Security Overview
A summary of our commitment to protecting clinical data at every layer of the DigitalTCO platform.
DigitalTCO is a clinical documentation platform purpose-built for dental professionals. The platform converts voice recordings captured during clinical encounters into structured, accurate clinical notes using artificial intelligence. Because this process inherently involves the capture, transmission, processing, and storage of sensitive patient health information, security is not an afterthought or a feature we have bolted on — it is the foundational architecture upon which every aspect of the product has been designed.
We understand that the decision to adopt any technology that handles patient data is not taken lightly. Dental professionals have regulatory obligations under frameworks including the Health Insurance Portability and Accountability Act (HIPAA) in the United States, the UK General Data Protection Regulation (UK GDPR) and the NHS Data Security and Protection Toolkit (DSPT) in the United Kingdom, the Privacy Act 1988 and the Australian Privacy Principles (APPs) in Australia, and various other data protection regimes worldwide. Our responsibility is to ensure that your use of DigitalTCO does not merely satisfy these obligations, but exceeds them.
This document is intended to provide you — and your practice's information governance lead, compliance officer, data protection officer, or legal counsel — with a thorough, transparent account of exactly how we handle data. We encourage you to read it in full. If any aspect of our security posture is unclear, or if you require additional documentation, we are happy to provide further detail upon request.
Data Flow Architecture
A step-by-step breakdown of how your voice recording becomes a clinical note — and exactly where encryption, processing, and deletion occur at each stage.
Understanding exactly how data moves through the DigitalTCO platform is critical to evaluating our security posture. Below is a detailed, sequential account of the data lifecycle from the moment you press "Record" to the moment your completed clinical note is available in your account.
Encryption Standards
Technical specifications of the encryption protocols applied to your data at every stage of the DigitalTCO platform.
Encryption is applied at every point in the data lifecycle. We use industry-standard protocols (TLS 1.2 or higher in transit and AES-256 at rest) so that patient health information is unreadable to any unauthorised party, whether in transit between your device and our servers or at rest within our database infrastructure; during processing, data is protected by being held only in volatile memory within an isolated compute environment, as described below.
Encryption in Transit
Encryption at Rest
Encryption During Processing
During the brief period in which audio data is being processed (transcription and note generation), data exists only in volatile memory within an isolated compute instance. This instance is provisioned exclusively for the duration of the processing task and is terminated immediately upon completion. No data is written to persistent storage during processing. The compute environment is protected by network-level isolation, role-based access controls, and real-time monitoring.
United States: HIPAA Compliance
Detailed overview of our compliance with the Health Insurance Portability and Accountability Act for dental practices operating in the United States.
The Health Insurance Portability and Accountability Act (HIPAA) establishes the national standard for protecting sensitive patient health information in the United States. Any entity that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) on behalf of a covered entity, such as a dental practice, is classified as a Business Associate. Business Associates are directly subject to the HIPAA Security Rule and the HIPAA Breach Notification Rule, and to those provisions of the HIPAA Privacy Rule that apply to them and to the terms of their Business Associate Agreement.
DigitalTCO operates as a Business Associate to dental practices using our platform. We take this classification seriously and have implemented comprehensive administrative, physical, and technical safeguards to meet and exceed the requirements set forth under HIPAA.
Business Associate Agreement (BAA)
We execute a Business Associate Agreement (BAA) with every US dental practice that uses the DigitalTCO platform. The BAA is a legally binding contract that establishes the permitted and required uses and disclosures of Protected Health Information (PHI) by DigitalTCO, our obligations to safeguard that information, and the procedures for breach notification. Our standard BAA is available for review prior to account activation. If your practice requires modifications or addenda to the standard BAA, our compliance team will work with your legal counsel to accommodate reasonable requests.
HIPAA Security Rule: Technical Safeguards
The HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) requires the implementation of technical safeguards to control access to electronic Protected Health Information. DigitalTCO implements the following technical safeguards:
HIPAA Security Rule: Administrative Safeguards
HIPAA Security Rule: Physical Safeguards
DigitalTCO's infrastructure is hosted on cloud platforms that maintain rigorous physical security controls at their data centre facilities. These include 24/7 security personnel, biometric access controls, video surveillance, environmental controls (temperature, humidity, fire suppression), and redundant power systems. Data centres used for processing and storing US patient data are located exclusively within the United States.
HIPAA Breach Notification Rule
In the unlikely event of a breach of unsecured Protected Health Information, DigitalTCO will notify affected covered entities without unreasonable delay and in no case later than 60 calendar days following the discovery of the breach, as required under 45 CFR §164.410. Our breach notification procedures include identification and containment of the breach, risk assessment to determine whether the breach constitutes a reportable incident, notification to the affected covered entity with all information required under the Breach Notification Rule, and cooperation with the covered entity's own notification obligations to affected individuals and, where applicable, the Department of Health and Human Services (HHS) and media outlets.
US Data Residency
All data belonging to US dental practices — including audio during processing, clinical notes, user account information, and metadata — is processed and stored exclusively within data centres located in the continental United States. No US patient data is transferred to, processed in, or stored in any jurisdiction outside the United States. This includes transient processing; at no point during the data flow described in Section 2 does US patient data leave US-based infrastructure.
State-Specific Compliance Considerations
In addition to federal HIPAA requirements, several US states have enacted their own health data privacy laws that may impose additional obligations. DigitalTCO's architecture has been designed to accommodate the requirements of state-specific health information privacy statutes, including but not limited to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Texas Medical Records Privacy Act, the New York SHIELD Act, and state-level audio recording consent requirements. DigitalTCO's zero audio retention policy and user-consent-driven recording model are designed to align with both one-party and all-party consent jurisdictions, though practices are responsible for obtaining patient consent in accordance with their applicable state law.
United Kingdom: GDPR, DSPT & Regulatory Compliance
Comprehensive overview of our compliance with UK data protection law, NHS frameworks, and dental regulatory requirements.
The United Kingdom has one of the most rigorous data protection regimes in the world. Processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR), as retained in domestic law following the UK's departure from the European Union, and the Data Protection Act 2018. Organisations handling NHS patient data are additionally expected to complete the NHS Data Security and Protection Toolkit (DSPT), to meet the Digital Technology Assessment Criteria (DTAC) where they supply digital health technology, and to hold Cyber Essentials certification as a baseline security standard. DigitalTCO has been designed from the outset to satisfy the requirements of each of these frameworks.
UK GDPR: Lawful Basis for Processing
Under Article 6 of the UK GDPR, the processing of personal data requires a lawful basis. DigitalTCO processes personal data on behalf of dental practices, who act as the Data Controller. DigitalTCO acts as a Data Processor. The lawful bases upon which processing is typically conducted include Legitimate Interests (Article 6(1)(f)) — the processing is necessary for the legitimate interests of the dental practice in maintaining accurate clinical records, subject to the Data Controller's own assessment — and, where applicable, Consent (Article 6(1)(a)) and Performance of a Contract (Article 6(1)(b)). For special category health data under Article 9, processing is conducted under Article 9(2)(h) — the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care, or the management of health care systems and services.
Data Processing Agreement (DPA)
In accordance with Article 28 of the UK GDPR, DigitalTCO enters into a Data Processing Agreement with every UK dental practice. The DPA sets out the subject matter and duration of processing, the nature and purpose of processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. Our standard DPA is compliant with ICO guidance and is available upon request.
Data Subject Rights
DigitalTCO has implemented technical and organisational measures to support dental practices in fulfilling data subject rights requests under Articles 15–22 of the UK GDPR. These include the right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). Requests are processed in accordance with the applicable time limits (one calendar month, extendable by two further months where requests are complex or numerous).
NHS Data Security and Protection Toolkit (DSPT)
The DSPT is a mandatory online self-assessment tool developed by NHS England for all organisations that access, process, or store NHS patient data. The DSPT requires organisations to demonstrate compliance with the National Data Guardian's 10 Data Security Standards, which cover areas including staff training, data handling, asset management, access controls, network security, continuity planning, incident response, and unsupported systems.
DigitalTCO submits an annual DSPT assessment and maintains a published "Standards Met" status. Our DSPT submission addresses all 10 standards and their associated evidence requirements, including the completion of annual data security awareness training by all staff, the maintenance of a comprehensive Record of Processing Activities (RoPA), documented data protection policies and procedures, technical measures including encryption, access controls, and patch management, and an incident response plan that is tested at least annually.
Digital Technology Assessment Criteria (DTAC)
The DTAC is a framework published by NHS England for assessing digital health technologies. While originally designed for apps, platforms, and medical devices used within the NHS, the DTAC criteria represent best practice for any digital health technology operating in the UK. DigitalTCO's architecture and data handling practices align with the DTAC's requirements across its five assessment domains: Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability and Accessibility.
Cyber Essentials
Cyber Essentials is a UK government-backed certification scheme that sets out baseline security controls for organisations. DigitalTCO has achieved Cyber Essentials certification, which verifies that we have implemented controls covering firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. We undergo the Cyber Essentials assessment annually and maintain current certification at all times.
Information Commissioner's Office (ICO) Registration
DigitalTCO is registered with the Information Commissioner's Office (ICO) as a Data Processor in accordance with the requirements of the Data Protection Act 2018. Our ICO registration details are available upon request.
International Data Transfers
DigitalTCO utilises distributed databases across the UK, the US, and the EU, so data belonging to UK practices may be transferred between these locations. Chapter V of the UK GDPR governs such transfers: transfers to the EEA are covered by the UK's adequacy regulations, while transfers to the US must rely on either the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), where the recipient is certified under it, or on appropriate safeguards such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. We ensure that every cross-border transfer of your patient data is covered by one of these recognised mechanisms and by the contractual safeguards in our Data Processing Agreement. This section applies to UK practice data only; as set out under US Data Residency, data belonging to US practices is not transferred outside the United States.
GDC Record-Keeping Standards
The General Dental Council (GDC) requires that dental professionals maintain adequate clinical records. DigitalTCO is designed to support compliance with the GDC's Standards for the Dental Team, specifically Standard 4.1 ("Make and keep contemporaneous, complete and accurate patient records"). Our AI-generated clinical notes are structured to capture the key information required for compliant dental records, including clinical findings, treatment provided, materials used, informed consent, and post-operative instructions. However, it is the clinician's responsibility to review and approve all AI-generated notes before they are finalised as part of the patient record.
Australia: Privacy Act & Health Records Compliance
How DigitalTCO meets Australian federal and state-level requirements for the handling of health information.
Australia's data protection framework for health information is primarily governed by the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) set out in Schedule 1 of the Act. In addition, several Australian states and territories have enacted their own health records legislation that imposes additional or supplementary requirements, including the Health Records Act 2001 (VIC), the Health Records and Information Privacy Act 2002 (NSW), and the Health Records (Privacy and Access) Act 1997 (ACT).
Dental practices in Australia are classified as health service providers under the Privacy Act and are required to comply with the APPs when collecting, using, disclosing, and storing health information. DigitalTCO has been designed to support Australian dental practices in meeting these obligations.
Australian Privacy Principles (APPs) — Compliance Mapping
Notifiable Data Breaches Scheme
Under Part IIIC of the Privacy Act 1988 (the Notifiable Data Breaches scheme), an entity holding personal information must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual to whom the information relates. A suspected breach must be assessed within 30 days, and notification must follow as soon as practicable once the breach is confirmed as eligible. DigitalTCO maintains a documented breach response procedure covering identification and containment, assessment of likely harm, notification to the affected practice, the OAIC and affected individuals within these timeframes, and remedial action to prevent recurrence.
Australian Health Practitioner Regulation Agency (AHPRA)
The Dental Board of Australia, administered by AHPRA, sets the Code of Conduct for dental practitioners, which includes requirements relating to clinical record-keeping. DigitalTCO supports compliance with these requirements by generating structured, contemporaneous clinical notes that capture the essential elements of each patient encounter. As with all AI-generated documentation, the registered dental practitioner retains full clinical responsibility for reviewing, amending, and approving all notes.
My Health Record
DigitalTCO does not currently integrate directly with the My Health Record system. Clinical notes generated by DigitalTCO can be exported and uploaded to My Health Record-connected practice management systems by the dental practice, in accordance with the My Health Records Act 2012 (Cth) and associated rules.
Rest of World: International Compliance
How DigitalTCO approaches data protection for dental practices operating outside the United States, United Kingdom, and Australia.
DigitalTCO is used by dental professionals in a growing number of jurisdictions. While our primary compliance focus is on the United States (HIPAA), the United Kingdom (UK GDPR, DSPT), and Australia (Privacy Act 1988), our security architecture has been designed to accommodate the data protection requirements of practices operating in other jurisdictions.
European Economic Area (EEA)
For dental practices operating within the European Economic Area, the EU General Data Protection Regulation (Regulation (EU) 2016/679) applies. DigitalTCO's data handling practices are aligned with GDPR requirements, including lawful basis for processing, data minimisation, purpose limitation, storage limitation, data subject rights, and cross-border transfer safeguards. Where data is transferred outside the EEA, Standard Contractual Clauses (SCCs) as approved by the European Commission are utilised.
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs the handling of personal information in the Canadian private sector. Provincial legislation, such as Alberta's Health Information Act (HIA) and Ontario's Personal Health Information Protection Act (PHIPA), may also apply. DigitalTCO's data minimisation, consent, and security practices are consistent with the principles set out in PIPEDA and applicable provincial health information legislation.
New Zealand
The Privacy Act 2020 and the Health Information Privacy Code 2020 govern the handling of health information in New Zealand. DigitalTCO's practices are consistent with the 13 Information Privacy Principles set out in the Privacy Act 2020 and the specific rules for health information in the Health Information Privacy Code.
Middle East and Gulf Cooperation Council (GCC)
Several GCC states have enacted or are developing data protection legislation, including the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, the Saudi Arabia Personal Data Protection Law (PDPL), and the Qatar Law No. 13 of 2016 Concerning Personal Data Privacy. DigitalTCO will work with practices in these jurisdictions to ensure that our data handling arrangements meet local requirements, including data localisation requirements where applicable.
General Approach to International Compliance
For jurisdictions not specifically addressed in this document, DigitalTCO applies a "highest standard" approach: we apply the most protective set of controls from among our existing compliance frameworks (HIPAA, UK GDPR, Privacy Act 1988) to all users by default. This means that regardless of your jurisdiction, your data benefits from AES-256 encryption at rest, TLS 1.2+ encryption in transit, zero audio retention, strict access controls, and comprehensive audit logging. If your jurisdiction has specific requirements that are not addressed by our default controls, we will work with you to identify and implement any additional measures that may be required.
Infrastructure & Hosting
Details of the physical and cloud infrastructure that underpins the DigitalTCO platform.
DigitalTCO's production infrastructure is hosted on enterprise-grade cloud platforms that maintain extensive compliance certifications, including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and FedRAMP. These certifications attest to the hosting provider's controls at the physical and infrastructure layer; DigitalTCO's own application and operational controls are evidenced separately, through the Cyber Essentials certification, DSPT submission, and penetration testing described in this document. The specific hosting arrangements vary by region to ensure compliance with data residency requirements:
Network Architecture
Our network architecture implements defence-in-depth principles. Production services operate within a Virtual Private Cloud (VPC) with network segmentation that isolates processing, storage, and application layers. Ingress traffic is filtered through a Web Application Firewall (WAF) and distributed denial-of-service (DDoS) protection. Egress traffic is controlled via network access control lists and security groups. Internal service-to-service communication is encrypted and authenticated.
Redundancy and Availability
The platform is architected for high availability with redundancy across multiple availability zones within each region. Database infrastructure uses automated replication with synchronous writes to ensure data durability. Our availability target is 99.9% uptime, and we maintain a public status page for real-time service health monitoring.
Access Controls & Authentication
How we control who can access what, and how identity is verified at every level of the platform.
User Authentication
Internal Access Controls
Access to production systems and customer data by DigitalTCO personnel is governed by the principle of least privilege. Access is granted only to personnel whose job function requires it, is approved by a designated security lead, is logged in an immutable audit trail, requires multi-factor authentication, and is reviewed quarterly and revoked upon role change or termination. DigitalTCO personnel do not have the ability to view, read, or access the contents of clinical notes stored in user accounts under normal operating conditions. Access to raw data requires an explicit, documented, and approved access request with a stated justification.
Data Retention & Deletion
How long we keep data, what we keep, and how deletion works.
Right to Deletion
You may request the deletion of your clinical notes, account data, or any other personal information held by DigitalTCO at any time by contacting our support team or using the in-app data management tools. Deletion requests are processed within 30 calendar days. Upon deletion, data is removed from all primary storage systems. Data may persist in encrypted backup systems for up to an additional 30 days, after which it is permanently purged. Audit log records of the creation, access, and deletion events relating to that data are retained separately, for the period described under Audit Logging & Continuous Monitoring.
Sub-Processors & Third Parties
A transparent list of the third-party services that handle data as part of DigitalTCO's operations.
DigitalTCO uses a limited number of third-party sub-processors in the delivery of our service. Each sub-processor has been evaluated for security and compliance, is bound by a Data Processing Agreement (or equivalent contractual safeguards), and is subject to ongoing monitoring. We maintain a register of all sub-processors, which is available to customers upon request.
Our sub-processors fall into the following categories: cloud infrastructure providers (hosting and compute), speech-to-text processing engines, large language model providers (for clinical note generation), payment processing, email delivery, and customer support tooling. Each sub-processor processes only the minimum data necessary for its specific function. No sub-processor has access to the full dataset. Audio data is processed in isolation by the speech-to-text engine and is never passed to or accessible by any other sub-processor. No sub-processor uses DigitalTCO customer data to train, fine-tune, or improve their own models or services.
Patient Consent & Recording Disclosure
Guidance on obtaining and documenting patient consent for AI-assisted clinical documentation.
DigitalTCO records audio of clinical encounters for the purpose of generating clinical documentation. Because this process involves the recording of conversations between dental practitioners and patients, appropriate consent must be obtained. The specific consent requirements vary by jurisdiction and are the responsibility of the dental practice (as the Data Controller or Covered Entity) to implement. DigitalTCO provides the following guidance and resources to support practices in meeting their consent obligations.
United States
In the United States, audio recording consent requirements vary by state. Some states operate under one-party consent rules (where only one party to the conversation needs to consent), while others require all-party consent. Dental practices must ensure compliance with their state's applicable wiretapping or eavesdropping statute. In all cases, we recommend informing patients that AI-assisted documentation technology is being used and obtaining explicit verbal or written consent, documented in the patient record. DigitalTCO provides a sample consent form and notification script that practices can adapt for their use.
United Kingdom
Under the UK GDPR and the Data Protection Act 2018, dental practices must have a lawful basis for processing patient data, which includes audio recordings. Practices should update their privacy notice to include reference to the use of AI-assisted clinical documentation, ensure that patients are informed of the recording and its purpose, and provide patients with the opportunity to opt out. The GDC's Standards for the Dental Team require that patients are informed about how their information is used.
Australia
Under the Privacy Act 1988 and APP 5, dental practices must notify patients about the collection of their personal information. This includes informing patients that audio recordings are being made for clinical documentation purposes, the purpose of the recording, who will have access to the recording and the resulting notes, and how the recording will be handled after processing (i.e., immediate deletion). State and territory surveillance legislation may also apply. Practices should seek legal advice regarding the specific consent requirements in their jurisdiction.
Incident Response
Our procedures for identifying, containing, investigating, and reporting security incidents.
DigitalTCO maintains a documented Security Incident Response Plan (SIRP) that defines the procedures for detecting, responding to, containing, investigating, and recovering from security incidents. The plan is reviewed and updated at least annually and is tested through tabletop exercises and simulated incident scenarios.
Incident Classification
Security incidents are classified into severity levels: Critical (confirmed or suspected breach of ePHI/personal data with potential for serious harm), High (security event with potential to compromise data integrity or availability), Medium (security event with limited impact and no data exposure), and Low (anomalous activity requiring investigation but posing no immediate threat). Each severity level has defined escalation procedures, response timeframes, and communication protocols.
Notification Procedures
In the event of a reportable data breach, DigitalTCO will notify affected customers in accordance with the applicable regulatory timeframes: as a Business Associate, without unreasonable delay and no later than 60 calendar days after discovery under HIPAA; as a processor, without undue delay after becoming aware of the breach under Article 33(2) of the UK GDPR, so that the practice, as controller, can meet its own obligation to notify the ICO within 72 hours where required; and as soon as practicable under the Australian Notifiable Data Breaches scheme. Breach notifications will include a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.
Audit Logging & Continuous Monitoring
How we maintain visibility into every action taken on the platform and detect anomalous activity.
DigitalTCO maintains comprehensive audit logs that record all significant events within the platform. Audit logs are immutable (append-only), timestamped with UTC synchronisation, stored in a separate, access-restricted logging infrastructure, encrypted at rest, and retained for a minimum of six years. Logged events include user authentication events (login, logout, failed attempts), note creation, viewing, editing, and deletion events, administrative actions (user management, configuration changes), API access events, and system health and error events.
Continuous Monitoring
The platform employs real-time monitoring and alerting for anomalous activity, including unusual login patterns (geographic anomalies, time-of-day anomalies, multiple failed attempts), unexpected data access patterns, elevated API request volumes, infrastructure health metrics (CPU, memory, disk, network), and security event correlation. Alerts are routed to our on-call engineering and security team for triage and investigation.
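As an added illustration, not DigitalTCO's own tooling or log format, the following Python sketches the kind of rules a monitoring pipeline runs over the audit events described in the two paragraphs above. It consumes a constructed, append-only event stream with UTC timestamps and flags four of the anomaly classes listed: repeated failed logins, a geographic anomaly between successive logins, note access outside working hours, and bulk note access. The event fields, actor names, the 07:00 to 20:00 UTC working window and every threshold are assumptions chosen for the example.

```python
"""Detection rules over a constructed audit-log event stream (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events in append order: (UTC timestamp, actor, event type,
# source country, note id or None). Field layout, names and values are assumptions.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00Z", "dr.smith", "login_success", "GB", None),
    ("2024-05-01T08:05:00Z", "dr.smith", "note_view", "GB", "n-101"),
    ("2024-05-01T08:20:00Z", "dr.smith", "note_edit", "GB", "n-101"),
    # Second login from another country 70 minutes later: geographic anomaly.
    ("2024-05-01T09:10:00Z", "dr.smith", "login_success", "BR", None),
    ("2024-05-01T09:11:00Z", "dr.smith", "note_view", "BR", "n-102"),
    # Twelve distinct notes opened within a minute: unexpected access pattern.
    *[(f"2024-05-01T10:00:{5 * i:02d}Z", "admin", "note_view", "GB", f"n-{200 + i}")
      for i in range(12)],
    # Five failed logins in five minutes: credential guessing.
    *[(f"2024-05-01T21:{i:02d}:00Z", "nurse.jones", "login_failure", "GB", None)
      for i in range(5)],
    # Note opened at 02:30 UTC: time-of-day anomaly.
    ("2024-05-02T02:30:00Z", "dr.lee", "note_view", "GB", "n-300"),
]

NOTE_ACCESS = {"note_view", "note_edit", "note_delete"}


def parse_events(rows):
    """Turn raw tuples into dicts with timezone-aware UTC datetimes, oldest first."""
    events = []
    for ts, actor, kind, country, note_id in rows:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "actor": actor, "kind": kind,
                       "country": country, "note_id": note_id})
    return sorted(events, key=lambda e: e["ts"])


def _alert(rule, event, detail):
    return {"rule": rule, "actor": event["actor"],
            "ts": event["ts"].isoformat(), "detail": detail}


def detect_failed_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Flag an actor with `threshold` or more failed logins inside a sliding `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["kind"] != "login_failure":
            continue
        bucket = recent[e["actor"]]
        bucket.append(e["ts"])
        bucket[:] = [t for t in bucket if t >= e["ts"] - window]  # drop stale failures
        if len(bucket) >= threshold:
            alerts.append(_alert("repeated_login_failure", e,
                                 f"{len(bucket)} failures in {window}"))
            bucket.clear()  # one burst yields one alert
    return alerts


def detect_geo_anomalies(events, max_gap=timedelta(hours=2)):
    """Flag successive successful logins from different countries within `max_gap`."""
    alerts, last_login = [], {}
    for e in events:
        if e["kind"] != "login_success":
            continue
        prev = last_login.get(e["actor"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= max_gap:
            alerts.append(_alert("geographic_anomaly", e,
                                 f"{prev['country']} -> {e['country']} in {e['ts'] - prev['ts']}"))
        last_login[e["actor"]] = e
    return alerts


def detect_off_hours_access(events, start_hour=7, end_hour=20):
    """Flag clinical-note access outside the assumed working window (UTC hours)."""
    return [_alert("off_hours_access", e,
                   f"note {e['note_id']} at {e['ts'].strftime('%H:%M')} UTC")
            for e in events
            if e["kind"] in NOTE_ACCESS and not start_hour <= e["ts"].hour < end_hour]


def detect_bulk_access(events, threshold=10, window=timedelta(minutes=5)):
    """Flag an actor touching `threshold` or more distinct notes inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in events:
        if e["kind"] not in NOTE_ACCESS:
            continue
        bucket = recent[e["actor"]]
        bucket.append((e["ts"], e["note_id"]))
        bucket[:] = [x for x in bucket if x[0] >= e["ts"] - window]
        distinct = {note for _, note in bucket}
        if len(distinct) >= threshold:
            alerts.append(_alert("bulk_note_access", e,
                                 f"{len(distinct)} distinct notes in {window}"))
            bucket.clear()
    return alerts


def run_all(events):
    """Run every rule over the stream and return alerts ordered by event time."""
    alerts = []
    for rule in (detect_failed_logins, detect_geo_anomalies,
                 detect_off_hours_access, detect_bulk_access):
        alerts.extend(rule(events))
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in run_all(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']}  {a['rule']:<24} {a['actor']:<12} {a['detail']}")
```

Each rule keeps only the per-actor state it needs (a sliding window of recent failures or note identifiers, or the last successful login), so it can run incrementally over an append-only stream rather than re-reading the whole log; the one-alert-per-burst reset is what keeps a single credential-guessing run from paging the on-call engineer five times.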
Personnel Security
The measures we take to ensure that the people behind DigitalTCO are trustworthy and trained.
All DigitalTCO personnel with access to production systems or customer data are subject to background verification checks prior to the commencement of employment or engagement, confidentiality agreements and non-disclosure obligations, mandatory security awareness training upon onboarding and at least annually thereafter, HIPAA-specific training (for personnel handling US customer data), UK GDPR and data protection training (for personnel handling UK customer data), and role-specific access provisioning based on the principle of least privilege.
Access credentials are revoked immediately upon termination of employment or engagement. All company-issued devices are subject to endpoint protection policies including full-disk encryption, screen lock enforcement, and remote wipe capability.
Penetration Testing & Vulnerability Management
How we proactively identify and remediate security vulnerabilities.
DigitalTCO conducts regular security testing to identify and remediate vulnerabilities before they can be exploited. Our vulnerability management programme includes automated dependency scanning (continuous), static application security testing (SAST) integrated into our CI/CD pipeline, dynamic application security testing (DAST) performed at least quarterly, external penetration testing conducted by an independent, qualified third-party security firm at least annually, and remediation SLAs (Critical: 24 hours, High: 7 days, Medium: 30 days, Low: 90 days).
The results of penetration tests and vulnerability assessments are reviewed by our security lead and used to inform our security roadmap. Executive summaries of the most recent penetration test report are available to enterprise customers upon request under NDA.
Business Continuity & Disaster Recovery
How we ensure the platform remains available and your data remains safe, even in the event of a major disruption.
DigitalTCO maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) that are designed to ensure continuity of service and the protection of customer data in the event of a major disruption, including infrastructure failures, natural disasters, cyberattacks, and provider outages.
Request Security Documentation
How to obtain our full security whitepaper, BAA, DPA, penetration test summary, or other compliance documentation.
We believe that transparency is a prerequisite for trust. If you require any of the following documents, please contact our compliance team and we will provide them promptly:
Our compliance team will send you our full security package, including BAA, DPA, whitepaper, and any additional documents your practice requires, typically within one business day. Contact: compliance@digitaltco.co.uk
