Book a Demo

Compliance

Compliance

Overview
Controls summary
Compliance frameworks
Policies & Documents
Privacy Notice (POPIA)
Terms & Conditions
Cookie & Tracking Policy (Website)
Telehealth & Informed Consent (HPCSA Booklet 10)
Electronic Prescriptions (ECTA & SAPC Guidance)
PAIA — Essentials
POPIA Rights & DSAR
Records Retention (HPCSA/NHA)
Security & Incident Response (POPIA)
Operators / Subprocessors
FAQ
Governance & Contact
References
Overview
Ubuntu Health provides healthcare software used by clinicians and patients to manage appointments, consultation notes, prescriptions, referrals, symptom tracking and medication histories. Separate apps for doctors and patients. Production data hosted in South Africa.
Operational
Service status

Core services are available; maintenance is communicated in‑app.

South Africa
Data location

 Currently hosted in SA; cross‑border transfers would follow POPIA s72 safeguards.

Doctors • Patients
Separate apps

Role‑based access and audit trails across both apps.

Controls summary
Infrastructure security
  • TLS in transit; modern AES‑class at rest; key rotation.
  • Segmentation, firewalls, hardened baselines, patching cadence.
  • Centralised logging & monitoring; access reviews.
  • Encrypted backups; restoration testing; RTO/RPO objectives.
  • Information Security Policy; privacy training.
  • MFA, onboarding/offboarding, periodic access reviews.
  • Vendor due‑diligence; POPIA‑compliant Data Processing Agreements.
Organisational security
  • Secure SDLC; code reviews; SAST/DAST.
  • RBAC and audit trails for clinical records.
  • Privacy by design (data minimisation, secure defaults).
Product security
  • Change management; peer review; staged deployments.
  • Endpoint baselines; device encryption; patch policies.
  • Incident response: Detect → Contain → Assess → Notify → Remediate → Review.
Internal procedures
  • POPIA‑compliant Privacy Notice; just‑in‑time app notices.
  • Disclosure registers; operator contracts; data inventory.
  • Storage in SA; s72 safeguards for any cross‑border transfers.
Data & privacy
  • Business Continuity & Disaster Recovery plans established; restoration testing performed.
Data & privacy

POPIA
Lawful processing of personal & special personal information; security safeguards; operator duties; data subject rights; breach notifications.

HPCSA Ethics
Booklet 9 (patient records) & Booklet 10 (telehealth): documentation, retention, consent, confidentiality.

NHA
National Health Act: confidentiality, informed consent, duty to create & maintain health records.

ECTA
Electronic signatures & data messages; admissibility; retention in electronic form.

PAIA
Section 51 private body manual; access requests; POPIA‑aligned refusal grounds.

Compliance frameworks
Policies & Documents
Privacy Notice (POPIA)

Transparency, lawful bases, rights, operators, breach notices.

Enabler role, telehealth, e‑scripts, acceptable use, law & liability.

Terms & Conditions

ECTA recognition; SAPC Reg 33 verification; permanent copy.

Electronic Prescriptions

Section 51 manual; requests; forms/fees; remedies.

PAIA Essentials

Access, correction, objection, deletion constraints.

POPIA Rights & DSAR

General 6y; minors 21; occ health 20y; mental impairment until death.

Data & privacy
Privacy Notice (POPIA)
  • Scope. Applies to the Ubuntu Health website and Doctors/Patients apps. We process special personal information (health data) in line with legal and ethical duties.
  • Information we collect. Identification & contact; health information (symptoms, diagnoses, notes, prescriptions, referrals, medication history, results); account/technical data; website cookies.
  • Purposes & lawful bases. Provide healthcare via registered practitioners (and informed consent where required); maintain accurate clinical records (HPCSA/NHA); ensure security; service communications; optional marketing only with consent.
  • Consent & capacity. Specific, informed, voluntary; can be withdrawn. For minors/incapacitated persons, NHA hierarchy applies.
  • Operators. POPIA‑compliant contracts; process on documented instructions with appropriate safeguards.
  • Cross‑border. Data stored in SA; if transfers occur, POPIA s72 safeguards will apply.
  • Security. Encryption at rest/in transit; MFA; RBAC; audit logging; secure backups; vulnerability management; incident response.
  • Retention. Clinical records per HPCSA Booklet 9 & National Archives/DoH SOP; non‑clinical data retained only as necessary or by law.
  • Rights. Access, correction, objection, consent withdrawal, deletion where legally permissible; complaints to Information Regulator.
  • Breach notification. Notify affected individuals and the Information Regulator as soon as reasonably possible, with details and mitigation steps.
Terms & Conditions
  • Enabler role. Ubuntu Health provides software infrastructure; clinicians remain responsible for clinical decisions.
  • Eligibility & accounts. 18+ or competent consent; clinicians registered with HPCSA; credential confidentiality.
  • Telehealth. Provided by registered practitioners per Booklet 10; consent when enabled; proper documentation.
  • Prescriptions & e‑scripts. Valid electronic signatures (ECTA); direct pharmacy transmission preferred; if patient‑relayed, pharmacy must verify and keep permanent copy; no alterations/re‑use.
  • Acceptable use & security. No interference/unauthorised access; accounts may be suspended for violations.
  • Availability & changes. High availability target but no guarantee; material changes notified.
  • Liability & law. Indirect/consequential damages excluded (where permitted); South African law & competent courts.

