HPSuite+ Terms & Conditions
FOR HEALTHCARE PROFESSIONALS & MEDICAL PRACTICES
Last Updated: May 2026
1. LEGAL STATUS AND GOVERNANCE (POPIA 2026)
1.1. Compliance Framework: Both parties agree to comply with the Protection of Personal Information Act (POPIA), 2013, and the Regulations Relating to the Processing of Health Information (Government Gazette No. 54268, March 2026). 1.2. Role Designation: You (the "Practice") are the Responsible Party. HPSuite+ is the Operator. 1.3. Duty of Confidentiality: As per Regulation 5.3 of the 2026 Health Data Regulations, HPSuite+ hereby enters into this written agreement to maintain absolute confidentiality regarding all health information. Access is restricted to authorized personnel required for technical maintenance only. 1.4. Mandatory Patient Consent: You warrant that you have obtained explicit, documented consent from patients for the processing of their "Special Personal Information" on a cloud platform. You indemnify HPSuite+ against any claim resulting from a failure to secure such consent.
2. DATA RESIDENCY AND SECURITY
2.1. Local Hosting (Sovereignty): HPSuite+ warrants that all Patient Personal Information is hosted locally within the Republic of South Africa. This ensures compliance with Regulation 6 (Cross-Border Transfers) of the 2026 Health Regulations. 2.2. Technical Standards: HPSuite+ employs AES-256 encryption at rest and TLS 1.3 encryption in transit. 2.3. Mandatory MFA: To maintain the integrity of the platform, the Practice must enable Multi-Factor Authentication (MFA) for all user accounts. HPSuite+ disclaims all liability for breaches resulting from the Practice’s failure to use MFA or for compromised credentials (e.g., "weak" passwords). 2.4. Audit Logs: HPSuite+ maintains automated access logs. You acknowledge that these logs are the definitive record of who accessed patient data via your account.
3. BREACH AND NOTIFICATION PROTOCOL
3.1. Notification: In accordance with Section 22 of POPIA, HPSuite+ will notify the Practice immediately (within 24 hours) of discovering a confirmed data breach. 3.2. Legal Burden: As the Responsible Party, the legal obligation to notify the Information Regulator and the Data Subjects (Patients) remains solely with the Practice. HPSuite+ will provide necessary technical data to assist this process but will not communicate directly with patients.
4. LIMITATION OF LIABILITY & INDEMNITY
4.1. Clinical Sovereignty: HPSuite+ is an administrative and filing tool only. It does not provide medical advice, diagnosis, or triage. The Practice remains 100% liable for all clinical decisions, prescriptions, and patient outcomes. 4.2. Third-Party Links (WhatsApp): If the Practice utilizes the WhatsApp "Click-to-Chat" feature, you acknowledge that this moves the conversation to a third-party platform (Meta). HPSuite+ is not liable for the security, privacy, or POPIA compliance of any communication occurring on WhatsApp. 4.3. Aggregated Indemnity: You hereby indemnify HPSuite+ against any "Attorney-and-Client" scale costs, fines from the Information Regulator, or civil damages arising from:
-
Misuse of the platform by your staff.
-
Processing data without a valid legal basis.
-
Clinical negligence or malpractice.
5. DATA RETENTION AND SECURE DISPOSAL
5.1. Regulatory Retention: You are responsible for ensuring records are kept for the period mandated by the HPCSA (typically 6–10 years). 5.2. Irreversible Deletion: As per Regulation 5.2.2 of the 2026 Health Regulations, HPSuite+ provides a mechanism for the irreversible deletion of health records. 5.3. Certificate of Destruction: Upon termination of service and after a 30-day "Data Export Window," HPSuite+ will purge your database. A digital Certificate of Destruction will be issued to the Practice, confirming the data has been deleted in a manner that prevents recovery.
6. SUB-PROCESSORS
6.1. Authorization: You grant HPSuite+ general authorization to engage sub-processors (e.g., local SMS gateways, local cloud infrastructure). HPSuite+ warrants that all sub-processors are bound by the same data protection obligations set out in these Terms.
7. GOVERNING LAW
These Terms are governed by the laws of the Republic of South Africa. Any dispute shall be settled via arbitration in Durban, South Africa, under the rules of the Arbitration Foundation of Southern Africa (AFSA).
