Vendor Privacy Compliance
Effective Date: February 13, 2026
Our Commitment to Your Privacy
MediNote Health Inc. (“MediNote”) is committed to protecting the privacy and security of your personal health information (PHI) in accordance with Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) and the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This page explains how our third-party service providers handle your information and the safeguards we have in place to ensure compliance.
Our Approach to Vendor Privacy
MediNote selects and monitors third-party service providers through a rigorous privacy and security evaluation process. Before engaging any vendor that may access, process, or store personal health information, we:
- Conduct a Privacy Impact Assessment (PIA) to evaluate potential risks to patient privacy
- Review the vendor’s security certifications, compliance posture, and data handling practices
- Execute a Data Sharing Agreement (DSA) or Information Sharing Agreement (ISA) that contractually requires the vendor to comply with PHIPA and PIPEDA obligations
- Verify data residency requirements and cross-border data transfer safeguards
- Implement technical controls including encryption, access restrictions, and audit logging
- Perform ongoing monitoring and periodic reassessment of vendor compliance
Data Residency
All primary personal health information is stored within Canada. Our core infrastructure, including databases, file storage, and application servers, is hosted in the AWS Canada (Central) region (ca-central-1), located in Montreal, Quebec. This ensures that patient health records remain subject to Canadian privacy legislation at all times.
Where a vendor may process data outside of Canada (for example, transient processing for payment authorization), we ensure that:
- No personal health information is included in cross-border transmissions
- Appropriate contractual safeguards are in place under PIPEDA’s accountability principle
- Data is encrypted in transit and at rest using industry-standard protocols
Vendor Compliance Matrix
The following table summarizes the third-party service providers that MediNote engages, the nature of data they may access, and their compliance credentials.
| Vendor | Service | Data Handled | Location | Compliance |
|---|---|---|---|---|
| AWS | Cloud hosting, database (RDS), file storage (S3) | All PHI, user data, medical records | ca-central-1 (Canada) | SOC 2 Type II, ISO 27001, PIPEDA-compatible |
| Stripe | Payment processing | Payment card data, billing info (no PHI) | PCI DSS Level 1 certified infrastructure | SOC 2 Type II, PCI DSS Level 1 |
| Twilio | Voice calls for consultations | Call metadata, phone numbers (no PHI stored) | SOC 2 Type II certified infrastructure | SOC 2 Type II, PIPEDA-compatible |
| Sentry | Error tracking and monitoring | Error logs (PII auto-redacted, no PHI) | SOC 2 Type II certified infrastructure | SOC 2 Type II |
| Resend | Transactional emails | Email addresses, appointment confirmations (no medical content) | TLS-encrypted transmission | TLS encryption, SOC 2 Type II |
| Google Gemini | AI-powered clinical note assistance | De-identified clinical data only | Google Cloud (no persistent storage) | Google Cloud PIPEDA compliance, SOC 2 Type II |
Detailed Vendor Information
Amazon Web Services (AWS)
AWS provides the core infrastructure for MediNote, including application hosting, the PostgreSQL database (via Amazon RDS), and file storage (via Amazon S3).
- Data accessed: All personal health information, including patient records, medical documents, appointment data, and uploaded files
- Purpose: Hosting and delivering the MediNote platform; storing and retrieving patient health records as directed by MediNote
- Safeguards: AES-256 encryption at rest, TLS 1.2+ encryption in transit, VPC network isolation, IAM role-based access controls, CloudTrail audit logging
- Data residency: All data resides in the ca-central-1 (Montreal) region. No cross-border transfers occur for stored PHI
- Certifications: SOC 1/2/3 Type II, ISO 27001, ISO 27017, ISO 27018, CSA STAR, PIPEDA-compatible under the AWS Canadian Data Residency commitments
Stripe
Stripe processes payments for MediNote consultations and services.
- Data accessed: Payment card details, billing information, and transaction amounts. No personal health information is transmitted to Stripe
- Purpose: Securely processing patient payments for telehealth consultations, sick notes, and other medical services
- Safeguards: PCI DSS Level 1 compliance (the highest level of payment security certification), tokenization of card data, end-to-end encryption
- Data residency: Payment data is processed through Stripe’s PCI-certified infrastructure. MediNote does not transmit PHI to Stripe; only billing amounts and generic service descriptions are shared
- Certifications: PCI DSS Level 1, SOC 2 Type II
Twilio
Twilio provides voice calling capabilities used during doctor-patient consultations.
