injection: Database access goes through TypeORM with parameterised queries, so user input is passed as bound parameters rather than concatenated into SQL.
  • DDoS Protection: CloudFront fronts the application (with AWS Shield Standard absorbing network-layer floods) and AWS WAF filters application-layer attacks.
  • Brute Force: Rate limiting is enforced on all authentication endpoints to throttle repeated credential-guessing attempts.
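The kind of rate limiting the last bullet refers to, as an added example (not Skin Club Pro's own code). It counts attempts per source address and per submitted account identifier in a fixed window, so that one IP spraying many accounts and many IPs targeting one account are both throttled; the limits, window and the `AuthRateLimiter`/`handleLogin` names are assumptions:

```typescript
// Added example, not the platform's code. Limits and window length are assumed.
interface LimiterOptions {
  windowMs: number;      // length of the counting window in milliseconds
  maxPerIp: number;      // attempts allowed per source address per window
  maxPerAccount: number; // attempts allowed per account identifier per window
}

class AuthRateLimiter {
  private hits = new Map<string, { count: number; windowStart: number }>();
  private opts: LimiterOptions;
  private now: () => number;

  // The clock is injectable so window expiry can be tested deterministically.
  constructor(opts: LimiterOptions, now: () => number = () => Date.now()) {
    this.opts = opts;
    this.now = now;
  }

  // Increment the counter for key, starting a fresh window if the old one expired.
  private bump(key: string, limit: number): boolean {
    const t = this.now();
    const entry = this.hits.get(key);
    if (!entry || t - entry.windowStart >= this.opts.windowMs) {
      this.hits.set(key, { count: 1, windowStart: t });
      return true;
    }
    entry.count += 1;
    return entry.count <= limit;
  }

  // Returns false when the attempt must be rejected (HTTP 429). Both counters are
  // bumped even if one is already over its limit, so tripping one cannot be used
  // to skip the other. The account key is normalised so "Alice@x" and "alice@x"
  // share one budget, and non-existent accounts are counted the same as real ones,
  // which keeps the limiter from leaking whether an account exists.
  allow(ip: string, account: string): boolean {
    const ipOk = this.bump(`ip:${ip}`, this.opts.maxPerIp);
    const acctOk = this.bump(`acct:${account.trim().toLowerCase()}`, this.opts.maxPerAccount);
    return ipOk && acctOk;
  }

  // Drop expired windows so the map does not grow without bound under a spray
  // attack. Returns the number of entries removed.
  sweep(): number {
    const t = this.now();
    let removed = 0;
    for (const [key, entry] of this.hits) {
      if (t - entry.windowStart >= this.opts.windowMs) {
        this.hits.delete(key);
        removed += 1;
      }
    }
    return removed;
  }
}

// Wire the limiter in before credentials are checked, so a throttled attempt
// never reaches the password verifier. Returns the HTTP status to send.
function handleLogin(
  limiter: AuthRateLimiter,
  ip: string,
  account: string,
  verify: (account: string) => boolean,
): number {
  if (!limiter.allow(ip, account)) return 429;
  return verify(account) ? 200 : 401;
}
```

A fixed window lets a client burst up to twice the limit across a window boundary; if that matters, replace `bump` with a sliding-window or token-bucket counter and keep the dual ip/account keying, which is the part that actually defeats credential spraying.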

Incident Response

In the event of a personal data breach, Skin Club Pro notifies the relevant supervisory authority within 72 hours of becoming aware of it (GDPR Article 33), notifies the practitioner as Controller without undue delay where the affected data is processed on their behalf, and informs affected users without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34).