For clinics and healthcare practices

Built to the ICO and NHS DSPT standard.

Custodiance runs your practice's web and email estate as a managed service — kept in UK and EU jurisdiction, built to the standard your ICO duties and your NHS Data Security and Protection Toolkit obligations require, and held by a named senior engineer who is personally accountable for it. A patient enquiry that names a condition is special-category data the moment it lands; the way we run your infrastructure treats it that way.

The risk

What the ICO and NHS DSPT require of your website — and where agency builds silently fail

A typical independent clinic site — podiatry, dentistry, physiotherapy, mental health, fertility, cosmetic, or veterinary care — was built a few years ago on whichever SaaS stack carried a template: a US host, a US enquiry form, Google Analytics, a US newsletter tool. The site works and bookings come in. It also quietly fails the obligations the practice — not the agency — is accountable for. Four are worth naming precisely.

UK GDPR and the ICO regime

The practice is the data controller, and the ICO enforces UK GDPR under the Data Protection Act 2018. That means Article 30 records of processing, Article 28 data-processing agreements with every sub-processor, and — under Articles 44 to 49 — a lawful transfer mechanism with Standard Contractual Clauses and a written Transfer Risk Assessment for any personal data flowing outside the UK and EU. The agency that wired the enquiry form to a US host almost certainly wrote none of these.

Special-category health data

A patient enquiry that names a condition is special-category data under UK GDPR Article 9 the moment it lands. The Caldicott Principles add the NHS-adjacent layer: justify every use of identifiable patient information, and keep access on a strict need-to-know basis. An enquiry form on US-resident infrastructure exposes that data to lawful third-party access — under the US CLOUD Act — that the practice never named and cannot defend.

The NHS Data Security and Protection Toolkit

Any clinic in the NHS supply chain — taking GP referrals, supplying an occupational-health service, or processing data that originated in NHS systems — inherits Data Security and Protection Toolkit (DSPT) obligations through its contracts. The assessor spot-checks the public website: the named Information Governance lead, the incident-reporting route, the privacy notice, the supported stack, and the sub-processor list are all verified in a browser before any conversation with the practice.

Where patient data is hosted

Most clinic sites route enquiry forms, the CRM, analytics, and patient mailings through US-resident SaaS — HubSpot, Mailchimp, Google Analytics, a US inbox. The CJEU's Schrems II ruling made bulk transfer of personal data to US infrastructure legally precarious, and US-resident services remain subject to the CLOUD Act regardless of where the data physically sits. The practice cannot answer where the data lives or who can reach it.

None of these obligations explicitly requires an "EU-sovereign website". Each, however, eventually asks the same question: where does the patient data live, who has access, and can the practice prove it? On a typical agency-built site the honest answer is "we do not really know."

How Custodiance answers it

An estate held to your regulator's standard

The work that puts a clinic's site right is not a one-off remediation. It is the work the estate carries continuously, mapped to the ICO duties and the DSPT assertions a practice is accountable for.

A managed estate, not a finished project

Your web and email infrastructure is run as an estate we hold continuously — audited, monitored, and changed on your behalf — not handed over once and left to decay. Patient enquiry intake, the CRM, analytics, patient mailings, and the compliance-facing pages are kept correct as the regime and your practice evolve, ready for the next DSPT submission rather than rebuilt against the deadline.

In-jurisdiction by design

Hosting is pinned to a London region, enquiry forms post to Cloudflare-routed inboxes on UK and EU edges, the CRM moves to an EU-hosted platform, patient mailings move to an EU-resident relay, and analytics move to Plausible (EU-resident, cookieless). When a patient, an insurer, an ICB, or a DSPT assessor asks where the data lives and who can reach it, the answer is engineered, not assumed — and it maps to your Article 30 records.
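The question that the risk section (where the enquiry form, the CRM and the analytics actually send data) and the in-jurisdiction design above both come down to is what a clinic's live site is wired to. The following is an added example, not Custodiance's own tooling or code: a small audit that parses a page, pulls out every form action, script source and iframe source, resolves each to an absolute URL, and classifies it as first-party, a named sub-processor, or an unnamed third party. The sample HTML, every hostname in it, and the allowlist of named processors are constructed for illustration.

```python
"""Audit where a clinic website's forms, scripts and embeds send data.

Added example, not Custodiance's tooling. Uses only the standard library so
it runs offline against embedded sample HTML.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page standing in for a typical agency-built clinic site:
# the enquiry form posts to a third-party form service, analytics load from a
# third-party tag host, and a booking widget is embedded as an iframe.
# All hostnames here are invented placeholders.
SAMPLE_HTML = """
<html><head>
  <script src="https://tag.us-analytics.example/gtag.js"></script>
  <script src="/static/site.js"></script>
</head><body>
  <form action="https://forms.us-saas.example/submit/abc123" method="post">
    <input name="name"><textarea name="condition"></textarea>
    <button>Send enquiry</button>
  </form>
  <form method="post">
    <input name="email"><button>Subscribe</button>
  </form>
  <iframe src="https://booking.eu-provider.example/widget"></iframe>
</body></html>
"""

# Constructed allowlist: the hosts the practice has actually named as
# UK/EU-resident sub-processors in its Article 30 records. Anything that
# is neither first-party nor on this list is a data flow the practice
# cannot currently account for.
NAMED_PROCESSORS = {"booking.eu-provider.example"}


@dataclass
class Flow:
    kind: str    # "form", "script" or "iframe"
    target: str  # absolute URL the data goes to (or code is loaded from)
    host: str
    status: str  # "first-party", "named-processor" or "UNNAMED"


class _Extractor(HTMLParser):
    """Collect (kind, raw URL) pairs for forms, external scripts and iframes."""

    def __init__(self):
        super().__init__()
        self.flows = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self.flows.append(("form", a.get("action") or ""))
        elif tag == "script" and a.get("src"):
            self.flows.append(("script", a["src"]))
        elif tag == "iframe" and a.get("src"):
            self.flows.append(("iframe", a["src"]))


def audit(html, page_url, named=NAMED_PROCESSORS):
    """Return one Flow per form/script/iframe found in the page."""
    site = urlparse(page_url).hostname or ""
    ex = _Extractor()
    ex.feed(html)
    flows = []
    for kind, raw in ex.flows:
        url = urljoin(page_url, raw)          # relative and empty URLs resolve to the site
        host = urlparse(url).hostname or ""
        if host == site or host.endswith("." + site):
            status = "first-party"
        elif host in named:
            status = "named-processor"
        else:
            status = "UNNAMED"
        flows.append(Flow(kind, url, host, status))
    return flows


def unnamed_flows(html, page_url, named=NAMED_PROCESSORS):
    """The flows an assessor would ask about: data leaving to an unnamed host."""
    return [f for f in audit(html, page_url, named) if f.status == "UNNAMED"]


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "https://www.clinic.example/contact"):
        print(f"{f.status:16} {f.kind:7} {f.target}")
```

Run against the constructed page, the audit reports the third-party form target and the third-party tag script as unnamed, the relative script and the action-less subscribe form as first-party, and the booking iframe as a named processor. The allowlist is the practice's own record of who it has contracted with; the script shows what the site is actually wired to, and it cannot by itself tell you where a named host is physically resident. That remains a contract and Transfer Risk Assessment question.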

Built to a published methodology

The standard each estate is built to is written down and applied consistently, so the way your practice is built is the way the next one is — auditable, repeatable, and defensible rather than improvised per project. At the close of onboarding the practice receives an evidence pack mapping each DSPT assertion to the URL on its estate that satisfies it. The posture is set out in the Custodiance framework.

A named accountable engineer

A single senior technical partner is personally accountable for your estate — a name and a direct line, not a ticket queue. For a practice too small to justify a full-time chief technology officer, this is the fractional equivalent: someone who understands your ICO duties and your DSPT obligations, carries the work between requests, and answers for it when something needs to be put right.

Engage

Two ways to run the estate

Growth

£1,495 per month

For an established practice that wants its web and email estate run properly — in-jurisdiction, with a named partner on call.

  • Managed web + email infrastructure
  • Built to your regulator's standard
  • EU/UK-sovereign hosting
  • A named technical partner
  • Continuous monitoring + changes

Embedded

From £6,000 per month · bespoke

For a practice that wants a fractional CTO embedded — owning the roadmap, the compliance posture, and the build.

  • Everything in Growth
  • Fractional-CTO engagement
  • Compliance + DPIA support
  • Bespoke build + integrations
  • Board-level reporting

Custody, not marketing.

Have a senior partner review your estate against the ICO and DSPT standard

A scoping call is a measured conversation about your obligations, your current setup, and what it would take to run it properly. Each of the four arms above is reviewed against your live site and marked pass, partial, or fail, with the specific remediation for each. No obligation, and no pressure.