  • Consent interface. 
    Non‑essential cookies only with consent; banner shows Accept all / Reject all / Settings; persistent Privacy Settings link.

  • Categories.
    Strictly necessary; optional analytics; optional marketing. Consent logs maintained; choices honoured.

Cookie & Tracking Policy (Website)

Identity verification; informed consent; explanation of limitations & alternatives; documentation;
confidentiality; escalation to in‑person care when clinically necessary.

Telehealth & Informed Consent (HPCSA Booklet 10)
Electronic Prescriptions (ECTA & SAPC Guidance)

Computer‑generated & electronically signed prescriptions recognised by ECTA. Direct transmission prescriber → pharmacy preferred; if sent to patient, pharmacy must verify authenticity & store permanent copy.

We publish a Section 51 PAIA Manual explaining how to request records, categories held, and grounds for refusal/redaction aligned with POPIA. Requests follow prescribed forms/fees and statutory timelines; remedies via the Information Regulator or courts.

PAIA — Essentials

  • Submit requests.
     privacy@ubuntuhealth.co.za or in‑app Privacy & Data settings.

  • Verification. ID / multi‑factor checks; responses within statutory timeframes; accessible format.

  • Deletion constraints. 
    Clinical record duties, legal holds, and third‑party privacy may limit deletion.

POPIA Rights & DSAR
Records Retention (HPCSA/NHA)
  • General records: at least 6 years after becoming dormant.
  • Minors: retain until 21st birthday.
  • Occupational health: 20 years post‑treatment.
  • Mentally impaired patients: until patient’s death.
  • Final disposal per National Archives & Dept of Health SOP with secure destruction & logging.

Safeguards: encryption, MFA, RBAC, audit trails, backups, vulnerability management. Process: Detect → Contain → Assess (scope, risk) → Notify Information Regulator & affected individuals as soon as reasonably possible → Remediate → Review & improve. Evidence preserved; communications factual & clear.

Security & Incident Response (POPIA)

We will publish our current operator list (hosting, messaging, analytics) here. Each operator is bound by POPIA‑compliant contractual terms including security safeguards, confidentiality and breach assistance.

Request the current list via privacy@ubuntuhealth.co.za.

Operators / Subprocessors
How do you handle patient data?

Data is processed to provide healthcare services and maintain clinical records in line with HPCSA/NHA. Access is strictly controlled; audit trails capture record access & changes.

Our software uses advanced AI inference to process your anonymized patient data through pre-trained, medically specialized language models, helping doctors generate potential diagnostic insights and streamline clinical decision-making. This inference applies a fixed model to new inputs without retraining or altering it, ensuring rapid, secure assistance tailored to South African private practices. Patients and doctors retain full control, with outputs always requiring professional review per HPCSA guidelines.

Key Features Covered
  • Data Handling: Only de-identified data (stripped of names, IDs, and personal links) is processed, complying with POPIA’s special information rules on purpose limitation and security.
  • User Benefits: Faster symptom analysis, treatment suggestions, and admin efficiency—enhancing care without replacing clinical judgment.
  • Transparency: No data storage by the AI provider beyond the query session; audit logs track usage for accountability.

Consent and Controls
By using our software, you consent to this anonymized inference for diagnostic support, with easy opt-out options in settings. Withdraw anytime via account preferences, triggering immediate cessation and data purge requests. We prioritize trust through clear disclosures, regular compliance audits, and human oversight, aligning with National Health Act and HPCSA ethical AI standards.

Do you encrypt data at rest?

Yes. Industry‑standard encryption at rest and in transit; key management & rotation per policy.

Where is the data stored?

Hosted in South Africa. If cross‑border transfers are introduced, POPIA s72 safeguards will apply.

FAQ
  • POPIA Condition 7 (security safeguards; operator duties; security compromises)
  • HPCSA Booklet 9 (patient records) & Booklet 10 (telehealth)
  • National Health Act 61 of 2003
  • ECTA 25 of 2002 (data messages & e‑signatures)
  • SAPC Regulation 33 (electronic prescriptions; pharmacy verification; permanent copy)
  • Information Regulator eServices portal (breach reporting)
References

Information Officer: <Name> Email: privacy@ubuntuhealth.co.za

Deputy Information Officer(s): <Names>

Support: support@ubuntuhealth.co.za

Address: Unit 5, 4 Derby Place, Derby Downs Office Park, Westville, KwaZulu-Natal 3629.

Governance & Contact
Unleash Tomorrow's Potential, Today.
How can we support your digital transformation goals?