Trust Pack (UK Compliance & Clinical Safety)
Last updated: 16 April 2026
Dentistry Dashboard is designed to support secure, responsible use across NHS and private dental settings. For NHS Trust procurement, IG and clinical safety review, a full Trust pack is available containing clinical safety, information governance, cyber security, and regulatory evidence.
Current assurance status
All items below are current. Certificates, registration letters and independent reports are available on request for Trust IG, procurement and clinical safety review.
DSPT - Standards Met
2025/26 (version 8), published 13 April 2026, valid to 30 June 2027. ODS organisation code V5P2T.
Independent penetration test - passed
External web-application penetration test by Mondas Consulting. Final retest on 10 April 2026 confirmed no remaining reportable findings in scope.
Cyber Essentials
Whole-organisation scope, certified by IASME on 11 September 2025. Cyber liability insurance in force via the Cyber Essentials scheme.
MHRA manufacturer & device registration
Outlook Aesthetics Ltd registered as manufacturer. Dentistry Dashboard AI Notes registered as a Digital dictation system (GMDN 36216), UK MDR Class I. Registration outcome 20 September 2025.
ICO registration
Registered with the Information Commissioner’s Office, reference ZC087154.
DTAC response pack
Full NHS Digital Technology Assessment Criteria response prepared, covering clinical safety, data protection, security, interoperability and usability — including Section C3 independent penetration testing.
Clinical safety (AI Notes)
- ✓ DCB0129-aligned clinical risk management with a named Clinical Safety Officer (CSO), hazard log, safety case and post-market surveillance plan maintained.
- ✓ Human-in-the-loop: AI Notes drafts documentation only. Clinicians review, edit and approve every output before it is saved.
- ✓ Configurable 30-day retention for Trusts: temporary AI notes can be automatically deleted after a Trust-defined retention window. Raw audio is processed transiently and is not retained by Dentistry Dashboard.
UK compliance & information governance
- ✓ UK GDPR / Data Protection Act 2018 compliant processing approach. Your organisation remains the Controller for patient data; we operate as Processor.
- ✓ DSPT Standards Met (2025/26 v8), published 13 April 2026, valid to 30 June 2027.
- ✓ Named DPO and IG lead. Article 28 Data Processing Agreement, subprocessor register, retention schedule, incident response plan and business continuity plan all maintained.
Cyber security & infrastructure
- ✓ Cyber Essentials certified (whole organisation, IASME) and supported by an independent penetration test pass from Mondas Consulting (final retest 10 April 2026, no remaining reportable findings in scope).
- ✓ UK/EU data residency: platform and clinical content for UK customers is hosted on AWS (London, eu-west-2) and Microsoft Azure (UK South).
- ✓ ISO 27001-certified subprocessors (AWS, Microsoft Azure, Google Cloud, Stripe, Postmark, Google Workspace, GitHub) underpin all production infrastructure.
- ✓ TLS in transit, encryption at rest, least-privilege role-based access control, centralised logging, and daily backups with documented retention.
What we can provide (on request)
Trust / IG documents
- Data Processing Agreement (DPA) template (Article 28)
- Subprocessor register (purpose, regions, transfer safeguards)
- Incident Response Plan + tabletop exercise record
- Retention Schedule (including backup persistence)
- Business Continuity & Disaster Recovery Plan
- Data exit and termination (export/deletion)
- Information Governance Framework & Records Management Policy
Evidence & certifications
- DSPT Standards Met certificate (2025/26 v8, ODS V5P2T)
- Cyber Essentials certificate + insurance evidence
- Independent penetration test reports (Mondas, 2026) + retest summary
- MHRA manufacturer registration + Declaration of Conformity
- Clinical safety artefacts (Safety Case, Hazard Log, PMS Plan)
- DPIA materials (AI Notes DPIA)
- DTAC Response Sheet & attachments list
- Supplier Certifications & Assurance Register (subprocessor ISO 27001 / SOC evidence)
A note on Cyber Essentials Plus and ISO 27001
Neither Cyber Essentials Plus nor ISO 27001 is required by NHS DTAC or DSPT at this scope. The NHS baselines — Cyber Essentials and DSPT Standards Met — are both held. Our independent penetration test provides the verified external assurance that Cyber Essentials Plus is intended to demonstrate, and all production cloud infrastructure runs on ISO 27001-certified subprocessors. Where a specific Trust requires ISO 27001 on the supplier legal entity itself, please let us know.
Request the Trust pack
Email our team and we’ll share a concise Trust Compliance Summary as a PDF, with the underlying certificates, DPA, DPIA and policies provided on request for Trust IG review.