For UK clinics & private practices
Patient data on your booking system. Who can see it from outside?
Vantyris scans your clinic's website and booking-system domain the way an attacker would — email impersonation, exposed admin pages, missing privacy notice, pre-consent trackers — then writes a plain-English report you can forward to your web host or your insurer. From £10. No contracts. UK-based, UK-GDPR aligned.
The reality
What we hear from clinic owners
Patient data on the booking system, and no idea who can see it from outside.
An ICO information notice would feel impossible to respond to without help.
Your insurer asked about cyber security at PI renewal and you don't have a good answer.
Your website builder set up Google Analytics three years ago. You have no idea whether it's loading before patients accept the cookie banner.
What a typical clinic scan surfaces
One finding, shown in plain English.
Every finding in your Vantyris report is shaped the same way: what it means for your business, how to fix it, who to ask, and the technical evidence one tap below.
Anyone can send email pretending to be from your clinic
Your booking-system domain is missing the DMARC record that tells receiving servers to reject impersonated email. Right now a scammer can send a fake appointment-reminder from your clinic's address to a patient's inbox and the inbox will treat it as legitimate. This is the most common phishing path against clinics — and the easiest one to fix.
How to fix it
Add a single DNS TXT record at _dmarc.your-clinic-domain. The exact text to paste is in the report's Exact Fix section, with the Cloudflare / GoDaddy / 123-Reg panel paths. About 30 minutes of work, including the wait for DNS propagation. The Vantyris report ships a copy-paste version of the record so your web host doesn't have to interpret anything.
Why clinics buy Vantyris
Plain-English first, technical detail second
A one-page Executive Summary for the partner
Continuous monitoring with alerts only on what matters
Privacy posture an ICO information notice would ask about
Nine-axis coverage with a Fix Roadmap, not a wall of findings
A trust page for patients and inspectors
Forwardable PDF in four layouts
We have no clinic testimonials to publish until real customers consent to being case-studied. Until then, we'd rather ship nothing than ship something fake.
Long read
12-minute read
The 12-item cyber hygiene checklist for UK clinics, in priority order.
Plain-English playbook for clinics, written by the Vantyris editorial team. Specific, opinionated, not a generic checklist.
Read the full playbook →FAQ for clinics
Common questions from clinic owners
Does this make my clinic UK-GDPR or Cyber Essentials compliant?
No, Vantyris does not certify you compliant with any formal framework. Every verified report includes a Cyber Essentials A1-A5 alignment section showing which NCSC controls each finding informs, which is a useful starting point for any ICO-facing or insurance-facing conversation. The certification itself requires an assessor; Vantyris shows you what an external scanner can speak to and what needs internal evidence.
Will the scan slow my booking system down?
No. The scan reads what's already publicly visible about your site — DNS records, response headers, certificates, a small set of common path probes with a 4-second timeout. It doesn't try to log in, doesn't probe for hidden services, doesn't run brute-force, doesn't fuzz. Real-world clinics never see performance impact.
Can I show this to my professional indemnity insurer?
Yes. Three options: email them the PDF (compliance pack layout is sized for this), send them a time-limited share link they can open in a browser (watermarked with their name if you like), or hand them the URL of your public trust page. Many PI policies now ask for evidence of an external scan in the past 12 months; any of these counts.
What about the ICO's cookie sweep — does Vantyris check for that?
Yes. The Privacy category checks pre-consent tracker loading, cookie-banner reject-parity (the EDPB requirement that rejecting is as easy as accepting), Google Consent Mode v2 presence when Google trackers are detected, and the visible privacy-policy link. These are the patterns the ICO's 2023 sweep flagged on the top 100 UK sites and is following up on for SMEs by complaint.
What if a regulator asks about a specific control?
Open the verified report, scroll to the Cyber Essentials alignment section, find the relevant control row. It lists every finding that touches that control with its severity, and tells you whether the area is covered, has gaps, or is one that external scanning cannot speak to (those need internal evidence like endpoint posture or staff training).
What if I don't have a 'developer'?
Most fixes are at your web host's panel. The report names the action plainly enough to forward to your host's support team — and ships an exact copy-paste snippet for the common fixes (DMARC, HSTS, blocking /readme.html, locking down WordPress REST API users). You can also assign a finding to your host's support email directly from the report; Vantyris keeps the audit trail of when it went out and who responded.
More questions? Full FAQ.