Compliance and Security

ClinicalFlow is designed to meet the highest standards of security and privacy, with a focus on Canadian data residency and compliance with federal and provincial regulations.

Our Commitment to Compliance

PIPEDA & PHIPA Compliance

Our system is designed to be compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA) of Ontario.

Data Residency in Canada

All data at rest, including transcripts and clinical notes, is stored within Canada. All data processing is also handled by services hosted in Canadian data centers (Montréal, Québec).

De-identification of Data

We use Google Cloud Data Loss Prevention (DLP) to de-identify transcripts, removing personal and health identifiers to protect patient privacy, in accordance with PHIPA's risk-based standard.

Access Control

We enforce the principle of least privilege using Google Cloud Identity and Access Management (IAM), ensuring that only authorized personnel have access to sensitive data.

Secure Infrastructure

We use VPC Service Controls to create a service perimeter, preventing data exfiltration and ensuring that services can communicate with each other only privately.