Trust & security

Built for regulated service operations.

Neos Wave runs AI-powered service operations for organisations in healthcare, public sector, finance, and regulated retail. This page sets out the certifications, architecture, and operating principles that make us buyable by procurement, security, and data protection teams.

Cyber Essentials certified

UK Government-backed scheme. Certified by IASME via Omni Cyber Security, June 2026.

NHS DSPT — Standards Met

NHS Data Security and Protection Toolkit 2025-26 (v8). Published 29 June 2026, valid to 30 June 2027.

UK/EEA data residency

Customer interaction data stays within the UK and European Economic Area, on EEA-configured infrastructure.

Sovereign deployment options

Local hosting on UK/EU infrastructure, or within your own environment, depending on requirements.

Cyber Essentials

Cyber Essentials is the UK Government-backed scheme operated by IASME that verifies an organisation has the technical controls in place to guard against the most common cyber threats. It is a baseline requirement for many UK public sector and NHS engagements.

Certificate number 105a7536-4f7c-41bd-b32d-b026b562b719 Certifying body IASME, via Omni Cyber Security Certified 25 June 2026 Recertification due 25 June 2027 Profile Cyber Essentials 3.3 (Danzell) Scope Whole organisation

The certificate covers all of Neos Wave: every system, device, person, and process used to deliver our services is in scope.

NHS Data Security and Protection Toolkit

The NHS Data Security and Protection Toolkit (DSPT) is the data security standard that NHS Trusts, health and social care organisations are required to meet, and the standard their suppliers are expected to evidence. Neos Wave has completed the 2025-26 self-assessment and achieved Standards Met.

Standard NHS Data Security and Protection Toolkit Version 2025-26 (version 8) Status Standards Met Published 29 June 2026 Valid to 30 June 2027 Organisation Neoswave Limited Public listing dsptoolkit.nhs.uk →

The DSPT covers the ten national data guardian standards on data security, staff responsibilities, and IT protection. Our assessment is independently published on the NHS Digital register and refreshed annually.

How our AI is put together

Different workloads have different sovereignty, latency, and cost profiles. We design service operations using the right model in the right tier for the job, and we publish how we make that choice.

Tier 1

Cloud frontier models

Anthropic Claude

For general reasoning where a frontier-class model is needed and the workload does not require jurisdiction-bound processing. Hosted on UK/EEA endpoints where available.

Tier 2

Local GDPR-resident models

Mistral, Ollama

For workloads that must remain inside the UK or EEA jurisdiction. Run on EEA-hosted infrastructure or self-hosted, depending on client requirements.

Tier 3

Sovereign frontier models

Kimi, Qwen

Open-weight models that can be self-hosted end-to-end. For deployments where the customer requires the model itself to run inside their environment.

Your data is not used to train models

Customer data processed by Neos Wave is not used to train, fine-tune, or improve any AI model — ours or anyone else’s. This applies across all three tiers above. Where we use third-party model providers, we use endpoints and contracts that contractually exclude customer data from training, and we configure those endpoints accordingly.

This is non-negotiable. If a workload cannot be delivered without using your data for training, we will tell you and we will not run that workload.

Sovereign deployment options

For organisations that require it, Neos Wave offers sovereign deployment options. These include local hosting on UK or EU infrastructure, or running within the customer’s own environment, depending on requirements.

This matters for NHS Trusts, public sector bodies, regulated financial services, and organisations whose own customers require demonstrable jurisdictional control of their data. We discuss the right deployment shape during scoping, alongside the data processing agreement.

How we handle data

When we operate AI service operations for a client, the client is the data controller and Neos Wave is the data processor under a data processing agreement. Every engagement is structured this way.

Data minimisation by design

Our agents are designed to ask only for the information needed for the task. Where a person volunteers sensitive information that is not required, the agent declines to use it and flags it for removal. This is built into the agent architecture itself, not an afterthought.

Transparency by Service Handshake

Every AI agent interaction we deliver is governed by our Service Handshake: a declared set of goals, authority limits, data permissions, and fallback rules that are visible before the interaction begins. Agents disclose that they are AI when asked.

Retention

Interaction data is retained only for the period agreed in the data processing agreement — typically minimal and transient — and is securely deleted on the schedule set by the client controller.

Security controls

Neos Wave maintains technical and organisational measures appropriate to the risk we and our clients face, including:

  • Multi-factor authentication on all business systems
  • Encryption of devices and data at rest and in transit
  • Role-based, least-privilege access
  • Scoped and rotated credentials held in a dedicated password manager
  • Secure configuration and prompt patching of devices
  • Data minimisation built into the design of our AI agents

Our infrastructure is delivered through proprietary Neos Wave engine components, with secure connectors into customer enterprise systems where required.

Sub-processors

To deliver our services we use a small number of trusted third-party providers as sub-processors, under contracts that require them to protect personal data and to use it only on our documented instructions. These fall into the following categories:

  • Cloud productivity and storage (business email, documents, and files)
  • Conversational AI and voice platform
  • Telephony and messaging
  • Language model providers
  • Application hosting
  • Credential management and security tooling

A current list of named sub-processors is maintained in our internal records and is available to clients on request as part of their data processing agreement.

If you are a procurement, security, or data protection reviewer and you need our Cyber Essentials certificate, NHS DSPT confirmation, sub-processor list, or DPA template, email hello@neoswave.com and we will send them the same day.

Who you’re contracting with

Legal entity Neos Wave Limited Registered office 6th Floor, Charlotte Building, 17 Gresse Street, London, W1T 1QL Company number 12002488 Data protection contact hello@neoswave.com ICO registration Registered with the UK Information Commissioner’s Office

Procurement-ready, today.

If you’re scoping an AI service operation in a regulated context, we’d rather start with your security and data protection questions than dodge them.