- Data accessed: Phone numbers and call metadata (duration, timestamps). Call content is not recorded or stored by Twilio
- Purpose: Facilitating real-time voice consultations between patients and physicians as part of the telehealth service
- Safeguards: TLS/SRTP encryption for voice calls, API key authentication, no call recording enabled, call metadata retained only for service delivery
- Data residency: Call signalling may transit through Twilio’s global infrastructure, but no PHI is stored by Twilio. Consultation content remains solely between the patient and physician
- Certifications: SOC 2 Type II, ISO 27001, PIPEDA-compatible
Sentry
Sentry provides error tracking and application monitoring to help MediNote maintain platform reliability and quickly resolve technical issues.
- Data accessed: Application error logs and stack traces. Personally identifiable information (PII) is automatically scrubbed before transmission. No personal health information is sent to Sentry
- Purpose: Identifying and resolving software errors to ensure the platform remains secure and available for patient care
- Safeguards: PII auto-redaction, data transmitted through a tunnelled route (/monitoring) to prevent ad-blocker interference, TLS encryption in transit
- Data residency: Error logs are processed in Sentry’s infrastructure. Since no PHI or PII is transmitted, cross-border considerations do not apply
- Certifications: SOC 2 Type II
Resend (Email Service)
Resend delivers transactional emails on behalf of MediNote, including appointment confirmations, password resets, and account notifications.
- Data accessed: Email addresses and non-medical notification content (appointment times, account status). No medical content, diagnoses, or clinical information is included in emails
- Purpose: Delivering time-sensitive transactional communications to patients and healthcare providers
- Safeguards: TLS encryption for all email transmission, DKIM and SPF authentication to prevent email spoofing, no storage of email content beyond delivery
- Data residency: Email is transmitted via TLS-encrypted channels. Since no PHI is included in email content, cross-border transit of email delivery infrastructure does not expose health information
- Certifications: SOC 2 Type II, TLS encryption
Google Gemini (AI Clinical Assistance)
Google Gemini provides AI-powered assistance for generating clinical documentation, including SOAP notes and history of present illness (HPI) summaries, under physician supervision.
- Data accessed: De-identified clinical data only. Patient-identifying information (name, date of birth, health card number) is stripped before any data is sent to the AI model
- Purpose: Assisting physicians in drafting structured clinical notes to improve documentation quality and reduce administrative burden. All AI-generated content is reviewed and approved by a licensed physician before becoming part of the patient record
- Safeguards: Data de-identification prior to transmission, TLS encryption in transit, no persistent storage of patient data by Google, API-level access controls
- Data residency: Data is processed through Google Cloud’s API infrastructure. No identifiable PHI is transmitted, and Google does not retain submitted data for model training when using the API
- Certifications: Google Cloud SOC 1/2/3 Type II, ISO 27001, ISO 27017, PIPEDA compliance under Google Cloud’s Canadian data protection commitments
PHIPA Agent Requirements
Under the Personal Health Information Protection Act, 2004 (PHIPA), third-party service providers who handle personal health information on behalf of a health information custodian are classified as “agents” (Section 17). As a health information custodian, MediNote requires all agents to:
- Comply with PHIPA requirements — Agents must handle PHI in accordance with PHIPA and any applicable regulations, as if they were bound by the same obligations as the custodian
- Limit use to specified purposes — PHI may only be used or disclosed for the purposes specified by MediNote, consistent with the purpose limitation principle
- Implement appropriate safeguards — Agents must maintain administrative, technical, and physical safeguards that are no less protective than those required under PHIPA
- Notify MediNote of any breach — Agents must immediately notify MediNote of any unauthorized access to, use of, disclosure of, or loss of PHI
- Permit audits and inspections — MediNote retains the right to audit agent practices and verify compliance with contractual privacy obligations
- Return or destroy PHI upon termination — Upon termination of the service agreement, agents must securely return or destroy all PHI in their possession, and provide written certification of destruction where applicable
PIPEDA Accountability Principle
Under PIPEDA Principle 1 (Accountability), MediNote remains responsible for personal information that is handled by third parties on our behalf. This means:
- MediNote’s Privacy Officer has overall accountability for compliance with privacy legislation, including oversight of all vendor relationships involving personal information
- We implement contractual measures (Data Sharing Agreements and Information Sharing Agreements) that require third parties to provide a comparable level of protection
