How we look after your patients’ data.
ivory handles patient calls, bookings and payments for UK healthcare clinics. Procurement, IG and DPO teams: this page is for you.
Identity
ivory is operated by Dentree Ltd, registered in England & Wales. Registered office: London, UK.
ICO registration number: ZB123456 (placeholder — current entry on the ICO public register at ico.org.uk).
Company number: 11234567 (placeholder — verify on Companies House).
Data residency & encryption
All patient data is processed in the UK and EEA. Primary storage region: London (UK), with a read replica in Frankfurt (EEA).
- Encrypted in transit using TLS 1.3.
- Encrypted at rest using AES-256.
- Per-tenant logical isolation. Row-level security on every patient-data table.
- Backups encrypted, 35-day rolling retention, restorable to any point in the previous seven days.
Data Processing Agreement
We sign DPAs with every customer. Download our standard template, or send us yours and we’ll counter-sign.
Records of Processing Activities (ROPA)
Our Article 30 ROPA, listing every processing activity, lawful basis and retention period, is published for procurement review.
Sub-processors
The third parties we share patient data with, what they do, where they sit, and a link to their DPA. We notify customers of new sub-processors at least 30 days before they go live.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Vercel Inc | Cloud hosting (marketing site, app) | USA · SCCs in place | DPA |
| Supabase Inc | Database, authentication, file storage | EU (Frankfurt) · UK | DPA |
| Vapi Inc | Voice agent infrastructure | USA · SCCs in place | DPA |
| Twilio Inc | Telephony (inbound/outbound calls, SMS) | UK · USA | DPA |
| SendGrid (Twilio) | Transactional email delivery | USA · SCCs in place | DPA |
| Stripe Payments UK Ltd | Card payments, deposits | UK | DPA |
| Cal.com | Sales scheduling (Dentree, not patient data) | EU | DPA |
Certifications
We’re early stage and choose to publish a roadmap rather than make claims we can’t back up.
- ISO 27001: In progress. Target Q4 2026.
- SOC 2 Type II: In progress. Target Q1 2027.
- Cyber Essentials Plus: Held. Renewed annually.
- NHS DSPT: In progress. Target Q3 2026.
Incident response
We publish all incidents at status.useivory.ai. Critical incidents that affect a customer’s data or service are notified by email to all affected practices within one hour, with a written post-incident review delivered within five working days.
Subject access requests & GDPR rights
Patients and practices can exercise their GDPR rights — access, rectification, erasure, portability, objection — by emailing our DPO at dpo@useivory.ai. We acknowledge within two working days and respond within thirty days.
Practice admins can also export and delete patient records directly from the ivory dashboard.
Procurement questions?
Email dpo@useivory.ai or book a call. We answer infosec questionnaires in days, not weeks.