A PDPA & MOH-Aligned Summary with Source References
The Bellix system is a secure, cloud-based platform used to manage appointments, customer communication, and workflow automation. It is a white-labeled software solution, deployed by Bellix Labs and backed by globally trusted infrastructure. This document outlines how the system aligns with Singapore’s PDPA and, where applicable, Ministry of Health (MOH) expectations.
1. Designed for Front-Facing, Service-Based Businesses
The Bellix system is designed to support:
- Appointment scheduling
- Storing customer contact information
- Sending WhatsApp/email reminders
- Automating marketing and follow-up flows
This system is suitable for consulting, coaching, education, wellness, TCM administration, and service-based industries. It is not intended for storing clinical data such as NRIC numbers, diagnoses, prescriptions, or medical records.
Source:
PDPA Advisory Guidelines on Healthcare: https://www.pdpc.gov.sg/guidelines-and-consultations/2020/02/advisory-guidelines-on-key-concepts-in-the-pdpa#Healthcare
MOH Cybersecurity Guidelines for Healthcare Providers (2023), Section 2.1.3
2. Enterprise-Grade Security
The Bellix system applies industry-standard security protocols including:
- AES-256 encryption for stored data
- TLS 1.2 or higher encryption for data in transit
- Hosting on certified cloud providers (Google Cloud and AWS) with SOC 2 and ISO 27001 certifications
- Daily automated backups and disaster recovery
- Role-based access control and multi-factor authentication
Source:
PDPA Section 24 – Protection Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr24-
3. Compliant with Singapore’s PDPA
The Bellix system supports your compliance with PDPA through:
- Prevention of unauthorized access
- Secure user permissions
- Ability to delete or export customer records on demand
- System activity logs and breach notification protocols
Relevant PDPA Clauses:
Section 24 – Protection Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr24-
Section 25 – Retention Limitation Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr25-
Section 23 – Accuracy Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr23-
4. Secure Cloud Hosting with International Transfers Allowed
Customer data is hosted in secure, internationally recognized cloud data centers located in the United States. PDPA allows such transfers if "comparable protection" is in place, which includes contractual safeguards, encryption, and certification under international frameworks.
Source:
PDPA Section 26 – Transfer Limitation Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr26-
EU-U.S. Data Privacy Framework: https://www.dataprivacyframework.gov/s/
5. Full Control and Visibility Over Your Data
You retain control over all customer records and system activity, including:
- User permissions and access rights
- Data retention and deletion
- Exporting customer lists or communications
- Reviewing audit logs and historical changes
Source:
PDPA Section 11 – Accountability Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr11-
MOH Cybersecurity Essentials Checklist – Items 4 & 8
6. Consent and Purpose Limitation Still Apply
Using Bellix does not override the need for customer consent. You must:
- Inform customers about how their data will be used
- Obtain consent before storing or contacting them
- Allow customers to update or withdraw their data at any time
We recommend including consent clauses in your booking forms and WhatsApp flows.
Relevant PDPA Clauses:
Sections 13–15 – Consent Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr13-
Section 18 – Purpose Limitation Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr18-
Use of Bellix in Non-Medical Businesses
If your business operates in any of the following areas (among others):
- Coaching or consulting
- Education or training
- Wellness, personal care, or beauty services
- Lifestyle and service appointments
The Bellix system allows you to:
- Manage clients and appointments securely
- Automate WhatsApp/email communication
- Remain fully aligned with PDPA standards
7. Additional Guidance for Medical Clinics and TCM Providers
Medical and TCM providers may use Bellix in a hybrid setup for non-clinical functions only.
Permitted Uses:
- Booking appointments
- WhatsApp/SMS reminders and marketing
- General notes (e.g., "new patient")
- Patient name and contact information
Source:
MOH Cyber and Data Security Guidelines for Healthcare Providers (2023), Section 2.1.3: "Administrative data such as patient demographics and appointment details also constitute health information and must be protected accordingly."
Restricted Data – Must Be Stored in a MOH-Compliant System:
- NRIC/passport numbers
- Diagnosis and medical conditions
- Prescription records or clinical notes
- Medical images, test results, or treatment history
Source:
MOH Healthcare Services Act (HCSA): https://www.moh.gov.sg/home/our-healthcare-system/healthcare-services-act
PDPA Section 26 – Transfer Limitation Obligation: https://sso.agc.gov.sg/Act/PDPA2012#pr26-
MOH-Recommended Hybrid Setup
MOH allows and recommends separating systems for different functions:
- Clinical system (e.g., Vault Dragon, Plato) – stores patient records, diagnosis, and treatment
- Bellix system – handles admin tasks, marketing, scheduling, and communications
This aligns with:
MOH Cybersecurity Essentials (Checklist for clinics)
MOH SmartCMS Requirements for Tier 1 CMS systems
8. Data Compliance Table
Type of Data | Store in Bellix | Store in MOH-Approved System |
---|---|---|
Patient name, contact number | Yes | Yes |
Appointment date/time | Yes | Yes |
WhatsApp reminders or follow-ups | Yes | No |
NRIC / passport number | No | Yes |
Diagnosis or medical conditions | No | Yes |
Prescriptions / clinical notes | No | Yes |
Lab results / medical images | No | Yes |
Summary
Bellix Labs deploys a white-labeled system designed to give businesses powerful communication, appointment, and workflow tools — while staying compliant with Singapore’s PDPA laws. When used appropriately:
- It provides strong data security and control
- It supports all marketing and front-desk tasks
- It is suitable for both general business and clinical admin use
- It should not store sensitive medical or financial data unless integrated with a compliant system