Your data stays in Europe.
DentalPolyglot is built by Europeans, for European clinics, on European infrastructure. Patient data never crosses the Atlantic. Encryption at rest and in transit. GDPR is the floor, not the ceiling.
Three commitments. Written into the platform.
Your data stays in the EU.
Patient records, conversations, treatment plans, attachments: everything lives in Frankfurt on Vercel's fra1 region, with the database in Neon's EU cluster. Nothing replicates across the Atlantic. Nothing.
You own it. We hold it.
You can export your clinic's content and lead inbox at any time, in formats that don't lock you in. We don't sell data, we don't mine it, we don't train models on it.
GDPR is the floor.
Default-secure account settings. Passwords hashed with Argon2id, never in plaintext, every new password checked against the HaveIBeenPwned breach corpus at set time. Sessions HttpOnly and HMAC-signed. Right to be forgotten, by clinic and by patient, executed within 30 days of request.
One region today. Always in the EU.
DentalPolyglot runs on Vercel's Frankfurt region (fra1), with the database in Neon's EU cluster. We don't replicate to the United States, the United Kingdom, or anywhere outside the EU. Our CDN is Vercel's EU edge, our transactional email runs through Resend's EU infrastructure, and our analytics never leave Vercel.
Multi-region disaster recovery is on the roadmap for 2026. When we turn it on, we will publish the architecture and the regions on this page before any data moves.
Encrypted at rest. Encrypted in transit.
Two roles. Every query scoped at the database layer.
Every vendor. Every country.
Every third party that touches data we hold for you. We notify clinics in writing 30 days before any change. If you're on a DPA with flow-down, you can object to a new sub-processor and we'll work with you.
Anthropic is the one US-headquartered vendor on this list. Clinic content (page copy, treatment-plan source text) is sent to Claude only when a clinic asks for translation. We use the standard API, which Anthropic states is not used to train their models. We do not send patient identifiers in translation prompts.
Dental records are medical data. We treat them as such.
Photos, X-rays, treatment plans, conversations between a patient and the clinic are Article 9 special category data under GDPR. We hold them under stricter rules than the rest of the platform.
Encrypted on upload, never indexed for search, never used for ML training. Only the patient, their clinic, and a DentalPolyglot translator working on the case can access them.
Stored encrypted at rest. Auto-translated copies are derived from the original, never shared with third parties, deleted alongside the source on request.
Generated server-side, archived as branded PDF, downloadable by patient and clinic. Retained for the legal period required by the clinic's jurisdiction.
Patient name, email, phone stored separately from medical content, linked only via opaque IDs. Defense in depth: a breach of one layer does not expose the other.
We hold patient records as long as the clinic needs to under local medical record law (typically 10 years in DE/AT/IT, 5 years in RO). After that, or sooner on request, records are deleted, including from backups within the next snapshot cycle.
Strong defaults. Boring is the point.
Returning sign-ins use email + password. Passwords are hashed with Argon2id (OWASP-aligned parameters), never stored in plaintext, and every new password is checked against the HaveIBeenPwned breach corpus at set time. Forgot it? A one-time link to your verified email, no security questions, no SMS codes.
Sessions are HttpOnly, SameSite=lax, secure in production. The cookie name and TTL are constants in the code, not hand-rolled per route.
Every database query that reads clinic data scopes by tenant ID derived from the session. We never trust a client-supplied tenant ID. The pattern is reviewed on every change.
Every API endpoint validates its request body against a Zod schema before doing anything. Malformed input is rejected at the door with a clear error code.
Sign-in attempts are rate-limited per IP and per email, fail-closed (a Redis outage blocks rather than bypasses). AI translation and scrape are rate-limited per tenant, also fail-closed. Contact forms are rate-limited per IP and fail-open (a Redis hiccup never blocks a real patient).
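The difference between the fail-closed and fail-open routes above comes down to one branch taken when the counter store is unreachable. The sketch below is an added example, not DentalPolyglot's code: the limits, windows, route names and the in-memory `MemoryStore` standing in for Redis are all assumptions.

```javascript
// Added illustration; limits, windows and route names are assumed values.
const POLICIES = new Map([
  ["signin",    { limit: 5,  windowMs: 60_000, onStoreError: "deny"  }], // fail-closed
  ["translate", { limit: 20, windowMs: 60_000, onStoreError: "deny"  }], // fail-closed
  ["contact",   { limit: 10, windowMs: 60_000, onStoreError: "allow" }], // fail-open
]);

// Constructed in-memory fixed-window counter standing in for Redis.
// Setting `down = true` simulates an outage: every call throws.
class MemoryStore {
  constructor() { this.hits = new Map(); this.down = false; }
  incr(key, windowMs, now) {
    if (this.down) throw new Error("rate-limit store unavailable");
    const entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + windowMs });
      return 1;
    }
    entry.count += 1;
    return entry.count;
  }
}

// keys: every dimension the route limits on, e.g. ["ip:...", "email:..."].
function checkLimit(store, route, keys, now = Date.now()) {
  const policy = POLICIES.get(route);
  // A route with no policy is denied rather than silently unlimited.
  if (!policy) return { allowed: false, reason: "no-policy" };
  try {
    for (const key of keys) {
      const count = store.incr(`${route}:${key}`, policy.windowMs, now);
      if (count > policy.limit) return { allowed: false, reason: "limited" };
    }
    return { allowed: true, reason: "ok" };
  } catch (err) {
    // The outage branch is the whole difference between the two modes.
    return policy.onStoreError === "allow"
      ? { allowed: true, reason: "store-down-fail-open" }
      : { allowed: false, reason: "store-down-fail-closed" };
  }
}
```

Passing both an IP key and an email key for sign-in means a single address stays limited even when attempts arrive from many IPs.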
Every page ships with a strict Content-Security-Policy using per-request nonces and strict-dynamic, plus cross-origin isolation headers (COOP, COEP, CORP). If an attacker ever managed to inject content, the browser would refuse to run it. securityheaders.com grades us A+.
Stripe and Resend webhooks are signature-verified before we touch the payload. Unverified webhooks return 400 and never reach the database.
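A sketch of the verify-before-parse order described above, as an added example rather than DentalPolyglot's code. It follows the `t=<timestamp>,v1=<hex HMAC-SHA256>` header scheme Stripe documents; the secret, payload and 5-minute tolerance are constructed or assumed values.

```javascript
const crypto = require("node:crypto");

const TOLERANCE_SEC = 300; // assumption: replay window of 5 minutes

// HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded.
function signPayload(secret, timestamp, rawBody) {
  return crypto.createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
}

// rawBody must be the exact bytes received, not a re-serialised object.
function verifyWebhook(rawBody, header, secret, nowSec) {
  let timestamp = "";
  const candidates = [];
  for (const item of String(header || "").split(",")) {
    const i = item.indexOf("=");
    if (i < 0) continue;
    const key = item.slice(0, i).trim();
    const value = item.slice(i + 1).trim();
    if (key === "t") timestamp = value;
    else if (key === "v1") candidates.push(value);
  }
  if (!/^\d+$/.test(timestamp) || candidates.length === 0) {
    return { status: 400, error: "malformed_signature" };
  }
  // Reject old timestamps so a captured request cannot be replayed later.
  if (Math.abs(nowSec - Number(timestamp)) > TOLERANCE_SEC) {
    return { status: 400, error: "stale_timestamp" };
  }
  const expected = Buffer.from(signPayload(secret, timestamp, rawBody), "hex");
  const ok = candidates.some((candidate) => {
    const got = Buffer.from(candidate, "hex");
    // timingSafeEqual throws on length mismatch, so check length first.
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  if (!ok) return { status: 400, error: "bad_signature" };
  // Only now is the payload parsed and handed to code that touches the database.
  return { status: 200, event: JSON.parse(rawBody) };
}
```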
Find something. Tell us.
We don't run a paid bug bounty yet. We do read every security report, we acknowledge within 24 hours, and we fix critical issues fast. If you've found something, please email us with a description and reproduction steps. Public credit on this page unless you ask us to skip it.
We acknowledge within 24 hours. We aim to resolve critical issues in 48 hours, high in 7 days, medium in 30 days. We will tell you what we did, and what we changed.
- dentalpolyglot.com
- *.dentalpolyglot.com tenant sites
- Our API endpoints
- Rate-limit or volumetric testing on production
- Social engineering of staff or clinics
- Physical attacks on infrastructure
Lawyers welcome.
Privacy officers especially.
Email privacy@dentalpolyglot.com and we will send what you need within one working day.