PIPEDA Alignment Overview

TranslationalAI is designed with privacy and regulatory alignment at its core. Our platform aligns with PIPEDA and healthcare data protection standards, ensuring clinician control, ephemeral storage, and Canadian data residency for healthcare professionals who prioritize patient privacy.

Through Canadian data residency, encryption standards, audit logging, and session-based architecture, we deliver healthcare-grade security designed to meet Canada's highest privacy standards.

🍁 Canadian Data Residency

Your Data Stays in Canada

All data is processed within Canada-hosted cloud infrastructure under Business Associate Agreements, ensuring alignment with PIPEDA requirements.

  • Data remains in Canada at all times
  • Cloud infrastructure hosted in Canadian regions
  • Database services with Canadian data residency
  • No cross-border data transfers

🗑️ Data Retention & Privacy

Ephemeral by Design

Our platform operates with minimal data retention, reducing long-term exposure risks through automatic deletion and stateless operations.

  • ChartPrepper: PDFs deleted immediately after processing
  • LightScribe: Temporary note retention with automatic expiry
  • Partner in Practice: Operates entirely in-session with no data storage
  • Default stateless behavior reduces risk exposure

🔒 Encryption & Access Control

Healthcare-Grade Security

Multiple layers of encryption and access controls protect your data with industry-leading security standards.

  • TLS 1.2+ secures all data in transit
  • AES-256 encryption for data at rest
  • Managed encryption keys for cloud storage
  • Key management services for database encryption
  • Role-based access with comprehensive auditing

📊 Audit Logging & Security Monitoring

SOC 2-Style Monitoring

Comprehensive logging and monitoring ensure complete visibility into system access and operations.

  • SOC 2-style logging for logins, uploads, deletions, and scribe activity
  • Automated alerts for repeated failures or anomalies
  • Regular log reviews with secure storage
  • Complete audit trail for compliance reporting

📋 Vendor Contracts & Subprocessors

Verified Business Associate Agreements

All cloud providers operate under strict Business Associate Agreements with no unauthorized data sharing.

  • BAAs signed with Canadian cloud infrastructure providers
  • Comprehensive logging and monitoring services under BAA
  • No third-party data sharing without explicit user consent
  • No data used for AI training purposes

⚡ Session-Based Architecture

Stateless by Design

Our architecture minimizes data persistence, reducing breach risk through intelligent session management.

  • Applications are stateless by design
  • No persistent storage unless explicitly saved by user
  • Short-lived cache with automatic expiry
  • Reduced risk exposure in event of security incident

PIPEDA 10 Principles Alignment

📋 1. Accountability

Privacy Officer designated. Subprocessor list maintained. SOC 2-style audit logging in place.

🎯 2. Identifying Purposes

Privacy policy clearly outlines why data is collected and how it's used.

3. Consent

Consent banner implemented with tracking. No data processed without opt-in.

📏 4. Limiting Collection

Only essential patient fields captured (demographics, complaint). No excess data stored.

5. Limiting Use & Retention

Session-based design with automatic deletion: ChartPrepper deletes files post-processing; LightScribe uses temporary note retention with automatic expiry.

🎯 6. Accuracy

Input validation and PHI redaction routines ensure data accuracy.

🛡️ 7. Safeguards

TLS 1.2+, AES-256 encryption, role-based access, audit logging, and key management services.

📖 8. Openness

Public privacy policy accessible in footer. Clear language used throughout.

👤 9. Individual Access

DSAR endpoint available for data access, export, or deletion requests.

⚖️ 10. Challenging Compliance

Complaint process with 30-day SLA. Escalation route to Privacy Commissioner available.

Alignment Summary

PIPEDA: Consent-driven use, ephemeral storage, DSAR endpoint, public privacy policy, vendor BAAs
Canadian Data Sovereignty: All data processing and storage within Canadian borders
HIPAA-Ready (US): Infrastructure designed to scale to HIPAA-aligned regions using the same encrypted-by-default approach

Privacy-First Healthcare Technology You Can Trust

Built by Canadian doctors for Canadian healthcare professionals who prioritize patient privacy.

This overview describes privacy commitments, not implementation details.

Questions about our privacy approach?

Contact Our Privacy Officer