VPOP PRO Security White Paper
Overview
Security is fundamental to the mission of VPOP PRO, ensuring reliable and intelligent cloud-based virtual orthopaedic planning. This white paper provides a detailed explanation of the robust security measures and protocols we have implemented to protect the sensitive data of both our users and their patients.
This document should be read alongside our GDPR Statement, Privacy Policy, and Terms & Conditions.
Our comprehensive security strategy includes Organisational Security, Infrastructure and Network Security, Application Security, Data Protection, Identity and Access Management, Incident Management, Compliance and Auditing, and Customer Security Controls.
Organisational Security
ISO 27001 Framework (Working Towards Certification) - VPOP PRO is actively working towards compliance with ISO 27001, demonstrating our commitment to safeguarding data confidentiality, integrity, and availability through international best practices.
Employee Vetting and Training - All staff are required to sign confidentiality and acceptable use agreements. Additionally, regular, mandatory training sessions are held to reinforce staff awareness regarding data privacy, secure data handling practices, and general data protection regulations. Our developers receive specific training in secure coding practices so that they can understand and mitigate application security risks, and they are familiar with the OWASP Top 10 vulnerabilities.
Dedicated In-House Development Team - Our internal development team continuously monitors risk exposure, applies industry-standard best practices, and rapidly addresses emerging security threats.
Infrastructure & Physical Security
Cloud Hosting and Data Redundancy - We host our systems in secure data centres within the EU and UK that comply with GDPR and ISO 27001. Regular data backups are conducted, with robust disaster recovery plans tested frequently to ensure continuity of operations.
Physical Security Measures - Physical security at VPOP PRO headquarters includes comprehensive surveillance systems and strict access control with logging mechanisms to record all entry and exit points.
Network Security - Our network infrastructure incorporates advanced firewalls, Distributed Denial of Service (DDoS) protection, and intrusion prevention systems. To maintain security, our production environment is segregated from development and testing environments.
Secure Development Lifecycle (SDLC) - All software code passes through rigorous security reviews, testing protocols, and automated scanning processes before deployment. We utilise Continuous Integration and Continuous Delivery (CI/CD) practices with gated approval systems to ensure secure deployment.
Vulnerability Management - Regular penetration testing is conducted by third-party security experts to proactively identify vulnerabilities. Critical vulnerabilities identified are prioritised for immediate patching and resolution.
Endpoint and Server Hardening - Devices issued to employees are encrypted and managed using advanced endpoint security solutions, ensuring secure handling and storage of sensitive information.
Data Protection & Privacy
Encryption - We secure data in transit using TLS 1.3 with Perfect Forward Secrecy (PFS) to ensure robust protection. Data at rest, including clinical data and associated media files, is secured using AES-256 encryption, providing the highest level of confidentiality and integrity.
Data Retention and Secure Disposal - User data is retained for a limited period post-termination, after which it is securely deleted. Additionally, backup copies are securely destroyed within 90 days to prevent unauthorised access.
Third-Party Data Processing - VPOP PRO rigorously evaluates the need for Data Processing Agreements (DPAs) with all third-party vendors and partners, clearly defining roles as controllers or processors. Agreements are established to maintain compliance with GDPR and other relevant data protection laws. Our Privacy Policy, Terms & Conditions, and GDPR Statement are reviewed and updated regularly to accurately reflect these practices.
Identity & Access Management
Authentication and Permissions - Role-based permissions are enforced across our platform, ensuring users have only the necessary access to fulfil their responsibilities securely.
Administrative Access and Logging - Administrative actions within the platform are logged comprehensively, regularly reviewed, and audited. Access to sensitive administrative functions is strictly controlled and limited to authorised personnel using secure, hardened devices.
Incident Response
Continuous Monitoring and Detection - Our systems and environments are under continuous monitoring 24 hours a day. Any detected anomalies are immediately reviewed and triaged by our dedicated internal team.
Incident Handling - Our incident response framework involves clearly defined escalation paths and communication strategies. Upon detection of a data breach, we commit to notifying relevant data controllers or affected data subjects within 24 hours. Additionally, we maintain open communication and full cooperation with data controllers in compliance with established Data Processing Agreements.
Compliance & Certifications
VPOP PRO adheres strictly to compliance standards and holds the following statuses:
GDPR (EU): Fully Implemented
ISO 27001: Certification in progress, anticipated completion by Q4 2025
Cyber Essentials Plus: Achieved certification in February 2025
We perform regular internal audits and collaborate with external auditors to continuously strengthen our compliance posture and to prepare effectively for certifications.
Customer Security Controls
Our platform offers robust customer-managed security controls, including role-based access at both the case and image level. Administrators have access to dashboards for comprehensive organisational oversight and management. We also offer a secure billing portal managed via Paddle to ensure secure financial transactions.
For further technical documentation, including Data Protection Impact Assessments (DPIAs) or to request a Business Associate Agreement (BAA), please contact:
support@vpop-pro.com