Saving Grace is built for healthcare workflows: least-privilege access, modern transport security, and operational discipline around how booking and messaging data moves between patients, WhatsApp, and your team. Security is never finished — we treat it as a continuous programme, not a one-time checklist.
Summary, not an audit pack. This page describes how we think about protecting the platform and your data. For questionnaires, DPIAs, penetration-test summaries, or contractual security terms, work with us through your procurement or privacy process — we will meet the depth your organisation needs.
Controls we apply to the Saving Grace application and supporting infrastructure — aligned with common expectations for cloud software handling sensitive workflows.
Browser and API traffic uses modern TLS. Credentials and tokens are never logged in plain text in routine operations.
Development, staging, and production are isolated so experiments cannot accidentally touch live patient or practice data.
API keys and integration secrets are managed through controlled configuration — not embedded in client bundles or shared documents.
Staff interact with structured workspace views. Access should match role and policy — we design toward least privilege and clear accountability.
Administrative and staff surfaces require sign-in. Session design favours expiring credentials and re-authentication for sensitive actions where appropriate.
What a user can see and change is scoped to their role and your workspace configuration — reducing accidental overexposure of queues and patient context.
Provisioning and deprovisioning flows support timely removal of access when someone leaves a role or the organisation.
Security also covers how we run the service day to day: change control, monitoring, and a defined path for when something goes wrong.
We track upstream frameworks and libraries and apply security updates on a regular cadence, balanced against regression testing so a patch does not break a live workflow.
We structure logging and alerts around service health and abuse patterns, without turning patient content into unnecessary permanent archives.
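The two logging commitments above (no plain-text credentials in logs, and no patient message content turned into permanent archives) are easy to state and easy to get wrong in a Python service. The following is an added example, not code from Saving Grace, showing one way to enforce both at the log sink: a `logging.Filter` that redacts bearer tokens and `key=value` secrets from the formatted message, plus a `sanitize_event` helper that keeps routing metadata for an inbound WhatsApp message but drops the body. The regex patterns, the event field names (`wa_message_id`, `from`, `body`), the token strings and the phone number are all constructed for this example and are not the platform's real formats.

```python
import io
import logging
import re

# --- Secret redaction -------------------------------------------------------
# Patterns for credentials that must never reach a log sink. These are
# illustrative (constructed for this example); extend them to match the token
# formats your own integrations actually emit.
SECRET_PATTERNS = [
    # "Authorization: Bearer <token>" headers echoed by HTTP client debug output
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/-]+=*"),
     r"\1[REDACTED]"),
    # key=value or key: value pairs whose key ends in a secret-ish word,
    # e.g. api_key=..., access_token: ..., WHATSAPP_SECRET=...
    # (\S+ also swallows a trailing comma or quote, which is the safe direction)
    (re.compile(r"(?i)\b([\w-]*(?:api[_-]?key|token|secret|password))(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
]


def redact(text: str) -> str:
    """Replace any credential-looking substring with a placeholder."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Redact the *formatted* message, so secrets passed as %-args are caught too."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; prevents a second % pass
        return True


# --- Patient-content minimisation ------------------------------------------
# Keys of an inbound-message event that carry patient text. The routing
# metadata needed for support and abuse detection is kept; the text is not.
CONTENT_KEYS = frozenset({"body", "text", "caption"})


def sanitize_event(event: dict) -> dict:
    """Return a copy of a message event that is safe to persist in logs."""
    safe = {}
    for key, value in event.items():
        if key in CONTENT_KEYS:
            safe[f"{key}_len"] = len(str(value))  # size only, never the content
        elif key == "from":
            # Keep the last 3 digits so a support engineer can correlate a
            # complaint without the full number sitting in every log line.
            digits = str(value)
            safe["from_masked"] = "*" * (len(digits) - 3) + digits[-3:]
        else:
            safe[key] = value
    return safe


def demo() -> str:
    """Run constructed sample lines through the filter; return the captured log text."""
    stream = io.StringIO()
    logger = logging.getLogger("savinggrace.demo")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())  # attach at the sink, not per call site
    logger.addHandler(handler)

    # Constructed sample events, not real traffic.
    logger.info("outbound POST /messages Authorization: Bearer %s", "EAAB.abc-123.xyz")
    logger.warning("retrying with api_key=sk_live_deadbeef user=42")
    inbound = {
        "wa_message_id": "wamid.ABC123",
        "from": "447700900123",
        "timestamp": "2024-01-01T09:00:00Z",
        "body": "Can I move my appointment to Friday?",
    }
    logger.info("inbound %s", sanitize_event(inbound))
    handler.flush()
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

Attaching the filter to the handler rather than sprinkling `redact()` at call sites means a new code path that logs a raw header still gets caught, and `sanitize_event` turns the "don't archive patient content" intent into a function that reviewers can test rather than a convention people must remember.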
When a security-relevant event is identified, we assess impact, contain risk, and coordinate notification with affected customers and regulators as required.
Patient messages flow through Meta’s infrastructure under WhatsApp’s terms and technical model. Saving Grace sits alongside that stack — your security and privacy posture must account for both.
Legal terms, privacy notices, and compliance framing sit in dedicated pages. Use them together with this overview when you brief security, legal, or clinical leads.
Need a completed security questionnaire, architecture diagram, or a session with your information governance team? We will align to your review process.