Clinic data is patient data. We treat it like both.
This page is written for your legal team. Standards are cited by article. Architecture is named by region. If your DPO or counsel wants any of the underlying documents in writing, ask. We will send the originals.

Clean reference list. Each entry: the regulation by full name, the jurisdiction it applies to, the operative articles, the version or in-force date, and a one-line plain-English statement of what it means for the clinic. Counsel can map each row to the official source; we have linked nothing here that is not separately verifiable in the official Gazette or regulator portal.
| Regulation | Jurisdiction | Operative articles | Version / date | What it means |
|---|---|---|---|---|
| UAE Federal Decree-Law No. 45 of 2021 (PDPL) | United Arab Emirates | Articles 4-6 (lawful bases), 5 (consent: free, specific, informed, unambiguous, revocable), 7-8 (controller and processor obligations, ROPA, sub-processor controls), 9 (breach notification), 10-11 (DPO for high-risk processing), 13-18 (data subject rights), 21 (DPIA mandatory for high-risk processing), 22-23 (cross-border transfer regime). | Effective 2 January 2022. Enforceable from January 2023. | The federal data-protection law that governs personal data of UAE residents. The Executive Regulations remain in development; we operate to a 72-hour internal breach-notification target by default. |
| UAE Federal Law No. 2 of 2019 on the Use of ICT in Health Fields | United Arab Emirates | Article 4 (confidentiality), Article 12 (in-State storage controls), Article 13 (the operative residency rule for health data created or related to services delivered in the UAE), Article 16 (confidentiality and written approval for disclosure), Article 17 (Ministry licence required for health advertising via the central system), Article 20 (health data retention of at least 25 years from the patient's last health procedure), Article 23 (penalties of AED 100,000-200,000 for unlicensed health advertising), Article 24 (penalties of AED 500,000-700,000 for violation of the Article 13 extra-territorial storage rule). | In force; 25-year retention duty operative. | The operative residency law. Identifiable health data created in the UAE may not leave the UAE except by an authorised exception. We design around Article 13 by default, not as an afterthought. |
| DHA Standards for Medical Advertisement Content on Social Media | Dubai (DHA), code DHA/HRS/HPSD/ST-21 | Section 5.3-5.5 (Medical Director pre-approval workflow for all SMAs), Section 7.3 (Medical Director accountable for content), Section 7.4 (DHA-facility patients may not be featured in international accounts). | Version 1.1, issued 03/08/2022, effective 03/10/2022, scheduled revision 03/08/2027. Reaffirmed by the DHA's 2025 circular. | The standard every Dubai clinic's social-media advertising is judged against. We do not run unapproved creative, period. |
| DoH Abu Dhabi ADHICS + Circular 26/2023 | Abu Dhabi (DoH) | ADHICS Section CM 4.2 (local hosting reinforcement). Circular 26/2023 (mandates the Training Programme on Abu Dhabi Healthcare Guidelines for Health Media and Advertising). | ADHICS in force; Circular 26/2023 in force. | The Abu Dhabi-side cyber-security and advertising-training requirements. Only completed-training facilities may log advertising materials. |
| MOHAP Ministerial Decision No. 1412 of 2017 | United Arab Emirates (MOHAP) | Code of Practice for Marketing of Medical Products. MOHAP digital-ad licensing: AED 1,000 per month or AED 3,000 per year per website or digital link, application fee AED 100, review and approval typically 1-3 working days. | In force. | The federal-level marketing code for medical products. We treat the MOHAP licensing fee as a line item, not a surprise. |
| Federal Decree-Law No. 55 of 2023 on the Regulation of Media | United Arab Emirates | UAE Media Council licence required for digital advertising activity by media-services providers. | In force. | The wider media-regulation perimeter. Our entity is registered, and we operate inside the licence. |
| KSA PDPL - Royal Decree M/19 (2021), amended by M/148 (2023) | Kingdom of Saudi Arabia | Article 3 (extra-territorial scope: applies to processing of personal data of individuals residing in Saudi Arabia, including by entities outside the Kingdom). Article 20 (controller must notify on breach awareness). Article 24 of the Executive Regulations (breach notification within no more than 72 hours of awareness). Article 29 (cross-border transfer regime). | In force 14 September 2023. Fully enforceable 14 September 2024. | The Saudi data-protection law. Reaches us when a clinic on the platform has a KSA-resident data subject, and we comply accordingly. |
| SDAIA Regulation on Personal Data Transfer Outside the Kingdom of Saudi Arabia | Kingdom of Saudi Arabia (SDAIA) | Lawful purpose, safeguards, and approved-mechanism requirements for cross-border transfers of KSA personal data. | August 2024. | The binding instrument for KSA cross-border transfers. We treat it as the operative document, not the older guidance. |
| NCA Cloud Cybersecurity Controls 2:2024 | Kingdom of Saudi Arabia (National Cybersecurity Authority) | Updated controls reflecting changes related to data localisation requirements for cloud services serving Saudi entities. | 2024. | The cloud-side controls for Saudi entities. Relevant for any KSA clinic on the platform. |
| Qatar MoPH Department of Healthcare Professions Circular | Qatar (MoPH) | Prohibits patient images, videos, or data without consent; advertising of unlicensed devices or unregistered drugs; live-stream surgical content; content contrary to Islamic culture and Qatari traditions; and specific medical consultations to social-media followers. | June 2021. | The healthcare-advertising boundary in Qatar. Applies to any Doha or Lusail clinic onboarded. |
| Qatar Law No. 13 of 2016 on Personal Data Privacy Protection | Qatar | Operative privacy statute. (No official English translation published in the sources we rely on; we use local counsel for article-level interpretation.) | In force. | The wider privacy perimeter for Qatari data subjects. We name it explicitly because most agencies do not. |
| HIPAA | United States (named here only to be set aside) | Not applicable to UAE-based clinics. | - | We operate to HIPAA-grade controls. We do not claim HIPAA compliance for UAE clinics. See Section 8. |
We list these for verification, not for show. If a source has been amended since publication of this page, write to legal@clinicboost.ae and the page will be updated within 14 days, dated.
Most marketing agencies running healthcare ads in Dubai do not have a documented data-residency policy. They run patient enquiries through Google Sheets. They forward WhatsApp messages to personal phones. They use AI tools whose terms of service permit training on the data submitted to them. Most clinics signing with most agencies have no idea any of this is happening, until a vendor due-diligence questionnaire arrives, or a DHA audit request lands on the medical director's desk.
Here is what we do differently.
The rule, first. Under UAE Federal Law 2 of 2019 Article 13, identifiable patient data created by health services delivered in the UAE may not be stored, processed, generated, or transformed outside the UAE except by a resolution issued by the competent health authority in coordination with the Ministry. We design around this rule by default. Our architecture starts with the question “where is the bucket?” and works outward from there.
Primary patient-data store. Microsoft Azure UAE North (Dubai) for production. Microsoft Azure UAE Central (Abu Dhabi) for redundancy. AWS me-central-1 (UAE) is the supported secondary for clinics that prefer AWS-side architecture.
Voice agent transcripts and call recordings. Stored in UAE-resident object storage. Twilio voice telephony is region-pinned to EU or Bahrain for the carrier leg, with audio streamed to a UAE-resident bucket immediately on call completion. The bucket is the source of truth, not the carrier.
LLM inference for any prompt that touches PHI. Azure OpenAI in UAE North. The prompt and the response stay inside the region. Where Anthropic is required for KSA-side flows, we route through AWS Bedrock in Bahrain.
Marketing top-of-funnel (non-PHI). GoHighLevel US. Only marketing fields. Never PHI. Never identifiable health information. Never anything that, in counsel's reading, would engage Article 13.
KSA-side secondary. AWS me-south-1 (Bahrain) for redundancy and KSA latency. Bahrain is not UAE-onshore on a strict reading of Article 13; we say so explicitly and we do not use it as the primary store for UAE-onshore PHI.
If your IT team wants the architecture diagram and sub-processor list as a PDF, ask. We will send it the same day. Request the architecture diagram.
Most agencies will not name their sub-processors in writing. We do, with the residency limits stated. This is the table the procurement team can copy into a vendor due-diligence questionnaire. The first row is the one most often missing in the agency contracts we have read.
| Vendor | Function | Default residency | UAE / KSA satisfaction | Our workaround |
|---|---|---|---|---|
| GoHighLevel (GHL) | CRM, marketing automation | US-hosted | No, for PHI under UAE Federal Law 2/2019 | Used only for non-PHI marketing fields. PHI routed to Azure UAE North or AWS me-central-1. HIPAA add-on signed where the BAA is operationally relevant. |
| Twilio | Voice and SMS telephony | Global, region-pinnable | Partial. No UAE-resident voice region. | Messaging pinned to EU or Bahrain region. Voice recordings stored in a UAE-resident object-storage bucket. |
| ElevenLabs | Voice synthesis (AI agent voice) | US-hosted | No | Acceptable for non-PHI scripts only. PHI never passes into prompts or output. |
| OpenAI / Anthropic | LLM inference | US-hosted. Anthropic also EU and AWS Bedrock. | No native UAE residency | Azure OpenAI in UAE North for any PHI-touching prompt. Or Anthropic via AWS Bedrock in Bahrain for KSA-side flows. |
| Microsoft Azure UAE North / UAE Central | Primary cloud infrastructure | United Arab Emirates | Yes | Primary recommended infrastructure for PHI and identifiable patient records. |
| AWS me-central-1 (UAE) | Secondary cloud infrastructure | United Arab Emirates | Yes | Acceptable secondary store for PHI. Used for redundancy and architectural choice. |
| AWS me-south-1 (Bahrain) | Regional redundancy | Bahrain | Yes for many GCC interpretations. Not UAE-onshore on the strict reading of Federal Law 2/2019 Article 13. | Used for redundancy and KSA-side latency. Not used as the primary store for UAE-onshore PHI. |
| Vercel | Marketing site hosting | US / EU | Marketing site only | The clinicboost.ae marketing site lives here. No PHI. |
If a vendor on this list ever changes its residency posture, we notify all active clinics in writing within 14 days. If a new vendor is added, we update this list within 14 days. Each row has a Data Processing Agreement available to clinic counsel on request, with the relevant clauses highlighted.
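As an added illustration (not clinicboost.ae's own code), a deny-by-default residency guard that encodes the routing rules stated above and in the table for UAE-onshore data: a record is treated as PHI unless every field is on a marketing allowlist, PHI is refused outside the UAE regions, and Bahrain is accepted only as a redundancy copy. Region labels, the allowlist and the sample records are constructed placeholders, not provider API names.

```python
from dataclasses import dataclass

# Destinations named on the page, grouped the way the page classifies them.
# Region identifiers are constructed labels, not provider API names.
UAE_ONSHORE = {"azure-uae-north", "azure-uae-central", "aws-me-central-1"}
GCC_SECONDARY = {"aws-me-south-1"}  # Bahrain: not UAE-onshore on the strict Article 13 reading
NON_PHI_ONLY = {"ghl-us", "elevenlabs-us", "vercel-us"}  # US-hosted sub-processors

# Deny-by-default allowlist: only these fields may reach a US-hosted destination.
# Anything not listed is treated as potentially identifiable health data.
MARKETING_FIELDS = {"first_name", "phone", "campaign", "utm_source", "enquiry_topic"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def classify(record: dict) -> str:
    """'marketing' only if every field is on the allowlist, otherwise 'phi'."""
    return "marketing" if set(record) <= MARKETING_FIELDS else "phi"


def check_destination(record: dict, region: str, role: str = "primary") -> Decision:
    """Decide whether this record may be written to, or processed in, this region.

    role: 'primary' for the source-of-truth store, 'secondary' for redundancy copies.
    """
    if classify(record) == "marketing":
        if region in UAE_ONSHORE | GCC_SECONDARY | NON_PHI_ONLY:
            return Decision(True, "non-PHI marketing fields; any listed destination")
        return Decision(False, f"{region} is not a listed sub-processor")
    if region in UAE_ONSHORE:
        return Decision(True, "UAE-onshore store; Article 13 satisfied")
    if region in GCC_SECONDARY and role == "secondary":
        return Decision(True, "Bahrain accepted only as a redundancy copy")
    if region in GCC_SECONDARY:
        return Decision(False, "Bahrain is not UAE-onshore; refused as primary PHI store")
    return Decision(False, f"{region} has no UAE residency; PHI refused under Article 13")


def strip_for_marketing(record: dict) -> dict:
    """Project a record down to the allowlist before it is sent to the marketing CRM."""
    return {k: v for k, v in record.items() if k in MARKETING_FIELDS}
```

Call `check_destination` in the write path of every store and LLM client, and log the returned reason with the request, so a refused write is visible in the audit trail rather than silently dropped.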
Encryption
- At rest: AES-256.
- In transit: TLS 1.3.
- Field-level encryption for personally identifiable information.
- Role-based access control with audit logging on read and write, retained for the duration of the engagement plus seven years.
Retention windows
- Marketing inquiry data. 24 months from last contact, by default. Extendable on written instruction from the clinic.
- Identifiable patient data under contract. At least 25 years from the patient's last health procedure, per UAE Federal Law 2 of 2019, Article 20. This is a clinic-level legal duty; we honour it as the clinic's processor, with retention controls aligned to the clinic's own clinical-records policy.
- Commercial billing records. 5-7 years per UAE commercial law.
Right to erasure
Patient right-to-erasure requests are acknowledged within 72 hours and completed within 30 days where the lawful basis permits. Erasure cannot override the 25-year retention duty for clinical records under Article 20. That is a clinic-level legal obligation, not a platform choice, and we say so on the request acknowledgement.
Patient-side consent
The first message a patient receives, on any channel we operate, is a clearly worded opt-in. Marketing communications and clinical communications are channel-separated; a patient consenting to one does not, by default, consent to the other. Consent must be free, specific, informed, unambiguous, and revocable (UAE PDPL Article 5).
Withdrawing consent is one tap. The withdrawal is processed within minutes and audit-logged with timestamp. Consent records are exportable on demand by the clinic, and by the data subject on request.
The DHA pre-approval workflow
Every social-media advertisement we produce on a Dubai clinic's behalf goes through the DHA Standard ST-21 v1.1 pre-approval flow. We draft. The clinic's Medical Director reviews and approves under Section 5.3-5.5. The approval is logged before launch, with the Medical Director's digital signature held in the engagement record.
We do not run unapproved creative. We do not feature DHA-facility patients in international accounts (Section 7.4). We do not use empty-certainty language (“100%”, “assured success”, “immediate results”). We do not use government or regulator logos without written approval.
For Abu Dhabi clinics, the DoH side runs in parallel: only facilities that have completed the Training Programme on Abu Dhabi Healthcare Guidelines for Health Media and Advertising (Circular 26/2023) may log advertising materials. We confirm completion at onboarding, in writing.
What we say
We operate to HIPAA-grade controls. Encryption at rest and in transit, audit logging, role-based access, and Business Associate Agreements with US-hosted sub-processors where one is operationally relevant.
What we will not say
We are not HIPAA-compliant, because the question is not the right one for a UAE clinic.
HIPAA is a United States statute. It does not govern UAE clinics and it does not govern the patient-data flows that originate inside the UAE. The clinic's regulatory perimeter is defined by the UAE PDPL (Federal Decree-Law 45/2021), UAE Federal Law 2 of 2019, the relevant emirate's health authority (DHA, DoH, MOHAP), and, for KSA clinics, the KSA PDPL (Royal Decree M/19, as amended by M/148) and the SDAIA Personal Data Transfer Regulation (August 2024).
Anyone offering HIPAA compliance as a UAE clinic guarantee is misreading the law. Even if, in some cases, the agency means well, the framing is wrong. We are happy to put this paragraph in writing, signed, on letterhead, for any procurement officer who needs it.
Detection
Continuous monitoring across the production stack. Alerting on anomalous read patterns, failed-auth bursts, and unexpected outbound traffic. Tooling named in the architecture diagram available on request.
Containment
Target: 1 hour from detection to containment.
Notification
UAE PDPL Article 9 requires notification “without undue delay”. The specific timeline is set by the Executive Regulations, which remain in development as of this writing. Our internal target is 72 hours from confirmation, in line with the standard set by Article 24 of the KSA PDPL Executive Regulations.
Disclosure
Disclosure to the clinic and, where applicable, to affected patients, is jointly drafted by the clinic's legal counsel and our team. We do not draft notification copy unilaterally.
Post-incident report
Delivered within 14 days of containment.
Whose name is on the line
Faheem ud Din, engineering accountability. Besnik, clinic-side accountability. Both signatures appear on every breach disclosure we issue.
Any clinic on contract can request a compliance audit at any time. No charge. No notice required. We will produce, within ten business days:
- The current data-flow diagram for your engagement.
- The current sub-processor list, with versioning.
- Retention logs for the in-scope data categories.
- The breach-response runbook, version-controlled.
- Our Record of Processing Activities (ROPA) per UAE PDPL Articles 7-8, scoped to your engagement.
- The completed Data Protection Impact Assessment for the voice-AI workflow per UAE PDPL Article 21.
We will sit on a video call with your legal counsel and walk it through, line by line, until they have what they need. If they find something missing or wrong, we fix it on the call and reissue the document the same week.
Request a compliance audit. The subject line will be pre-filled.
If your legal team has a list of questions, send the list. We answer in writing within 48 hours.
We chose to publish this page before we needed it. Most agencies publish it only when a procurement officer asks twice.
