Security

An overview of the ISO 27001-aligned architecture, encryption, access control, and incident response processes protecting clinic and patient data on My Bloom Aura.

Last updated: 4 July 2026

ISO 27001-Aligned Architecture

My Bloom Aura's security architecture is aligned with the ISO 27001 information security management standard. This means access, data handling, and operational practices are built around the standard's core control areas: risk assessment, access control, cryptography, operations security, incident management, and supplier relationships.

  • Encryption in transit (TLS 1.2+) for all data moving between patients, clinics, and the platform
  • Encryption at rest for all stored patient and clinic data
  • Role-based access control limiting staff access to the minimum data required for their function
  • Audit logging of access to patient records and system configuration changes
  • Segregated, per-clinic data isolation so no clinic can access another clinic's data
  • Documented incident response process with defined notification timelines

Data Isolation & Access Control

Each clinic's patient data is logically isolated from every other clinic on the platform. Internal access to patient data is restricted on a role and need-to-know basis, with all access events logged for audit purposes. Patient data is never used to train AI models, whether for My Bloom Aura or any other product.

Incident Response

VisionXY7 maintains a documented incident response process covering detection, containment, investigation, and notification. In the event of a data breach affecting patient data, affected clinic customers are notified without undue delay in line with UK GDPR notification requirements, so that clinics can meet their own regulatory obligations as data controllers.

Testing & Review

The platform's security controls are reviewed on an ongoing basis, with independent penetration testing conducted periodically as part of our security assurance programme. Findings are triaged and remediated according to severity, with critical issues addressed as a priority.

Regulatory Oversight, Led by a Qualified Auditor

My Bloom Aura's security programme is not self-certified marketing language — it is led directly by Dr. Mahdi Seify, Founder and Chief Intelligence Officer of VisionXY7, who holds ISO/IEC 27001 Lead Auditor and Lead Implementer qualifications and has published works on information security management (ISMS) and cyber security incident response (CSIRT). Every My Bloom Aura security control is scoped and reviewed under his direct oversight, not delegated to a junior team.

VisionXY7 is registered with the UK Information Commissioner's Office (ICO), the UK's independent regulator for data protection and information rights. This registration underpins how patient and clinic data is handled across My Bloom Aura, alongside UK GDPR compliance and CQC-aligned governance support for clinic customers.

ISO/IEC 27001 Lead Auditor & Lead Implementer

Security architecture designed and reviewed directly by a qualified Lead Auditor and Lead Implementer, not a generic compliance checklist.

ICO Registered

VisionXY7 is registered with the UK Information Commissioner's Office for data protection.

Published ISMS & CSIRT Author

Governance practices are informed by published research and practitioner work in information security management and incident response.

Related Policies

For details on how patient and website data is collected, used, and retained, see our Privacy Policy. For more on our leadership team's credentials, see About. For questions about our security architecture, contact hello@visionxy7.com.

My Bloom Aura is an AI Patient Reception and Coordination System for women's health and fertility clinics in the UK, engineered by VisionXY7. Questions about this page can be sent to hello@visionxy7.com.