Security Annex

Version: 1.0
Last updated: 25 May 2026
Classification: Public

 

This Security Annex sets out the technical and organisational security measures (“TOMs”) that VetFlash applies, or intends to apply, to protect personal data processed through the VetFlash platform, in accordance with Article 32 of the UK GDPR. It forms part of, and is referenced in, the Data Processing Agreement (DPA) (vet-flash.com/dpa) where that agreement applies.

Security Review

VetFlash reviews its technical and organisational measures periodically and when material changes are made to the Services.

The measures described in this Security Annex reflect VetFlash’s current security approach and may be updated over time, provided that updates do not materially reduce the overall protection of Customer Personal Data.

Infrastructure, hosting, vendor, backup and application controls are reviewed using internal security and data protection records.

Teleos Integration

Where users connect Teleos themselves, Teleos credentials are stored locally in the user’s browser and are used to connect to Teleos when the user uses the integration. Users can remove these local credentials by disconnecting Teleos or clearing browser storage.

VetFlash does not intentionally retain user-managed Teleos credentials server-side. If VetFlash configures Teleos on behalf of a customer by request, any credentials stored for that purpose are used only to provide the requested integration and can be deleted on request.

1. Security Governance

– VetFlash will assign responsibility for information security and data protection operations to an appropriate owner.

– Security and privacy controls will be reviewed periodically and when material changes are made to the Services.

– Security risks will be assessed for material platform, vendor, AI provider, infrastructure and data processing changes.

– Security incidents and personal data breaches will be recorded and reviewed.

2. Access Control

– Access to production systems and Customer Personal Data will be limited to authorised personnel with a business need.

– Administrative access will be granted using least privilege principles.

– Administrative access will be reviewed periodically and removed when no longer required.

– Access will be removed or disabled when personnel or contractors leave or change role.

– VetFlash avoids shared administrative accounts where technically feasible.

– VetFlash uses multi-factor authentication for administrative access where supported by the relevant system.

3. User Authentication

– User accounts are protected by unique login credentials.

– Passwords are stored using industry-standard one-way hashing where VetFlash stores passwords directly.

– Password reset flows use time-limited reset links or equivalent controls where VetFlash controls the reset flow directly.

– Session management is designed to protect against unauthorised reuse, fixation and excessive session duration.

– VetFlash uses rate limiting, throttling, monitoring, or equivalent abuse controls where feasible for login and high-risk endpoints.

4. Encryption and Secrets

– The Services use TLS/HTTPS for transmission of data over public networks where VetFlash controls the connection.

– Encryption at rest is used where supported by hosting, database, storage, backup and vendor systems.

– VetFlash restricts access to production containers, server configuration, application code, logs, environment files and backups to authorised administrators.

– Administrative credentials and production secrets are protected through server, Docker/container and hosting control-panel access controls.

– VetFlash rotates secrets when compromise is suspected and periodically where appropriate.

5. Application Security

– Application changes are reviewed before deployment where feasible.

– Dependencies are reviewed and updated to address known vulnerabilities where feasible.

– VetFlash uses input validation and output encoding to reduce injection and cross-site scripting risks where feasible.

– File uploads are restricted by file type, size and purpose where feasible.

– Uploaded files are stored securely and are not executable by default where VetFlash controls the storage location.

– VetFlash does not intentionally store full payment card data unless a compliant PCI DSS process is separately implemented.

– Security-relevant errors are logged in a way designed to avoid unnecessary personal data or secrets.

6. AI Security and Data Minimisation

– AI prompts, uploaded files, feedback and generated outputs may contain personal data if users choose to submit it. VetFlash instructs users not to submit client-identifiable data unless necessary and lawful.

– AI provider settings are configured, where available, to prevent Customer Personal Data from being used to train third-party models by default.

– AI provider retention settings are minimised where available and commercially reasonable.

– Prompt and output logs are limited to what is needed for service delivery, support, safety, audit, model improvement, abuse prevention and legal compliance.

– VetFlash considers prompt injection, data leakage and inappropriate disclosure risks when designing AI workflows.

– AI outputs are presented as professional support only and are not represented as final clinical decisions.

– Debug prompt logging is disabled, removed, or tightly controlled before production use.

6A. Teleos Credentials

– User-managed Teleos credentials are stored in the user’s browser localStorage for convenience and are used to connect to Teleos when the user uses the integration. Note that localStorage persists until cleared and is readable by any script running on the VetFlash web origin, so these credentials are protected only to the extent that the user’s browser and device are.

– Users are instructed to connect Teleos only on trusted devices and to disconnect Teleos or clear browser storage if using a shared or untrusted device.

– VetFlash does not intentionally retain Teleos credentials server-side for user-managed connections.

– Existing server-side Teleos credential records created through the admin dashboard are deleted where no longer needed.

– If VetFlash configures Teleos credentials on behalf of a customer in the future, VetFlash obtains customer permission, restricts administrator access, keeps a record of the request and deletes the credentials when no longer needed or on request.

7. Infrastructure Security

– Hosting and infrastructure providers maintain physical and environmental security controls for data centres.

