Trust isn't a checkbox you bolt on. It's earned by being clear about what's true today, what's coming, and who's accountable when something breaks. Here's all three.
SmileOS isn't a generic SaaS rebranded for dentistry. It's built by Haroon Ismail, a UK GDC-registered clinical director who runs cosmetic and orthodontic consultations every week. Every workflow has been used in a real chair before it shipped.
Most software companies bury this. We don't, because dentists know the difference between a marketing claim and a clinically defensible one.
Patient data lives on Supabase Postgres in Frankfurt (eu-central-1). Encrypted at rest, in transit over TLS, and never leaves European infrastructure.
Every read and write filters on your tenant ID before touching the database. One clinician can't query another practice's records.
Short-lived signed tokens, no third-party auth vendor in the data path. Password hashing with bcrypt, no plaintext storage.
Every mutation (case created, consent signed, payment verified) writes to an append-only audit table. Searchable by clinical director.
SmileOS Ltd, registered in the UK. Founder reachable by email or WhatsApp directly — no support queue.
We don't touch card data. Payments flow through Stripe (PCI-DSS Level 1). Refunds, disputes, invoices — all via Stripe's regulated path.
Tenant scoping at the API layer is enforced today. We're adding database-level row-level security as a second layer before public launch.
A Data Processing Agreement reviewed by our solicitor, ready to sign per practice. Currently bespoke — happy to talk through what we'll commit to before you sign.
Formal DPIA covering AI-assisted clinical notes, in collaboration with a UK dental defence union. Shared with founder cohort once complete.
Registration with the UK Information Commissioner's Office as a data controller. We're a processor today; controller registration is on the immediate roadmap.
Third-party pentest scheduled before our first 50 founders go live. Findings shared with the cohort.
Not certified — and we won't claim it until we are. We're aligning internal controls now to be audit-ready by year-end.
We deliberately don't display "ISO 27001 certified" or "HIPAA compliant" badges, because we aren't certified, and dentists know fake badges when they see them. If you need a specific compliance assurance before signing, email the founder and we'll tell you exactly where that line is for us — and when we'll cross it.
Three things most dental software gets wrong — and how SmileOS handles them differently.
Voice-first capture means notes happen during the consult, not after hours. The patient sees you, not your laptop.
Consent and estimate generation are inside the consultation flow — not a separate file the patient never receives.
Every case sits in a stage. Unsigned consents, unverified payments, missing ClinChecks — visible at a glance, not hidden in folders.
Before you commit. Before you sign anything. Email the founder — you'll get a real answer, not a marketing reply.