Trust Center
Security & compliance, transparently shared

Trust is the foundation of clinic care.

Pabau powers clinics with practice-management software trusted to handle sensitive patient data. This is where we publish the certifications, attestations, and data-protection practices behind our platform.

Compliance

Certifications & standards

The frameworks our platform and infrastructure are aligned with — verified by independent assessors.

Pabau registrations Held by Pabau Our direct legal & data-protection registrations
Infrastructure & subprocessor compliance Cloud & data centre Certifications held by the providers that host Pabau
PCI DSS v4.0.1

PCI DSS v4.0.1

SAQ A attestation of compliance — card data fully outsourced to PCI-validated Stripe.
DigitalOcean · 2026Verified
ISO/IEC 27001:2022 ISO 27001 logo

ISO/IEC 27001:2022

Information security management system certified for the colocation data centres.
CoreSite · to Nov 2027Verified
PCI DSS v4.0.1

HIPAA

Independent attestation that the platform conforms to the HIPAA Security & Breach Notification Rules.
DigitalOcean · Dec 2025Verified

DORA

Assessed compliant with the EU Digital Operational Resilience Act (Reg. 2022/2554).
DigitalOcean · 2024Verified

CSA STAR Level 1

Cloud Security Alliance CAIQ v3.1 self-assessment of cloud security controls.
DigitalOcean · CAIQSelf-assessed

Global PRP

Global Privacy Recognition for Processors — certified with no areas of non-compliance.
DigitalOcean · Nov 2025Verified
HDS HDS logo

HDS

Hébergeur de Données de Santé — French health-data hosting certification held by the cloud provider.
OVHcloudView certification
Subprocessors

Subprocessors

The third-party providers we rely on to deliver the Pabau platform. Each is bound by data-processing terms and assessed before onboarding.

Platform & operational General Infrastructure, product and operational providers
Digital Ocean

DigitalOcean

Primary cloud hosting and managed databases for the Pabau platform.
EU & US regionsCloud & database
Amazon Web Services

Amazon Web Services

Supporting cloud infrastructure and services for the platform.
EU & US regionsCloud services
Sentry

Sentry

Application error monitoring and performance tracking.
United StatesMonitoring
SendGrid

SendGrid

Transactional and notification email delivery.
United StatesEmail
Vercel Vercel

Vercel

Frontend hosting for the web and connect applications.
US & globalHosting
New Relic New Relic

New Relic

Application performance monitoring — logs and traces (may carry PII).
United StatesMonitoring
Twilio Twilio

Twilio

SMS delivery and video / telehealth.
United StatesCommunications
Stripe Stripe

Stripe

Payment processing (Connect).
US & EUPayments
Supabase Supabase

Supabase

Managed Postgres and storage — hosts AI-Scribe patient transcripts / notes; community.
EU & USDatabase & storage
Anthropic Anthropic

Anthropic

AI note structuring and letter drafting (consultation text).
United StatesAI
OpenAI OpenAI

OpenAI

AI photo analysis and treatment-result simulation.
United StatesAI
Deepgram Deepgram

Deepgram

Speech-to-text of consultation audio.
United StatesAI / speech
AssemblyAI AssemblyAI

AssemblyAI

Speech-to-text (voice notes and video).
United StatesAI / speech
HubSpot HubSpot

HubSpot

CRM and marketing sync (lead and payment events).
United StatesCRM
Intercom Intercom

Intercom

In-app support chat.
United StatesSupport
Xero Xero

Xero

Accounting — syncs invoice and customer financials.
EU & globalAccounting
Google Google

Google

Maps, OAuth SSO, Drive, Reserve with Google and Reviews.
GlobalPlatform services
Microsoft Azure Microsoft Azure

Microsoft Azure

Blob storage transport for lab orders.
European UnionStorage
Cloudflare Cloudflare

Cloudflare

Turnstile bot gate, CDN and WAF (visitor IPs).
GlobalCDN & security
Healthcare-specific Highest sensitivity Transmit patient identifiers & clinical / claims data
Healthcode Healthcode

Healthcode

UK private-insurance claims clearing house.
United KingdomClaims
The Doctors Laboratory TDL

The Doctors Laboratory (TDL)

Pathology lab orders (HL7 / CSV).
United KingdomPathology lab
Viva Diagnostics Viva Diagnostics

Viva Diagnostics

Pathology lab orders (SFTP / HL7).
United KingdomPathology lab
Ideal Postcodes Ideal Postcodes

Ideal Postcodes

UK address autocomplete.
United KingdomAddress data
Documents

Resource library

Certificates, attestations and reports. Filter by category or request access to private items.

