MDConnect Data Security Overview

MDBUDDY UK LTD

Effective date: 1 January 2026

Last reviewed: 4 April 2026

Next review due: 4 April 2027

This document provides an overview of the technical and organisational security measures that MDBUDDY UK LTD has implemented to protect personal data processed through the MDConnect platform. It is intended for Local Authority procurement teams, Programme Provider information governance leads, academy trust data protection officers, and any other party conducting due diligence or completing a Data Protection Impact Assessment in connection with MDConnect.

This document should be read alongside the MDConnect Privacy Policy, the MDConnect Data Processing Agreement, and the MDConnect DPIA and Due Diligence Information Pack. It does not replace those documents but provides a consolidated security reference.

1. Company Overview

Legal entity: MDBUDDY UK LTD

Registered address: 427 Kings Road, Stretford, Manchester, M32 8LN

ICO registration number: ZB894415

Data compliance lead: Dr Ramzan Mohammed

Contact email: mdconnect@mydentalbuddy.com

Product: MDConnect: a web-based SaaS platform for managing supervised toothbrushing programmes

Live deployment: Oldham Council supervised toothbrushing programme

Insurance coverage: Employer's Liability (£5m), Public Liability (£10m), Professional Indemnity (£2m)

2. Certifications and Compliance Standards

MDBUDDY UK LTD holds or is working towards the following certifications and compliance standards relevant to information security and data protection.

Cyber Essentials: Certified. Cyber Essentials is a UK Government-backed scheme that helps organisations protect against the most common cyber threats.

NHS Data Security and Protection Toolkit (DSPT): MDBUDDY submits to the NHS DSPT annually. The DSPT demonstrates compliance with the National Data Guardian's 10 data security standards. Current submission status is available on request.

ISO 27001: Not currently certified. MDBUDDY operates information security practices aligned with ISO 27001 principles and is evaluating formal certification as the business scales.

UK GDPR compliance: MDBUDDY is registered with the ICO (ZB894415) and processes all personal data in accordance with the UK GDPR and the Data Protection Act 2018.

3. Hosting and Data Residency

All personal data processed through MDConnect is stored and processed within the United Kingdom and the European Economic Area. There is an absolute prohibition on processing or storing personal data outside these jurisdictions.

Primary cloud provider: Amazon Web Services (AWS)

AWS regions used: Europe (Ireland, eu-west-1) and Europe (London, eu-west-2)

Secondary cloud provider: Firebase (Google Cloud Platform)

Firebase region: Europe

Data residency guarantee: All personal data remains within UK and EEA jurisdictions at all times. This applies to primary storage, backups, and disaster recovery environments.

Multi-tenancy: MDConnect is a multi-tenant platform. Each Customer's data is logically isolated. Admin Users from one Customer cannot access another Customer's data.

AWS and Google Cloud are used by multiple UK government departments and NHS organisations, and both undergo rigorous compliance assessments including SOC 2, ISO 27001, and NHS-specific audits.

4. Encryption

Encryption at rest: All data stored within MDConnect is encrypted using AES-256 encryption, the industry standard for protecting sensitive data. This applies to all databases, file storage, and backup systems.

Encryption in transit: All data transmitted between users' browsers and the MDConnect platform is encrypted using TLS 1.3. This ensures that data cannot be intercepted or read during transmission.

End-to-end encryption: Encryption is maintained throughout the platform's systems, from the point of data entry through storage, processing, and retrieval.

Backup encryption: All backup data is encrypted using the same AES-256 standard as primary data.

5. Access Controls

5.1 Platform Access Controls

MDConnect operates role-based access controls following the principle of least privilege. Access is restricted to the minimum necessary for each user to perform their function.

Role: Setting User
Access Scope: Own Setting only
Key Restrictions: Cannot see other Settings, programme-wide reports, pipeline view, internal admin notes, or contact log entries. Cannot change own pipeline status.

