Security & compliance

Patient data, treated like patient data.

Built by a UK dental practice owner for UK dental practices. UK GDPR, CQC and GDC alignment isn’t an afterthought — it’s the design constraint.

UK GDPR

UK GDPR + Data Protection Act 2018.

We sign a UK GDPR Data Processing Agreement with every practice. You remain the Data Controller. dentdial is the Data Processor. Sub-processors listed and updated publicly.

Hosting

UK-only data residency.

All call recordings, transcripts, patient identifiers and metadata stored in UK-region cloud infrastructure (AWS London / eu-west-2). No transfers outside the UK or EEA without explicit consent.

Encryption

AES-256 at rest. TLS 1.3 in transit.

Recordings encrypted with per-tenant keys. Database encrypted at the disk and field level for sensitive PII. All API and call traffic over TLS 1.3.

Consent

Consent captured on every call.

Every inbound call opens with a recording disclosure and lawful basis statement. Patients can opt out, request transcripts or request deletion at any time.

Retention

Retention you control.

Default 90-day retention for call recordings, longer for booking records (per practice policy). Custom retention windows for Group plans. Hard delete on request, within 30 days.

Access

Role-based access. Audit logs.

SSO (Google, Microsoft). Multi-factor authentication enforced. Every staff action — view, listen, download, delete — logged with timestamp and user.

CQC

CQC inspection-ready.

Complaints captured and routed to your nominated complaints lead. Full audit trail. Patient feedback aggregated. Reports formatted for CQC submission.

GDC

GDC-compliant scripts.

Triage scripts reviewed by registered UK dentists. No clinical advice provided. Clear scope boundaries — dentdial books appointments, it doesn’t diagnose.

AI safety

No model training on your data.

Your calls, transcripts and patient records are never used to train shared AI models. Per-practice fine-tuning stays in your tenant.

Standards we work to.

What we comply with today and what’s on the certification roadmap.

In place today

  • UK GDPR — Data Processing Agreement signed with every customer. View the DPA.
  • Data Protection Act 2018 — registered with the ICO as a data processor.
  • Cyber Essentials — certified. Annual renewal.
  • NHS DSPT — Data Security and Protection Toolkit alignment, “Standards Met” status.

On the roadmap (Q4 2026)

  • ISO 27001 — information security management. Audit underway.
  • Cyber Essentials Plus — independent technical verification.
  • SOC 2 Type II — for international expansion.

Reporting a security issue

If you believe you’ve found a vulnerability, please report it through our contact form. We respond within one working day and operate a responsible disclosure programme.

Need our DPA, security questionnaire or sub-processor list?