South Africa (POPIA)
We support processing principles that map to accountability, minimisation, and security safeguards — including clarity on who processes what when patients interact on WhatsApp and your team uses the workspace.
Trust
Compliance
Healthcare data deserves more than checkbox security. Saving Grace is built so practices can run WhatsApp-first booking alongside sensible governance — with clear roles, controlled access, and policies you can align to your own legal and clinical obligations.
Not legal advice. This page summarises how we think about regulatory alignment and platform responsibilities. Your counsel and privacy officer should review commitments for your jurisdiction, contracts, and patient populations.
Regulatory alignment
POPIA, HIPAA readiness, and your practice obligations
We design for common healthcare privacy regimes. Final compliance is always shared: the platform provides controls and transparency; the practice defines lawful basis, notices, and clinical use of information.
United States (HIPAA)
Where a business associate relationship applies, we work toward administrative, physical, and technical safeguards appropriate to messaging and scheduling workflows — executed alongside your BAAs and risk analyses.
Meta & messaging
WhatsApp has its own terms and data handling. We help you reason about template use, user opt-in, and retention in line with both clinical policy and channel rules.
Controls
What we build toward
Concrete patterns that make audits and operational reviews easier — not a substitute for your programme of record, but a foundation that fits how regulated teams work.
Scoped access
Least-privilege roles so staff see booking and patient context only when their job requires it.
Traceable operations
Activity oriented around appointment lifecycle events — supporting proportionate logging and review.
Retention awareness
Policies for how long conversational and booking artefacts are kept, tuned with your counsel and channel constraints.
Secure transport
Modern encryption in transit for platform surfaces; messaging security follows provider and channel standards.
Vendor transparency
We document subprocessors and material flows so your DPIAs and vendor reviews have a clear picture.
Incident readiness
Processes to assess, contain, and notify when something goes wrong — coordinated with your breach playbook.
Related policies
Deeper legal text lives in standalone documents. Use them together with this overview when you brief stakeholders.
Need a security questionnaire, DPIA appendix, or a call with your information governance lead? We will meet you at the depth your procurement process requires.