Role: Admin User (LA/PP)
Access Scope: Own programme only
Key Restrictions: Full access to all Settings, reports, stock, incidents, audits, and user management within their own programme. Cannot access other Customers' data.

Role: MDBUDDY Admin
Access Scope: All tenants (super-admin)
Key Restrictions: Access for technical support and platform maintenance only. All access is logged and subject to internal audit.

5.2 Authentication

Login method: Individual username and password for each Authorised User. Credentials are not shared between individuals.

Password requirements: Passwords must meet minimum complexity requirements including length and character diversity.

Session management: User sessions are time-limited. Inactive sessions expire automatically.

Account lockout: Accounts are locked after repeated failed login attempts to prevent brute-force attacks.

5.3 Internal Access

MDBUDDY's internal access to Customer data is strictly controlled. A limited number of engineers hold privileged access to the platform infrastructure. This access is used only for technical support, maintenance, and incident response. All privileged access is logged, and access logs are reviewed regularly.

6. Personnel Security

DBS clearances: All MDBUDDY staff with access to data that includes information about children hold enhanced DBS clearances. Clearances are obtained before access is granted and renewed in accordance with company policy.

Professional registration: Clinical staff maintain current professional registration with the relevant regulatory body (e.g. GDC). Registration status is verified on appointment and monitored on an ongoing basis.

Data protection training: All staff receive comprehensive data protection training on induction. Refresher training is provided at least annually, with additional training triggered by incidents or changes in practice.

Confidentiality obligations: All staff are bound by contractual confidentiality obligations covering personal data and Customer information. These obligations survive the termination of employment.

Acceptable use: Staff are required to comply with internal information security policies covering device use, password management, data handling, and remote working.

7. Security Monitoring and Testing

Platform monitoring: MDBUDDY maintains monitoring on the MDConnect platform to detect anomalous activity, unauthorised access attempts, and system errors. Alerts are escalated to the engineering team for investigation and response.

Penetration testing: External penetration testing is conducted on the MDConnect platform. Results are reviewed by the engineering team and remediation is prioritised based on risk severity. Reports are available to Customers under NDA on request.

Vulnerability management: MDBUDDY monitors for known vulnerabilities in platform dependencies and applies security patches in accordance with severity. Critical vulnerabilities are patched as a priority.

Code security: Application code is reviewed for security issues as part of the development process. Automated scanning tools are used to identify common vulnerabilities before deployment.

8. Incident Response

MDBUDDY maintains documented incident response procedures for personal data breaches and security incidents affecting MDConnect.

Internal escalation: Security incidents and suspected data breaches are escalated to the data compliance lead (Dr Ramzan Mohammed) within 2 hours of detection.

Customer notification: Affected Customers are notified without undue delay and within 24 hours of MDBUDDY becoming aware of a breach, as set out in the MDConnect Data Processing Agreement (section 8).

ICO notification: Where a breach is likely to result in a risk to individuals' rights and freedoms, the ICO is notified within 72 hours in accordance with Article 33 of the UK GDPR.

Individual notification: Where a breach is likely to result in a high risk to individuals, affected individuals are notified directly in accordance with Article 34 of the UK GDPR.

Enhanced procedures for children's data: Breaches involving children's data or safeguarding information are treated as highest priority with immediate escalation and enhanced notification procedures.

Post-incident review: All incidents are subject to a post-incident review to identify root causes and implement measures to prevent recurrence. Lessons learned are documented and incorporated into staff training where relevant.

9. Backup and Disaster Recovery

Backup frequency: MDConnect data is backed up regularly. Backup schedules are designed to minimise data loss in the event of a system failure.

Backup storage: Backup data is stored encrypted (AES-256) within the same UK and EEA jurisdictions as the primary data. Backups are stored separately from primary systems to protect against localised failures.

Disaster recovery: MDBUDDY maintains disaster recovery procedures to restore MDConnect service in the event of a major outage. Recovery procedures are tested periodically to ensure effectiveness.

