Vendor due diligence for health and posture software: questions clinics should ask
Choosing cloud software is a governance decision, not only a feature comparison. This page helps physiotherapy and orthopaedic clinic leads ask evidence-based questions of vendors. It is educational only; confirm everything with your counsel.
At a glance
- Map controller vs processor before signatures and pilot data.
- Request documentation on encryption, retention, and admin access, not marketing slides.
- Validate how audit trails and exports work for your medico-legal reality.
Clarify legal roles and data flows on paper first
Document which entity is the controller and which is the processor, what categories of data move through the platform, and the lawful basis for each use where applicable. Sketch inbound paths (staff uploads) and outbound paths (PDF email, patient portal). If the vendor cannot explain these flows clearly, pause the pilot.
Security questions that separate serious vendors from brochures
Ask about encryption in transit and at rest, key management, penetration testing cadence, and incident notification timelines. Request the list of subprocessors in writing. Verify whether staff impersonation or "break-glass" admin access is logged, and whether your clinic can review those logs.
Operational continuity: backups, exports, and exit
Understand backup frequency, the choice of geographic region for storage, and how you retrieve a full patient export if you leave the service. Posture clinics often need long retention; confirm whether pricing tiers or feature gates restrict exports that you may need for continuity of care.
What to validate specifically on PosturalCheck
During evaluation, trace a realistic assessment: credit consumption per protocol, who can start analyses, who can export PDFs, and how organisation settings propagate to new users. Align those answers with your internal policy on health data and professional indemnity expectations.
Common questions
- Is this legal advice?
- No. It is procurement-oriented education. Always involve qualified legal and privacy advisors for your jurisdiction and specialty.
- What document should we request first?
- A current Data Processing Agreement or equivalent, the subprocessors list, and a security whitepaper or security questionnaire responses, not a sales deck.
Related guides
- DPA checklist when contracting SaaS for posture and imaging workflows
  Clause-level reminders for processors: subprocessors, international transfers, assistance with DSARs, and PosturalCheck as part of your vendor stack.
- Health data and cloud software: what clinic owners must verify (GDPR-ready mindset)
  A practical checklist for physiotherapy clinics before adopting SaaS for posture photos, PDF reports, and patient records, with questions to ask vendors including PosturalCheck.
- Audit trails in clinic software: why posture clinics should care
  Beyond compliance theatre: how logs support dispute resolution, training, and safe use of PosturalCheck with health imagery.
From reading to the product: plans and credits at a glance
On Pricing you can compare subscriptions, monthly credits included, operator seats, and features (PDF reports, comparisons, stats, roles).