Security & Compliance
Built from the ground up to protect sensitive health information. Canadian hosting, encryption everywhere, and full regulatory compliance.
Our Canadian Data Promise
Every byte of your data—patient records, session notes, files, backups, and AI processing—stays in Canada. We use Canadian-region infrastructure from Railway, AWS (ca-central-1), and RunPod Canadian pods. Your patients' protected health information (PHI) never crosses international borders.
Security Built In, Not Bolted On
100% Canadian Hosting
All data—databases, files, backups, and AI processing—is hosted exclusively in Canadian data centers. Your patients' PHI never crosses borders.
Encryption in Transit and at Rest
TLS 1.2 or later protects all data in transit; AES-256 encryption protects all data at rest, including databases, files, and backups. Your data is protected at every step.
Role-Based Access
Granular permissions ensure staff only see what they need. Owners, admins, clinicians, and support staff have appropriate access levels.
Audit Logging
Comprehensive logs of all access and changes. Know who accessed what and when. Required for compliance and incident response.
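As an added illustration of the two controls above (role-based access and audit logging), not code from Promptly: an access check that resolves the caller's role server-side rather than trusting the request, derives the required permission from the resource type, and writes an audit record for every decision, denials included, so the log can answer "who accessed what and when". The four roles are the ones named on this page; the permission matrix, user names, resource paths and log layout are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed permission matrix for the four roles named on the page. Each role
# gets only the permissions its job needs (least privilege); this is an
# illustration, not Promptly's actual configuration.
ROLE_PERMISSIONS = {
    "owner":     {"patient:read", "patient:write", "notes:read", "notes:write",
                  "schedule:read", "schedule:write", "users:manage", "audit:read"},
    "admin":     {"patient:read", "schedule:read", "schedule:write",
                  "users:manage", "audit:read"},
    "clinician": {"patient:read", "patient:write", "notes:read", "notes:write",
                  "schedule:read"},
    "support":   {"patient:read", "schedule:read", "schedule:write"},
}

# Assumed identity store: the role is looked up from the authenticated user
# on the server side and is never taken from the request itself.
USER_ROLES = {
    "dr.lee": "clinician",
    "front-desk": "support",
    "clinic-owner": "owner",
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str          # UTC timestamp, ISO 8601
    actor: str       # authenticated user
    role: str        # role resolved for that user
    permission: str  # e.g. "notes:read"
    resource: str    # e.g. "notes/patient-42"
    allowed: bool    # decision; denials are logged as well


class AuditLog:
    """Append-only in-memory log; a real deployment would write each event
    to durable, write-once storage."""

    def __init__(self) -> None:
        self._events: list[AuditEvent] = []

    def record(self, event: AuditEvent) -> None:
        self._events.append(event)

    def events(self) -> list[AuditEvent]:
        return list(self._events)  # copy, so callers cannot mutate the log

    def who_accessed(self, resource: str) -> list[tuple[str, str]]:
        """Answer 'who accessed what and when' for one resource."""
        return [(e.ts, e.actor) for e in self._events
                if e.resource == resource and e.allowed]


class AccessControl:
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit

    def check(self, actor: str, action: str, resource: str) -> bool:
        # Resolve the role server-side; unknown users and roles fail closed.
        role = USER_ROLES.get(actor, "unknown")
        # The required permission follows from the resource type, so reading
        # "notes/patient-42" needs "notes:read".
        permission = f"{resource.split('/', 1)[0]}:{action}"
        allowed = permission in ROLE_PERMISSIONS.get(role, set())
        self.audit.record(AuditEvent(
            ts=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            actor=actor, role=role, permission=permission,
            resource=resource, allowed=allowed))
        return allowed


def demo() -> tuple[bool, bool, bool, int]:
    """Constructed scenario: a clinician reads a session note, front-desk
    staff try to read the same note, and an unknown user tries as well."""
    log = AuditLog()
    ac = AccessControl(log)
    clinician_ok = ac.check("dr.lee", "read", "notes/patient-42")
    support_ok = ac.check("front-desk", "read", "notes/patient-42")
    stranger_ok = ac.check("nobody", "read", "notes/patient-42")
    return clinician_ok, support_ok, stranger_ok, len(log.events())


if __name__ == "__main__":
    print(demo())  # (True, False, False, 3)
```

The denied attempts are the interesting part of the log for incident response: a support account repeatedly probing clinical notes shows up even though it never saw any PHI.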
Automatic Backups
Daily encrypted backups stored in Canada. Point-in-time recovery capability. Your data is safe even in worst-case scenarios.
Secure Infrastructure
Built on Railway, AWS, and RunPod with enterprise-grade security. Regular security audits and penetration testing.
Regulatory Compliance
Promptly is designed to help you meet your regulatory obligations across multiple jurisdictions.
PIPEDA
Canada (Federal): Personal Information Protection and Electronic Documents Act
Canada's federal privacy law governing how private-sector organizations collect, use, and disclose personal information.
PHIPA
Ontario: Personal Health Information Protection Act
Ontario's health privacy law establishing rules for the collection, use, and disclosure of personal health information.
Law 25
Quebec: Quebec Privacy Law (Bill 64)
Quebec's modernized privacy legislation with strict consent and data protection requirements.
GDPR
European Union: General Data Protection Regulation
EU regulation on data protection and privacy. We align with GDPR principles for any EU users.
HIPAA
United States: Health Insurance Portability and Accountability Act
US law protecting sensitive patient health information. We follow HIPAA safeguards for US-based patients.
How We Handle Your Data
Data Minimization
We only collect and process the minimum data required to provide our services. No unnecessary data collection, no selling data to third parties.
Purpose Limitation
Your data is used solely to provide clinical operations services. We never use patient data to train AI models without explicit, written consent.
Data Retention
Clinical records are retained per regulatory requirements (typically 10 years). You can configure retention policies per your jurisdiction. AI processing logs are retained for 90 days (metadata only).
Right to Deletion
We support data subject access requests and right to erasure (subject to legal retention requirements). Request deletion through your account settings or contact support.