Recovery objectives: Recovery time and recovery point objectives are maintained at levels appropriate to the service. Enterprise tier Customers may have enhanced recovery commitments as specified in their Subscription Confirmation.

10. Sub-processors

MDBUDDY engages a limited number of third-party service providers (sub-processors) in connection with the provision of MDConnect. Each sub-processor is bound by a data processing agreement that imposes obligations consistent with the MDConnect Data Processing Agreement.

Sub-processor: Amazon Web Services (AWS)
Purpose: Cloud hosting and data storage
Data Location: Europe (Ireland and London)
Compliance: SOC 2, ISO 27001, NHS compliant

Sub-processor: Firebase (Google Cloud)
Purpose: Cloud services
Data Location: Europe
Compliance: SOC 2, ISO 27001

This sub-processor list is maintained in the MDConnect Data Processing Agreement (section 7) and updated as changes occur. MDBUDDY does not share personal data with advertising networks, data brokers, or social media platforms.

11. Data Minimisation and Children's Data

MDBUDDY applies the principle of data minimisation throughout the design and operation of MDConnect.

Children's data approach: MDConnect collects only aggregate, non-identifiable data about children: counts at the Setting level (number of children aged 3-5, number actively brushing, number present per session). No child names, dates of birth, health records, photographs, or individually identifiable data is collected.

Safeguarding exception: The incident reporting feature allows Settings to report safeguarding concerns. Free-text descriptions may contain identifiable information about children or staff. This data is subject to restricted access, immediate escalation, and enhanced breach procedures.

Setting-level aggregation: Programme metrics including IMD deprivation analysis are derived from Setting-level attributes (the Setting's postcode), not from individual children's data.

No direct child interaction: Children do not access MDConnect. The platform is used exclusively by adult professional users (LA staff, programme providers, and Setting staff).

12. Data Retention

MDBUDDY retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Full retention periods are set out in the MDConnect Privacy Policy (section 12) and the MDConnect Data Processing Agreement (section 9). A summary is provided below.

Data Category: Retention Period

User account data: Subscription Term plus 12 months

Programme operational data: Subscription Term plus 3 years

Incident and safeguarding reports: Subscription Term plus 6 years

Audit and QA records: Subscription Term plus 3 years

Consent documentation: 6 years

Training and certification records: Subscription Term plus 3 years

Aggregated and anonymised data: Retained indefinitely (not personal data)

On termination of a Customer's subscription, the Customer has a 30-day window to request a data export. After this period, data is retained according to the periods above and then securely deleted.

13. Compliance and Governance Framework

ICO registration: MDBUDDY UK LTD is registered with the ICO under registration number ZB894415.

Records of processing activities: MDBUDDY maintains records of processing activities in accordance with Article 30 of the UK GDPR.

Data Protection Impact Assessment: MDBUDDY has conducted a DPIA for the processing of personal data through MDConnect. A summary is available in the MDConnect DPIA and Due Diligence Information Pack.

Privacy Policy: The MDConnect Privacy Policy is publicly available and sets out how personal data is collected, used, stored, and shared.

Data Processing Agreement: The MDConnect DPA forms part of the Terms and Conditions and sets out the parties' data protection obligations.

Acceptable Use Policy: The MDConnect AUP governs how Authorised Users may use the platform.

Policy review cycle: All data protection and security policies are reviewed at least annually, with the next review due by 4 April 2027.

14. Contact

For security queries, data protection questions, or to request additional information about the measures described in this document, please contact us.

Data Compliance Lead: Dr Ramzan Mohammed

Email: mdconnect@mydentalbuddy.com

Address: MDBUDDY UK LTD, 427 Kings Road, Stretford, Manchester, M32 8LN

Penetration test reports are available to Customers and prospective Customers under NDA on request. Certification documentation is available on request.

© MDBUDDY UK LTD 2026. All rights reserved.