Elanita Systems (Pty) Ltd is committed to complying with the Protection of Personal Information Act (POPIA), Act 4 of 2013. This page explains how we apply POPIA's eight conditions for lawful processing to our platform and operations.
What is POPIA?
The Protection of Personal Information Act (POPIA) is South Africa's data protection law, similar in intent to the GDPR in Europe. It governs how organisations collect, store, use, and share personal information about individuals.
For medical practices, POPIA is particularly important because patient information — including health records, diagnoses, and treatment notes — constitutes special personal information and receives the highest level of protection under the Act.
Our Role Under POPIA
Under POPIA, there are two key roles:
- Responsible party — the entity that determines the purpose and means of processing personal information. This is your practice.
- Operator — the entity that processes personal information on behalf of the responsible party. This is Elanita Systems (Pty) Ltd.
As the operator, we process patient data only as directed by your practice, in accordance with our Terms of Service and our Privacy Policy, and we implement appropriate technical and organisational security measures to protect that data.
The Eight Conditions — How We Apply Them
Condition 1: Accountability
Elanita Systems takes responsibility for ensuring personal information in our platform is processed in compliance with POPIA. We maintain audit logs of all data access and changes.
Condition 2: Processing limitation
We process personal information only for the purposes of operating the Elanita platform. We do not use patient data for marketing, analytics, or any purpose beyond service delivery.
Condition 3: Purpose specification
Personal information is collected for specified, explicit, and legitimate purposes, namely practice management and patient care. We document and communicate these purposes clearly.
Condition 4: Further processing limitation
We do not process personal information in a way that is incompatible with the original purpose of collection. Data is never sold, shared, or repurposed without authorisation.
Condition 5: Information quality
Practices are responsible for the accuracy of data entered. Our platform provides tools to update and correct patient records at any time.
Condition 6: Openness
We are transparent about how we process personal information through this POPIA statement, our Privacy Policy, and our Terms of Service.
Condition 7: Security safeguards
We implement technical and organisational measures to protect personal information against loss, damage, and unauthorised access, including encryption, access controls, and audit logging.
Condition 8: Data subject participation
Patients have the right to access, correct, and request deletion of their personal information. Practices can action these requests through the platform, or contact us directly.
Security Measures in Place
| Measure | Status | Detail |
|---|---|---|
| TLS encryption (data in transit) | Live | All data is transmitted over HTTPS with HSTS enforced |
| Field-level encryption at rest (special personal information) | Live | AES-256-GCM field-level encryption on 34 sensitive fields across 8 tables, covering diagnoses, consultation notes, medications, and all special personal information |
| Password hashing | Live | bcrypt with cost factor 12; passwords are never stored in plain text |
| Role-based access control | Live | Staff access is limited to their role; doctors, nurses, and admin staff have separate permissions |
| Multi-tenant data isolation (application layer) | Live | Every application query is scoped to practice_id, so one practice's users cannot read another practice's records |
| Database row-level security | Live | PostgreSQL Row Level Security enforced on all 23 tenant tables, so every query is also scoped to the practice at the database layer, independently of application code |
| Audit logging | Live | All logins, data access, and changes are logged with timestamp, user, and IP address |
| Rate limiting | Live | API rate limiting protects against brute force and abuse |
| Multi-factor authentication (TOTP) | Planned | TOTP-based MFA is scheduled for implementation shortly after launch and will be available as an optional setting for all accounts |
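The two tenant-isolation rows above describe the same control enforced at two layers: the application filters by practice_id, and PostgreSQL Row Level Security enforces the same scope inside the database. The SQL below is an added example written for this page; it is not Elanita's schema or code. The table name consultations, the role elanita_app and the session setting app.practice_id are assumed for illustration. It shows the policy itself and the two caveats that decide whether RLS actually binds: the application role must not own the table (owners and superusers bypass RLS unless FORCE ROW LEVEL SECURITY is set), and the tenant setting must fail closed when it is missing or empty.

```sql
-- Added example, not Elanita's own schema. Run as a superuser or the table
-- owner; table, role and setting names are assumptions for illustration.

CREATE TABLE consultations (
    id          bigserial PRIMARY KEY,
    practice_id uuid  NOT NULL,
    patient_id  uuid  NOT NULL,
    notes_enc   bytea NOT NULL   -- ciphertext of the notes field; encrypted in the application
);

-- The role the application connects as. It deliberately does NOT own the
-- table: table owners and superusers bypass RLS unless FORCE is applied.
CREATE ROLE elanita_app NOINHERIT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON consultations TO elanita_app;

ALTER TABLE consultations ENABLE ROW LEVEL SECURITY;
ALTER TABLE consultations FORCE ROW LEVEL SECURITY;   -- applies to the owner as well

-- current_setting(name, true) returns NULL if app.practice_id was never set,
-- and '' if it was set in an earlier transaction and has since reverted.
-- NULLIF turns '' into NULL too, so an unset tenant compares as NULL,
-- USING yields no rows and WITH CHECK rejects every write: fail closed.
CREATE POLICY practice_isolation ON consultations
    FOR ALL
    TO elanita_app
    USING      (practice_id = NULLIF(current_setting('app.practice_id', true), '')::uuid)
    WITH CHECK (practice_id = NULLIF(current_setting('app.practice_id', true), '')::uuid);

-- Exercise the policy as the application role. SET LOCAL scopes the tenant to
-- the current transaction, so a pooled connection cannot carry one practice's
-- id into the next request.
SET ROLE elanita_app;

BEGIN;
SET LOCAL app.practice_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO consultations (practice_id, patient_id, notes_enc)
    VALUES ('11111111-1111-1111-1111-111111111111',
            '22222222-2222-2222-2222-222222222222', '\x00'::bytea);
-- No WHERE clause, yet only practice 1111...'s rows come back.
SELECT id, patient_id FROM consultations;
COMMIT;

BEGIN;
SET LOCAL app.practice_id = '11111111-1111-1111-1111-111111111111';
-- Fails with "new row violates row-level security policy": the row would
-- belong to another practice, and WITH CHECK blocks it even though the
-- application role has INSERT privilege on the table.
INSERT INTO consultations (practice_id, patient_id, notes_enc)
    VALUES ('33333333-3333-3333-3333-333333333333',
            '22222222-2222-2222-2222-222222222222', '\x00'::bytea);
ROLLBACK;

-- A connection that never set the tenant sees nothing at all.
SELECT count(*) FROM consultations;   -- 0

RESET ROLE;
```

When reviewing an RLS deployment, check three things against this pattern: that the connecting role is not the owner of any tenant table (or that FORCE ROW LEVEL SECURITY is set on every one), that the policy expression treats a missing or empty tenant setting as "no access" rather than erroring or matching everything, and that the application sets the tenant with SET LOCAL inside each transaction rather than SET on a pooled connection.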
Your Responsibilities as a Practice
As the responsible party under POPIA, your practice is obligated to:
- Inform patients that their information is being recorded and stored electronically
- Obtain consent from patients before recording consultation audio using the AI transcription feature
- Ensure only authorised staff have access to the Elanita platform
- Report any suspected data breach to us at hello@elanita.co.za immediately
- Respond to patients who exercise their POPIA rights (access, correction, deletion)
- Appoint an Information Officer for your practice if required by POPIA
Data Breach Notification
In the event of a data breach affecting personal information, Elanita Systems (Pty) Ltd will:
- Notify affected practices immediately, as POPIA requires of an operator
- Provide details of the nature and scope of the breach
- Notify the Information Regulator as required by POPIA
- Take immediate steps to contain and remediate the breach
Information Regulator
If you believe your POPIA rights have been violated, you may lodge a complaint with the Information Regulator of South Africa:
- Website: inforegulator.org.za
- Email: inforeg@justice.gov.za
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Contact Our Information Officer
For any POPIA-related queries, requests, or concerns:
- Email: hello@elanita.co.za
- Address: Block D, Midridge South, International Business Gateway, Midrand, 1685