– Production systems are separated from development and testing environments where feasible.

– Firewalls, security groups, or equivalent network controls restrict access to production resources where VetFlash controls those settings.

– Operating systems, runtimes, frameworks and managed services are patched or updated to address material vulnerabilities where VetFlash controls those systems.

– Administrative interfaces are not exposed publicly unless protected by appropriate authentication and access restrictions.

8. Logging and Monitoring

– Security-relevant events are logged where feasible, including administrative access, authentication events, errors and suspicious activity.

– Logs are protected against unauthorised access.

– Logs are configured or managed to avoid unnecessary storage of sensitive content, secrets, passwords, full payment card data, or excessive prompt content where feasible.

– Log retention is proportionate to security, operational, legal and audit needs.

– Material security alerts are reviewed and escalated where appropriate.

9. Backups and Resilience

– Production data is backed up on a schedule appropriate to the criticality of the Services.

– Backups are protected against unauthorised access.

– Backup retention is defined and does not exceed what is reasonably necessary.

– Disaster recovery and business continuity expectations are documented for material systems.

10. Incident Response

– VetFlash will maintain an incident response process for security incidents and personal data breaches.

– The process includes triage, containment, investigation, mitigation, evidence preservation, notification assessment and post-incident review.

– Personal data breaches affecting Customer Personal Data will be notified in accordance with the Data Processing Agreement.

– Incidents will be reviewed to identify corrective actions where appropriate.

10.1 Detection and Monitoring

  • Authentication failures, unusual access patterns and system errors are logged and reviewed.

10.2 Incident Classification

Security incidents are classified by severity:

Severity   Definition                                                           Response time
Critical   Confirmed breach of personal data with likely harm to Data Subjects  within 36 hours
High       Potential breach, or confirmed breach with limited scope             within 36 to 48 hours
Medium     Security vulnerability or suspicious activity, no confirmed breach   within 48 to 72 hours
Low        Minor security event, no personal data involved                      within 72 hours to 7 days

10.3 Response Procedure

  1. Detect: Automated or manual detection of a potential incident
  2. Contain: Isolate affected systems to prevent further exposure
  3. Assess: Determine scope, nature, and affected data
  4. Notify: If personal data is involved:
    • Notify affected Controller(s) without undue delay after becoming aware, and in any event within 72 hours, so that the Controller can meet its own 72-hour ICO deadline under Article 33 UK GDPR
    • Assess ICO notification obligation (if likelihood of harm to individuals)
  5. Remediate: Fix the root cause and restore normal operations
  6. Review: Post-incident review to prevent recurrence
  7. Document: Record all incidents in the internal breach log, including decisions not to report

10.4 ICO Notification

Where a Security Incident is likely to result in a risk to the rights and freedoms of natural persons, we will notify the ICO within 72 hours of becoming aware, in accordance with Article 33 UK GDPR.

Where we act as data processor, the Controller is responsible for making the ICO notification. We will provide all information required to assist the Controller within 72 hours of becoming aware of the incident.

11. Personnel and Contractors

– Personnel and contractors with access to Customer Personal Data are subject to confidentiality obligations.

– Personnel and contractors receive security and privacy guidance appropriate to their role.

– Access for personnel and contractors is limited to what is necessary for their duties.

– Departing personnel and contractors have access revoked promptly.

12. Supplier Security

– VetFlash will assess suppliers and Sub-processors that process Customer Personal Data based on the nature and risk of the processing.

– Processor contracts will include data protection obligations where required by Applicable Data Protection Laws.

– International transfer safeguards will be used where required.

– Supplier and Sub-processor use will be reviewed periodically.

13. Data Deletion

– Customer Personal Data will be deleted or returned in accordance with the Data Processing Agreement, retention schedule and legal obligations.

– Deletion from active systems is completed within a reasonable period after a valid deletion request or contract termination, subject to technical and legal limitations.

– Data may remain in backups until overwritten or deleted through normal backup cycles.

– VetFlash will use reasonable efforts to ensure Sub-processors delete Customer Personal Data when required by contract and law.

14. Customer Responsibilities

Customer is responsible for:

– securing its own devices, browsers, networks, email accounts and local systems;

– managing authorised users and access within its organisation;

– ensuring users do not share credentials;

– ensuring users do not submit unnecessary personal data, special category data, client-identifiable data, payment card data, passwords, or secrets;

– maintaining its own privacy notices, lawful bases, professional obligations and client communications;

– reviewing AI outputs before relying on them professionally.

15. Testing and Assurance

– VetFlash assesses application and infrastructure security periodically.

– Vulnerabilities are prioritised and remediated based on severity and exploitability.

– Customer audit and assurance requests are handled under the Data Processing Agreement.

16. Compliance and Certification

Standard / framework                  Status
UK GDPR / Data Protection Act 2018    Compliant
TLS 1.2+ encryption in transit        Implemented
ICO registration                      ZB785465
ISO 27001 (direct)                    Not currently certified
ISO 27001 (via sub-processors)        IONOS: certified

17. Contact

Security concerns: info@vetflash.io

Data protection / legal: info@vetflash.io