Security Overview

How OpenDentist protects patient data through encryption, access controls, and secure infrastructure.

Encryption

AES-256 encryption at rest for all stored data including clinical notes, transcripts, and audio recordings
TLS 1.3 encryption in transit for all data transmissions between clients, servers, and third-party services
AWS Key Management Service (KMS) for centralised encryption key management with automatic annual key rotation
Deprecated protocols (TLS 1.0, TLS 1.1, SSL) are fully disabled

Data Hosting

All patient health data is stored exclusively within the United Kingdom (AWS eu-west-2, London region)
Database encryption enforced at the storage layer with AWS server-side encryption
Automated daily backups with AES-256 encryption, retained for 30 days with point-in-time recovery to 5-minute granularity
Region lock configured to prevent accidental deployment outside the UK

Audio Data Handling

Audio recording storage is optional and off by default
Default retention: audio recordings are automatically deleted as soon as the transcript has been processed
When clinicians elect to store audio, recordings are encrypted with AES-256 in AWS S3 (eu-west-2, London) and retained per NHS Records Management Code of Practice
Audio is never used for AI model training — all AI providers operate under zero-training API agreements

AI Provider Security

Zero data retention agreements in place with all AI providers — no patient data is stored by any AI service
All data transmitted to AI providers via encrypted API calls (TLS 1.3)
AI outputs are drafts only — mandatory clinician review is required before any notes are incorporated into the patient record
Your data is never used to train AI models. All providers operate under API agreements that explicitly prohibit training on customer data
Full AI provider details are available on request under NDA. Contact us.

Access Control

Two-factor authentication (2FA) for all user accounts via email-based verification codes
Multi-factor authentication (MFA) mandatory for all administrative and infrastructure access
Role-based access control (RBAC) with principle of least privilege
Session-based authentication using cookies set with the Secure and HttpOnly flags (inaccessible to browser JavaScript), with automatic timeout after 7 days of inactivity
Comprehensive audit logging of all data access events with minimum 12-month retention
Quarterly access reviews conducted by the CTO, with immediate revocation on role change or departure

Network Security

DDoS protection and Web Application Firewall (WAF) via Cloudflare
Network segmentation isolating application, database, and processing layers
Rate limiting on authentication endpoints (10 attempts per 5 minutes per IP)
Unused ports and services disabled across all infrastructure
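The authentication rate limit stated above (10 attempts per 5 minutes per IP), shown as an added example of a sliding-window limiter; this is illustrative code written for this page, not OpenDentist's implementation, and the class name, the injectable clock and the constructed IP addresses and timestamps are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 10        # attempts allowed per client IP ...
WINDOW_SECONDS = 5 * 60  # ... within this sliding window (5 minutes)


class AuthRateLimiter:
    """Sliding-window limiter keyed by client IP for login endpoints (hypothetical).

    Blocked attempts are not recorded, so a client that is already over the
    limit does not keep pushing its own window further out.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, window_seconds=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                   # injectable so tests can control time
        self._attempts = defaultdict(deque)  # ip -> timestamps of allowed attempts

    def allow(self, ip):
        """Record an attempt from `ip`; return False if it would exceed the limit."""
        now = self.clock()
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:  # expire attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

    def retry_after(self, ip):
        """Seconds until the oldest in-window attempt expires (0.0 when not limited)."""
        q = self._attempts.get(ip)
        if not q or len(q) < self.max_attempts:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


def simulate(attempt_times, ip="203.0.113.7"):
    """Replay constructed attempt timestamps (seconds) for one IP; return the decisions."""
    current = {"t": 0.0}
    limiter = AuthRateLimiter(clock=lambda: current["t"])
    decisions = []
    for t in attempt_times:
        current["t"] = t
        decisions.append(limiter.allow(ip))
    return decisions
```

The 11th attempt inside the window is refused, and the limit for one address does not affect another; once the oldest allowed attempt is 5 minutes old the client may try again.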

Incident Response

Data breach notification to ICO within 72 hours per UK GDPR Articles 33/34
Documented Data Breach Notification Procedure with defined escalation paths and containment protocols
Separate Serious Incident Reporting Procedure for clinical safety events per DCB0129
Post-incident review within 14 days with root cause analysis and corrective actions
Breach register maintained for minimum 6 years