Built for regulated service operations.
Neos Wave runs AI-powered service operations for organisations in healthcare, public sector, finance, and regulated retail. This page sets out the certifications, architecture, and operating principles that make us buyable by procurement, security, and data protection teams.
Cyber Essentials certified
UK Government-backed scheme. Certified by IASME via Omni Cyber Security, June 2026.
NHS DSPT — Standards Met
NHS Data Security and Protection Toolkit 2025-26 (v8). Published 29 June 2026, valid to 30 June 2027.
UK/EEA data residency
Customer interaction data stays within the UK and European Economic Area, on EEA-configured infrastructure.
Sovereign deployment options
Local hosting on UK/EU infrastructure, or within your own environment, depending on requirements.
Cyber Essentials
Cyber Essentials is the UK Government-backed scheme operated by IASME that verifies an organisation has the technical controls in place to guard against the most common cyber threats. It is a baseline requirement for many UK public sector and NHS engagements.
The certificate covers all of Neos Wave: every system, device, person, and process used to deliver our services is in scope.
NHS Data Security and Protection Toolkit
The NHS Data Security and Protection Toolkit (DSPT) is the data security standard that NHS Trusts, health and social care organisations are required to meet, and the standard their suppliers are expected to evidence. Neos Wave has completed the 2025-26 self-assessment and achieved Standards Met.
The DSPT covers the ten national data guardian standards on data security, staff responsibilities, and IT protection. Our assessment is independently published on the NHS Digital register and refreshed annually.
How our AI is put together
Different workloads have different sovereignty, latency, and cost profiles. We design service operations using the right model in the right tier for the job, and we publish how we make that choice.
Cloud frontier models
Anthropic Claude
For general reasoning where a frontier-class model is needed and the workload does not require jurisdiction-bound processing. Hosted on UK/EEA endpoints where available.
Local GDPR-resident models
Mistral, Ollama
For workloads that must remain inside the UK or EEA jurisdiction. Run on EEA-hosted infrastructure or self-hosted, depending on client requirements.
Sovereign frontier models
Kimi, Qwen
Open-weight models that can be self-hosted end-to-end. For deployments where the customer requires the model itself to run inside their environment.
Your data is not used to train models
Customer data processed by Neos Wave is not used to train, fine-tune, or improve any AI model — ours or anyone else’s. This applies across all three tiers above. Where we use third-party model providers, we use endpoints and contracts that contractually exclude customer data from training, and we configure those endpoints accordingly.
This is non-negotiable. If a workload cannot be delivered without using your data for training, we will tell you and we will not run that workload.
Sovereign deployment options
For organisations that require it, Neos Wave offers sovereign deployment options. These include local hosting on UK or EU infrastructure, or running within the customer’s own environment, depending on requirements.
This matters for NHS Trusts, public sector bodies, regulated financial services, and organisations whose own customers require demonstrable jurisdictional control of their data. We discuss the right deployment shape during scoping, alongside the data processing agreement.
How we handle data
When we operate AI service operations for a client, the client is the data controller and Neos Wave is the data processor under a data processing agreement. Every engagement is structured this way.
Data minimisation by design
Our agents are designed to ask only for the information needed for the task. Where a person volunteers sensitive information that is not required, the agent declines to use it and flags it for removal. This is built into the agent architecture itself, not an afterthought.
Transparency by Service Handshake
Every AI agent interaction we deliver is governed by our Service Handshake: a declared set of goals, authority limits, data permissions, and fallback rules that are visible before the interaction begins. Agents disclose that they are AI when asked.
Retention
Interaction data is retained only for the period agreed in the data processing agreement — typically minimal and transient — and is securely deleted on the schedule set by the client controller.
Security controls
Neos Wave maintains technical and organisational measures appropriate to the risk we and our clients face, including:
- Multi-factor authentication on all business systems
- Encryption of devices and data at rest and in transit
- Role-based, least-privilege access
- Scoped and rotated credentials held in a dedicated password manager
- Secure configuration and prompt patching of devices
- Data minimisation built into the design of our AI agents
Our infrastructure is delivered through proprietary Neos Wave engine components, with secure connectors into customer enterprise systems where required.
Sub-processors
To deliver our services we use a small number of trusted third-party providers as sub-processors, under contracts that require them to protect personal data and to use it only on our documented instructions. These fall into the following categories:
- Cloud productivity and storage (business email, documents, and files)
- Conversational AI and voice platform
- Telephony and messaging
- Language model providers
- Application hosting
- Credential management and security tooling
A current list of named sub-processors is maintained in our internal records and is available to clients on request as part of their data processing agreement.
If you are a procurement, security, or data protection reviewer and you need our Cyber Essentials certificate, NHS DSPT confirmation, sub-processor list, or DPA template, email hello@neoswave.com and we will send them the same day.
Who you’re contracting with
Procurement-ready, today.
If you’re scoping an AI service operation in a regulated context, we’d rather start with your security and data protection questions than dodge them.