Security & data

Your clinic data, treated like clinic data.

Read only access to your PMS. Patient identifiers hashed at rest. UK hosted. Full GDPR Data Processing Agreement. Nothing fancy. Just the basics, done properly.

Read only PMS access

We never write back to your practice management system. Not a note, not an appointment, not a status. If something goes wrong here, your PMS is unchanged.

Patient identifiers hashed

Personally identifying patient fields are hashed at rest with a per environment salt. The clinic dashboard fetches the full patient record from your PMS on demand when you click into it.

UK hosting, ICO registered

Application and database hosted in the UK and EU only. HMDG Ltd is registered with the ICO. Full GDPR Data Processing Agreement signed before any data flows.

What we read

What we read, and what we never touch.

A practice management system is full of sensitive material. We only need a small part of it to give you a useful dashboard.

What we read

The operational shape of your business.

Just enough to compute the metrics. Nothing for marketing, nothing for outbound, nothing that travels outside your dashboard.

  • Appointments: start time, duration, status, practitioner, service
  • Invoices: line items, amounts, dates, status
  • Patient identifiers: hashed for aggregation, never used for outreach
  • Practitioner names and rates, treatment names

What we never touch

Patient communications and clinical detail.

There is a hard line between an operational metrics product and a clinical tool. We are on the operational side.

  • Clinical notes, treatment plans, body charts, attachments
  • Patient messaging, SMS history, email content
  • Patient-facing communications of any kind, from anywhere
  • Anything that needs write access to your PMS

Where it lives, who can see it

UK and EU only. Role based access.

Hosting

PostgreSQL database hosted in the UK. Application servers in the EU. Encrypted at rest by the platform provider. TLS everywhere in transit.

Authentication

Magic link login by default. No passwords stored. Short lived signed cookie. Session timeout configurable per clinic.

Access control

Owner, manager, account manager, and read only seats. You decide which roles each member of your team gets. HMDG staff have access only to their own assigned clinics.

Compliance and legal

GDPR Data Processing Agreement, signed before data flows.

No clinic data is ingested until the DPA is in place. HMDG is the data processor. You remain the controller.

  • HMDG Ltd is registered with the Information Commissioner's Office (ICO)
  • UK GDPR and EU GDPR aligned. UK Data Protection Act 2018 compliant.
  • Sub-processors disclosed in the DPA. List kept current.
  • Data Subject Access Requests honoured within 30 days. No charge.
  • Breach notification within 72 hours, in line with ICO guidance.
  • 30 day deletion on cancellation. Backups purged on the next cycle.

At a glance

  • Controller: Your clinic
  • Processor: HMDG Ltd
  • Hosting: UK / EU
  • Regulator: ICO
  • PMS access: Read only
  • Retention: 30 days post-cancel

Operational security

How we run it day to day.

Audit logging

Every API call, every admin action, every data access logged with user ID, IP, and timestamp. Retained for 12 months.

Backups

Daily point in time snapshots, 14 day retention. Restore tested quarterly. Patient-identifiable fields stay hashed in every backup.

Secret handling

API keys and OAuth tokens are stored in secret management, not in source. Per environment salts. Rotated on any departures or incidents.

Vendor security

Dependency updates run continuously with CVE alerting. All sub-processors are SOC 2 or ISO 27001 certified.

Code review

Every change reviewed and tested before deploy. Production releases gated on CI, including security checks.

Incident response

On call rotation for production. Communication to affected clinic owners within 24 hours of any confirmed security incident, ahead of any regulatory deadline.

Questions we get

Specific things people ask.

Can you write back to my PMS?

No. The integration is read only. We do not have write scopes on any PMS we connect to. If we ever offered a feature that needed write access, we would ask you to authorise it explicitly with a separate scope, and you could decline.

Do you send anything to my patients?

No. ClinicSignal does not send SMS, email, or any other patient communication. Recall lists are exported as CSV for your admin team to send through your normal channels.

Where exactly is the data stored?

PostgreSQL hosted in the UK with a major cloud provider. Application servers in the EU. We can share the specific sub-processor list under NDA.

Who at HMDG can see my data?

Your assigned account manager and the engineering team for support purposes. Access is logged. We do not share or sell data, ever.

What happens if I cancel?

Your dashboard access ends on cancellation. Your data is purged within 30 days. Aggregated, non-identifying benchmark figures may persist (these power the cross-clinic benchmarks; nothing in them can be traced back to your clinic).

Can I see my audit log?

Yes. Submit a written request and we will return the audit log for your clinic within 5 working days.

Have you been audited?

External security audit by an independent reviewer in May 2026. Closeout report on file. Available under NDA.

Got a security question we did not cover?

Get in touch. We will answer specifically, with documentation if you need it.

Email security@hmdg.co.uk