MOVO-X Canada complies with all Canadian federal and provincial health privacy regulations — from the federal PIPEDA framework to Quebec's strict Law 25 requirements. Every deployment includes a signed Data Processing Agreement.
Canada's health privacy landscape is layered — federal PIPEDA applies as a baseline, with provincial laws applying where they are deemed "substantially similar" by the Privacy Commissioner. MOVO-X is built to satisfy all of them simultaneously.
Quebec's Act respecting the protection of personal information in the private sector (Bill 64 / Law 25) is among the strictest privacy laws in North America. In force since September 2023, it mandates a signed DPA with every processor, a designated Privacy Officer, 72-hour breach notification to the CAI, and a Privacy Impact Assessment before any cross-border transfer.
MOVO-X provides a complete Law-25-aligned DPA, a bilingual PIA template, and an incident-response runbook to every Quebec clinic customer.
Full Law 25 compliance page →The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector organisations collect, use, and disclose personal information in the course of commercial activity. It applies to MOVO-X as a software-as-a-service provider processing patient data on behalf of Canadian clinics.
Ontario's PHIPA regulates how "health information custodians" (physicians, clinics, hospitals) collect, use, and disclose "personal health information" (PHI). As a technology agent acting on behalf of custodians, MOVO-X operates under PHIPA's agent framework.
Both British Columbia's Personal Information Protection Act (BC PIPA) and Alberta's equivalent are deemed "substantially similar" to PIPEDA by the federal Privacy Commissioner — meaning PIPEDA does not apply to intra-provincial activity in those provinces, and the provincial law governs instead. MOVO-X's security and consent framework satisfies both.
AES-256 — every database row and uploaded document is encrypted before it touches storage.
TLS 1.3 enforced. HSTS with max-age=31536000, includeSubDomains.
Supabase Row Level Security — deny-all policies on anon and authenticated roles. Service-role key stays server-side only.
JWT (HS256) stored in httpOnly, sameSite=lax, Secure cookies. No localStorage tokens. Clinic-scoped JWT prevents cross-tenant access.
Immutable append-only log of every read and write to patient data. 7-year retention per PIPEDA.
Supabase project in ca-central-1 (Montréal). Vercel region yul1. No patient data leaves Canada.
DPA templates, PIA worksheets, incident-response runbooks, and security architecture docs are available under NDA to clinics evaluating MOVO-X.