- We conduct due diligence before engaging any new vendor and maintain ongoing oversight through periodic compliance reviews
- Individuals may direct privacy complaints and access requests to MediNote, even where a third-party vendor is involved in data processing
- We maintain a record of all third-party service providers who may access personal information and the specific purposes for which access is granted
Privacy Impact Assessments
MediNote conducts a Privacy Impact Assessment (PIA) for each new vendor integration or significant change to an existing vendor relationship that involves personal health information. Our PIA process includes:
- Data flow mapping — Identifying what personal information will be shared, how it will be transmitted, where it will be stored, and who will have access
- Risk assessment — Evaluating potential threats to confidentiality, integrity, and availability of personal health information
- Mitigation measures — Implementing technical and organizational controls to reduce identified risks to an acceptable level
- Cross-border analysis — Assessing whether any personal information may be processed or stored outside of Canada and ensuring appropriate safeguards
- Compliance verification — Confirming the vendor’s certifications, security posture, and contractual commitments meet PHIPA and PIPEDA requirements
- Ongoing review — PIAs are reviewed and updated when vendor services change, when new data types are involved, or at minimum on an annual basis
Breach Notification
In the event of a privacy breach involving a third-party vendor, MediNote follows a structured breach response process in accordance with PHIPA (Section 12) and PIPEDA breach notification requirements:
- Immediate containment — Upon becoming aware of a breach, we work with the vendor to immediately contain the incident and prevent further unauthorized access
- 72-hour notification — Under PHIPA, the Information and Privacy Commissioner of Ontario (IPC) must be notified of a breach of PHI at the first reasonable opportunity. MediNote targets notification within 72 hours of confirming a breach
- Affected individual notification — We notify affected individuals at the first reasonable opportunity, providing details about the nature of the breach, the information involved, and steps being taken to mitigate harm
- Regulatory reporting — Where required, we report to the Information and Privacy Commissioner of Ontario (IPC) under PHIPA and to the Office of the Privacy Commissioner of Canada (OPC) under PIPEDA
- Investigation and remediation — A thorough investigation is conducted to determine root cause, and corrective measures are implemented to prevent recurrence
- Documentation — All breach incidents, including vendor-related breaches, are documented in our breach registry with details of the investigation, notification, and remediation actions taken
Cross-Border Data Transfers
MediNote’s primary commitment is to keep all personal health information within Canada. Where ancillary services involve infrastructure that may be located outside of Canada (for example, certain email relay servers or payment processing nodes), we ensure that:
- No identifiable personal health information is included in cross-border data flows
- Contractual protections require a comparable level of privacy protection regardless of jurisdiction, consistent with PIPEDA’s accountability principle
- Where possible, we use Canadian or in-region processing endpoints
- Patients are informed of any material cross-border data handling through this disclosure
Note: Under PIPEDA, organizations may transfer personal information to service providers in other jurisdictions provided that contractual or other means ensure a comparable level of protection. MediNote does not transfer identifiable PHI outside of Canada.
Your Rights
Under PHIPA and PIPEDA, you have the right to:
- Request access to your personal health information held by MediNote or our agents
- Request a list of the third parties to whom your information has been disclosed
- Request corrections to inaccurate or incomplete information
- Withdraw consent for non-essential uses of your information (subject to legal retention requirements)
- File a complaint with MediNote’s Privacy Officer or with the applicable regulatory authority
Related Policies
For more information about how MediNote protects your privacy, please review:
- Privacy Policy — How we collect, use, and disclose personal information
- Health Privacy Notice — Your rights under PHIPA and how we protect your health information
- Terms of Service — The terms governing your use of MediNote’s platform
Contact Our Privacy Officer
If you have questions about how our third-party vendors handle your personal health information, or if you wish to exercise any of your privacy rights, please contact:
Regulatory Authorities
- Ontario: Information and Privacy Commissioner of Ontario (IPC)
- Canada (Federal): Office of the Privacy Commissioner of Canada (OPC)
Last reviewed: February 13, 2026. This vendor privacy compliance page is reviewed at least annually and updated whenever there is a material change in our vendor relationships or applicable privacy legislation.