Security

Last updated: April 2026

  • ICO Registered (Ref: ZC108524)
  • UK GDPR Compliant (Data Protection Act 2018)
  • Cyber Essentials (Certification in progress)

Our Commitment

BosseyAI LTD handles patient contact data on behalf of UK dental clinics. We treat data security as a core business requirement, not an afterthought. This page explains exactly how we protect the data we process, who is responsible, and how to contact us with security concerns.

What Data We Access

BosseyAI processes only the minimum data required to deliver our service. We never access clinical records.

  • Patient name and phone number: Used solely to send appointment reminders and recovery messages
  • Appointment date and time: Used to trigger reminder and follow-up workflows
  • Clinical records, treatment notes, medical history: Never accessed, never stored
  • Financial or payment data: Never accessed, never stored

Technical Safeguards

  • Encryption in transit: All data is transmitted over TLS 1.2+. No unencrypted connections are permitted.
  • Encryption at rest: All stored data is encrypted at rest using AES-256 via Supabase (hosted on AWS EU-West).
  • API authentication: All server endpoints require authenticated API keys. No public endpoints exist that expose patient data.
  • Access control: Patient data is scoped per clinic. No clinic can access another clinic's data.
  • Minimal retention: Patient contact data is deleted 90 days after the end of a clinic contract, or earlier on request.
  • Infrastructure: Hosted on Railway (EU region) and Supabase (AWS EU-West). Both are SOC 2 Type II certified platforms.

Compliance & Certification

  • ICO Registration: ZC108524. Registered 20 March 2026 under the Data Protection Act 2018.
  • UK GDPR: We act as Data Processor for clinic clients. A signed Data Processing Agreement (DPA) is in place with every client before any data is accessed.
  • Cyber Essentials: Certification application currently in progress via IASME. Certificate expected May 2026.
  • Sub-processors: Twilio (SMS, US — SCCs in place), VAPI (voice AI), Railway (server hosting, EU), Supabase (database, AWS EU-West). Full sub-processor list available on request.

Security Leadership

Security at BosseyAI is led by Alex Abossey, Technical Director. Alex is a Senior Network Analyst at Unipart Group with over 20 years of enterprise infrastructure and network security experience in regulated, safety-critical environments. He is responsible for all security architecture, policy, and incident response at BosseyAI.

Breach Response

In the event of a confirmed data breach, BosseyAI will notify affected clinic clients within 24 hours of discovery, and report to the ICO within 72 hours where required under UK GDPR Article 33. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Report a Security Issue

If you have discovered a security vulnerability or have a security concern, please contact our Technical Director directly:

Alex Abossey — Technical Director

security@bosseyai.com

We aim to acknowledge all security reports within 24 hours.