Trust
Compliance
Where we stand on data protection, healthcare standards, tax, and data residency — and what is still in progress.
This page describes our current posture, not aspirations. We mark what is live and what is in progress so you can plan around it. For the engineering side of how we protect data, see our security overview.
Data protection
We build to the Digital Personal Data Protection Act, 2023. You are the Data Fiduciary for the personal data your organisation collects; Spexx acts as a Data Processor on your behalf. We collect only the data a feature needs, keep a record of processing, and support access, correction, and erasure of personal data.
Consent and purpose limitation are enforced in the product, not just in policy. Where we process data for you, the terms are set out in our Data Processing Addendum.
We have a named Grievance Officer for data-protection complaints and data-principal requests, with contact details and response timelines published here: grievance redressal.
Live: DPDP-aligned processing, DPA, grievance officer.
Healthcare
Spexx Health is built to be ABDM-ready. That means the data model and APIs are designed around the Ayushman Bharat Digital Mission building blocks: linking a facility through the Health Facility Registry (HFR), associating an ABHA (Ayushman Bharat Health Account) number with a patient record, and recording the consent that ABDM requires before health information is shared.
ABDM participation is granted per facility, so onboarding happens one facility at a time. We treat HFR linkage and the ABDM milestones as a rollout that is in progress, not a flag we have already flipped for everyone.
For interoperability outside ABDM, clinical records can be exported as HL7 FHIR resources so they move cleanly into other systems and registries.
Live: FHIR export, ABHA and consent capture in the record. In progress: HFR facility linkage and full ABDM gateway integration, per facility.
Tax
Invoicing is GST-native. Every invoice carries the seller and buyer GSTIN where applicable, HSN or SAC codes, and a tax breakdown that splits correctly into CGST and SGST for intra-state supplies or IGST for inter-state supplies. Which split applies is decided by comparing the supplier's state with the place of supply.
Live: GST-compliant invoicing with CGST, SGST, and IGST.
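The two checks an invoicing pipeline has to get right before it emits a tax breakdown are (1) that any GSTIN it accepts is well-formed, including the mod-36 check character, and (2) that the CGST/SGST-versus-IGST decision is driven by the supplier's state code against the place of supply. The Python below is an added illustration of both, not Spexx code. It assumes the place of supply has already been resolved to a two-digit state code by the caller (the goods-versus-services rules for deciding that are not modelled), and the GSTINs and amounts are constructed sample values (27AAPFU0939F1ZV is a widely circulated test GSTIN; the second one is derived from it with a different state prefix).

```python
"""GSTIN validation and the CGST/SGST vs IGST split by place of supply.

Added example, not part of the Spexx product. The checksum is the
standard mod-36 weighted scheme used by GSTINs. Sample GSTINs below are
constructed test values, not real registrations.
"""
import re
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional, Union

_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# 2-digit state code, 10-char PAN (5 letters, 4 digits, 1 letter),
# entity number, literal 'Z', then the check character.
_GSTIN_RE = re.compile(r"^[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]$")


def gstin_check_char(first14: str) -> str:
    """Compute the 15th (check) character for the first 14 GSTIN characters.

    Weights alternate 1,2,1,2,... starting from the first character; each
    product is reduced by adding its quotient and remainder modulo 36.
    """
    total = 0
    for i, ch in enumerate(first14):
        product = _ALPHABET.index(ch) * (1 if i % 2 == 0 else 2)
        total += product // 36 + product % 36
    return _ALPHABET[(36 - total % 36) % 36]


def validate_gstin(gstin: str) -> bool:
    """True only if the format matches and the check character verifies."""
    if not _GSTIN_RE.match(gstin):
        return False
    return gstin_check_char(gstin[:14]) == gstin[14]


@dataclass(frozen=True)
class TaxSplit:
    taxable_value: Decimal
    cgst: Decimal
    sgst: Decimal
    igst: Decimal

    @property
    def total_tax(self) -> Decimal:
        return self.cgst + self.sgst + self.igst


def _money(amount: Decimal) -> Decimal:
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def split_gst(
    seller_gstin: str,
    buyer_gstin: Optional[str],          # None for an unregistered (B2C) buyer
    place_of_supply_state: str,          # two-digit state code, already resolved
    taxable_value: Union[Decimal, str, int],
    rate_percent: Union[Decimal, str, int],
) -> TaxSplit:
    """Decide intra-state (CGST+SGST) vs inter-state (IGST) and compute amounts.

    Raises ValueError on any malformed identifier so bad data never reaches
    the invoice. Decimal is used throughout; never float for money.
    """
    if not validate_gstin(seller_gstin):
        raise ValueError("invalid seller GSTIN")
    if buyer_gstin is not None and not validate_gstin(buyer_gstin):
        raise ValueError("invalid buyer GSTIN")
    if not re.fullmatch(r"[0-9]{2}", place_of_supply_state):
        raise ValueError("place of supply must be a two-digit state code")

    value = Decimal(str(taxable_value))
    tax = value * Decimal(str(rate_percent)) / Decimal(100)

    # The supplier's state is the first two characters of its GSTIN.
    supplier_state = seller_gstin[:2]
    if supplier_state == place_of_supply_state:
        half = _money(tax / 2)               # CGST and SGST each take half the rate
        return TaxSplit(value, half, half, Decimal("0.00"))
    return TaxSplit(value, Decimal("0.00"), Decimal("0.00"), _money(tax))


if __name__ == "__main__":
    # Constructed sample: supplier in state 27, B2C sale delivered within 27.
    intra = split_gst("27AAPFU0939F1ZV", None, "27", "10000", "18")
    print("intra-state:", intra)
    # Constructed sample: same supplier, registered buyer with place of supply 29.
    inter = split_gst("27AAPFU0939F1ZV", "29AAPFU0939F1ZR", "29", "10000", "18")
    print("inter-state:", inter)
```

Two caveats a practitioner should keep in mind: a GSTIN that passes this check is well-formed, not necessarily active, so registration status still has to be confirmed against the GST portal before relying on it for input-tax credit; and for supplies where the place of supply is a Union Territory, the state half of the intra-state split is UTGST rather than SGST, which this example does not distinguish.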
Data residency
Customer data is stored and processed in an India region. Keeping data in-country is a deliberate default for healthcare and for organisations that need their records to stay within Indian jurisdiction.
Live: India data residency.
Roadmap
We are working toward formal, independently audited certifications. ISO/IEC 27001 and SOC 2 are planned. We have not yet completed either audit, and we will say so plainly until a report is in hand rather than claim a status we do not hold.
Planned: ISO/IEC 27001, SOC 2.