Trust Center
Security & compliance, transparently shared

Trust is the foundation of clinic care.

Pabau powers clinics with practice-management software trusted to handle sensitive patient data. This is where we publish the certifications, attestations, and data-protection practices behind our platform.

Compliance

Certifications & standards

The frameworks our platform and infrastructure are aligned with. Most are verified by independent assessors; where an item is a self-assessment (CSA STAR Level 1 below) it is labelled as such.

Pabau registrations · Held by Pabau
Our direct legal & data-protection registrations

UK & EU GDPR

Registered with the UK Information Commissioner's Office (ICO) as a data controller. For patient data processed on behalf of clinics, Pabau acts as a processor (see the FAQ below).
Ref. ZA478121 · ICO · Registered
Infrastructure & subprocessor compliance · Cloud & data centre
Certifications held by the providers that host Pabau

PCI DSS v4.0.1

SAQ A attestation of compliance (the self-assessment questionnaire for merchants whose card handling is fully outsourced): card data fully outsourced to PCI-validated Stripe.
DigitalOcean · 2026 · Verified
ISO/IEC 27001:2022

Information security management system certified for the colocation data centres.
CoreSite · valid to Nov 2027 · Verified
HIPAA

Independent attestation that the hosting infrastructure conforms to the HIPAA Security Rule and Breach Notification Rule.
DigitalOcean · Dec 2025 · Verified

DORA

Assessed compliant with the EU Digital Operational Resilience Act (Reg. 2022/2554).
DigitalOcean · 2024 · Verified

CSA STAR Level 1

Cloud Security Alliance CAIQ v3.1 self-assessment of cloud security controls.
DigitalOcean · CAIQ · Self-assessed

Global PRP

Global Privacy Recognition for Processors — certified with no areas of non-compliance.
DigitalOcean · Nov 2025 · Verified
Documents

Resource library

Certificates, attestations and reports, grouped by category. Private items are available on request.

About these documents. The ICO registration is held directly by Pabau. The PCI DSS, HIPAA, ISO 27001, DORA, CSA STAR and Global PRP materials are the current certifications and attestations of the cloud and data-centre providers that host the Pabau platform (DigitalOcean and CoreSite). They evidence the controls of our underlying infrastructure and subprocessors; they are not certifications of the Pabau application itself, and the scope of each should be checked against the document before relying on it in a review.

Knowledge base

Frequently asked questions

The questions we hear most often during security and procurement reviews.

Is Pabau GDPR compliant?

Pabau is built to support UK and EU GDPR obligations and is registered with the UK Information Commissioner's Office (Ref. ZA478121). Patient data is encrypted in transit (TLS) and at rest, and access is restricted through authentication and least-privilege controls. Your clinic remains the data controller; Pabau acts as a processor and provides the tools and infrastructure to help you meet your obligations. Full details are on our GDPR page.

Is Pabau HIPAA compliant?

Yes. The platform is built to support the HIPAA Security Rule and Breach Notification Rule requirements, and the underlying hosting infrastructure (DigitalOcean) holds an independent HIPAA attestation. Business Associate Agreements (BAAs) are available on request. More information is on our HIPAA page.

Where is my data hosted, and how is it protected?

Pabau runs on DigitalOcean's cloud infrastructure, hosted in ISO/IEC 27001:2022-certified CoreSite data centres. Data is encrypted in transit using TLS and encrypted at rest. Access is restricted to authorised personnel through authentication and least-privilege controls.

Does Pabau store card data, and is it PCI DSS compliant?

Pabau does not store raw card data. All card processing is fully outsourced to Stripe, a PCI DSS-validated payment processor. Pabau holds only the tokens Stripe issues, which reference the card within Stripe's environment and cannot be reversed to the original card number outside it. The relevant PCI DSS v4.0.1 attestation is available in the document library above.

How are subprocessors and vendors managed?

Subprocessors and vendors are subject to security due diligence before onboarding, contractual security and confidentiality obligations, and ongoing monitoring at renewal. Our key subprocessors include DigitalOcean (hosting) and Stripe (payments). A current subprocessor list is available on request.