Security & Compliance

This page provides information about Psychology Tools’ approach to information security, data protection, and regulatory compliance. It is intended for individual clinicians using the platform, as well as organisations undertaking procurement or information governance reviews.

Our role and responsibilities

Data protection roles

  • Therapists and organisations using the platform act as data controllers for patient data.

  • Psychology Tools Limited acts as a data processor, processing personal data only on documented instructions from the controller.

  • Patients are data subjects under applicable data protection law (UK GDPR or EU GDPR, as relevant).

Psychology Tools does not determine clinical purposes, lawful bases, or retention periods for patient data.

Information security governance

Psychology Tools operates an information security management system (ISMS) aligned with ISO/IEC 27001.

Key elements include:

  • Defined information security policies and procedures

  • Risk-based assessment and treatment of information security risks

  • Senior management oversight of information security

  • Ongoing monitoring, review, and improvement of controls

Information security responsibilities are assigned to defined roles within the organisation. For clinicians, this means that patient information is handled within a structured security framework, with clear accountability and oversight.

ISO/IEC 27001 certification

Psychology Tools maintains ISO/IEC 27001 certification covering its publishing operations and supporting infrastructure. The same ISMS framework, policies, and security controls are applied to the Psychology Tools platform and its supporting systems. Organisations carrying out due diligence should check the scope statement on the certificate (available on request; see Assurance materials below) against the systems within the scope of their own assessment.

Certification provides independent, third-party assurance that:

  • Appropriate technical and organisational security controls are in place

  • Risks to information assets are systematically assessed and managed

  • Controls are subject to regular internal and external review

Healthcare and regulatory alignment

UK and European Union (UK GDPR / EU GDPR)

Psychology Tools is based in the United Kingdom and processes personal data in accordance with applicable UK and EU data protection law, including the UK GDPR and EU GDPR where relevant.

The platform is designed to support therapists and organisations in meeting their obligations when processing special category health data, with appropriate technical and organisational safeguards in place.

HIPAA alignment (United States)

For customers in the United States, the Psychology Tools platform is designed to support HIPAA-aligned use, with administrative, technical, and physical safeguards for protected health information (PHI), when used appropriately.

HIPAA compliance depends on how the platform is used. Where a covered entity uses the platform to create, receive, maintain, or transmit PHI on its behalf, the HIPAA Rules will generally require a Business Associate Agreement (BAA) between the covered entity and Psychology Tools; Psychology Tools provides its standard Business Associate Agreement on request. Psychology Tools does not determine or certify customers’ HIPAA compliance.

Other jurisdictions (Canada and Australia)

The Psychology Tools platform is designed to support use in other jurisdictions, including Canada and Australia, in line with applicable privacy and health information laws. Customers remain responsible for ensuring that their use of the platform complies with local legal and professional requirements.

Medical device position

The Psychology Tools platform supports therapist-led care and clinical workflows. It does not provide diagnosis, treatment recommendations, or automated clinical decision-making, and is not intended to function as a medical device.

Data hosting and residency

Customer data is hosted on cloud infrastructure operated by vetted sub-processors (see Sub-processors below). Therapists and organisations select the geographic region in which their data is stored, from:

  • United Kingdom

  • United States

  • Canada

  • Australia

Data is stored within the selected region to support data residency requirements and minimise international transfers. This helps clinicians meet local data protection and professional obligations regarding where patient information is stored.

Sub-processors

Psychology Tools uses a limited number of vetted sub-processors to deliver the platform, including cloud infrastructure and secure email services.

Sub-processors are subject to contractual safeguards, including data processing agreements. A current list of sub-processors is available on our subprocessors page.

Access controls and monitoring

  • Access to systems and data is controlled using role-based access controls and least-privilege principles.

  • Staff access is restricted to authorised roles and reviewed periodically.

  • System activity is monitored and logged to support security oversight and incident investigation.

Support access to customer data is limited, controlled, and logged.

Incident management and breach notification

Psychology Tools maintains documented incident response procedures covering:

  • Detection and investigation of security incidents

  • Containment and remediation

  • Escalation and communication

Where a personal data breach affecting customer data occurs, Psychology Tools will notify the relevant controller without undue delay, in line with contractual and legal requirements.

Data retention and deletion

  • Therapists and organisations, as data controllers, determine retention periods for patient data.

  • Psychology Tools acts on controller instructions regarding deletion and retention.

  • Deleted data is removed from active systems following defined soft-delete and hard-delete processes.

  • Data removed from active systems may persist in encrypted backups until those backups expire under the defined retention schedule. Backups are not used for active processing.

Data subject rights

Patients have rights under applicable data protection law, including access, rectification, erasure (where applicable), and restriction of processing.

As a data processor, Psychology Tools supports controllers in responding to data subject requests but does not respond to such requests directly unless instructed by the controller.

Assurance materials and further information

Additional assurance materials are available to support organisational due diligence, including:

  • ISO/IEC 27001 certificate and scope

  • Sub-processor lists

For security or information governance enquiries, please contact:

Psychology Tools Limited – Information Governance Team

This page is provided for transparency and due diligence purposes and does not constitute legal advice.