We are not ISO 27001 certified, SOC 2 attested, or HIPAA-certified as a covered entity today. We implement encryption, access control, consent, and audit logging aligned with those frameworks and publish our subprocessors. Formal certifications are on our roadmap as we scale with NHS, employer, and government partners.
All client and API traffic uses TLS 1.2+ (HTTPS). Internal service communication is encrypted. We do not transmit health data over unencrypted channels.
Databases, object storage, and backups use provider-managed encryption (AES-256 class). Keys are managed by our cloud providers with strict access boundaries — not stored alongside application code.
Production access is role-based, logged, and limited to engineers who need it. Secrets live in environment configuration — never in the repository.
Patients control sharing. Research and AI features use explicit consent flags. We do not sell personal health data.
Critical actions are logged. Where blockchain anchoring applies, records gain tamper-evident timestamps — supporting integrity, not replacing clinical governance.
We maintain runbooks for breach notification aligned with GDPR (72-hour regulator notice where required) and PDPL timelines for Saudi data subjects.
We map product and engineering controls to major frameworks. “Aligned” means our design and policies target these requirements — not that an external auditor has issued a certificate yet.
| Framework | Scope | Our posture |
|---|---|---|
| GDPR / UK GDPR | EU & UK data subjects | Lawful basis, DPIA-ready features, data subject rights, DPA available for B2B |
| Saudi PDPL | Kingdom of Saudi Arabia | Consent, purpose limitation, cross-border transfer controls, breach notification design |
| HIPAA (US) | US providers & partners | HIPAA-aligned administrative, technical, and physical safeguards; BAA available for covered entities when required |
| NHS & UK IG | UK health & care | Data Security and Protection Toolkit alignment; NHS research governance for studies |
| ISO 27001 | Global ISMS | Controls mapped; formal certification planned as scale demands |
We use vetted third parties to run the service. This list covers the main processors relevant to the website and platform. Enterprise customers receive an extended annex in our DPA.
| Processor | Purpose | Typical region |
|---|---|---|
| Cloud hosting (e.g. Vercel) | Marketing website, edge delivery, analytics | Global / EU options |
| Application API hosting | Patient records, provider workflows, sign-up ingestion | Contract-dependent region |
| Resend | Transactional email (contact, demo, notifications) | US / EU |
| Apple / Google | Mobile distribution, Sign in with Apple / Google where enabled | Global |
Hospitals, employers, researchers, and government buyers need a contractual wrapper around our technical controls. We provide a standard DPA covering processor obligations, subprocessor notification, breach assistance, and deletion on termination.
Questions, vulnerability reports, or data subject requests: info@wizzaid.com. For DPA and procurement: partners@wizzaid.app. Legal entity: Wizzaid Labs Ltd (16795420).