Data Privacy Data Processing Agreement (DPA) UK GDPR data processing agreement, incl. sub-processors & security measures · request access Data Privacy ICO Registration Certificate UK data-protection registration · Ref. ZA478121 Data Privacy Global PRP Certification Report Privacy Recognition for Processors · DigitalOcean · 2025 Compliance PCI DSS v4.0.1 (SAQ A & AOC) Attestation of Compliance · DigitalOcean · 2026–27 Compliance HIPAA Attestation Report HIPAA Security & Breach Notification · DigitalOcean · 2025 Infrastructure ISO/IEC 27001:2022 Certificate Data-centre ISMS certification · CoreSite · valid to 2027 Infrastructure DORA Assessment Summary EU Digital Operational Resilience Act · DigitalOcean · 2024 Infrastructure CSA STAR Level 1 — CAIQ v3.1 Cloud Security Alliance self-assessment · DigitalOcean Policies Information Security Policy Pabau's information security management policy · request access Policies Incident Response Policy How Pabau detects, responds to and manages security incidents · request access Policies Vulnerability Disclosure Policy How to responsibly report security vulnerabilities to Pabau · request access Policies Acceptable Use Policy Acceptable use of Pabau systems, data and resources · v1.0 · request access Policies Access Control Policy Identity, authentication and least-privilege access controls · v1.0 · request access Policies Asset Management Policy Inventory, ownership and lifecycle of information assets · v1.0 · request access Policies Business Continuity & DR Policy Business continuity and disaster recovery planning · v1.0 · request access Policies Change Management Policy Controlled change to systems and production environments · v1.0 · request access Policies Code of Conduct Expected standards of ethical and professional conduct · v1.0 · request access Policies Data Management Policy Data classification, handling, retention and disposal · v1.0 · request access Policies Encryption Policy Encryption of data in transit and at rest · v1.0 · request access Policies HR & Personnel Security Policy Personnel screening, onboarding and offboarding controls · v1.0 · request access Policies Logging & Monitoring Policy Security logging, monitoring and audit practices · v1.0 · request access Policies Physical Security Policy Physical and environmental protection of facilities · v1.0 · request access Policies Risk Management Policy Identification, assessment and treatment of security risk · v1.0 · request access Policies Secure Development Policy Secure software development lifecycle practices · v1.0 · request access Policies Vendor Management Policy Third-party due diligence and ongoing vendor oversight · v1.0 · request access Policies Vulnerability Management Policy Identification, prioritisation and remediation of vulnerabilities · v1.0 · request access

About these documents. The ICO registration is held directly by Pabau. The PCI DSS, HIPAA, ISO 27001, DORA, CSA STAR and Global PRP materials are the current certifications of the cloud and data-centre providers that host the Pabau platform (DigitalOcean and CoreSite), demonstrating the compliance of our underlying infrastructure and subprocessors.

Knowledge base

Frequently asked questions

The questions we hear most often during security and procurement reviews.

Pabau is built to support UK and EU GDPR obligations and is registered with the UK Information Commissioner's Office (Ref. ZA478121). Patient data is encrypted, access-controlled, and stored securely. Your clinic remains the data controller; Pabau acts as a processor and provides the tools and infrastructure to help you meet your obligations. Full details are on our GDPR page.

Yes. The platform is built to support the HIPAA Security Rule and Breach Notification requirements, and the underlying hosting infrastructure holds an independent HIPAA attestation. Business Associate Agreements (BAAs) are available on request. More information is on our HIPAA page.

Pabau runs on DigitalOcean's cloud infrastructure, hosted in ISO/IEC 27001:2022-certified CoreSite data centres. Data is encrypted in transit using TLS and encrypted at rest, with access restricted to authorised personnel through authentication and least-privilege controls.

Pabau does not store raw card data. All card processing is fully outsourced to Stripe, a PCI DSS-validated payment processor, and card details are tokenised so the original data cannot be reconstructed. The relevant PCI DSS v4.0.1 attestation is available in the document library above.

Subprocessors and vendors are subject to security due diligence before onboarding, contractual security and confidentiality obligations, and ongoing monitoring at renewal. Our key subprocessors include DigitalOcean (hosting) and Stripe (payments). A current subprocessor list is available on request.