ARPPIPS · CAI · In force since 22 Sep 2023

Quebec Law 25 compliance.

The full mechanics of how MOVO-X processes Quebec patient data under Law 25 — the Act respecting the protection of personal information in the private sector (ARPPIPS). Data Processing Agreement clauses, Privacy Impact Assessment, incident response, audit rights, cross-border transfer policy.

Data residency
Canada · ca-central-1 (Montréal). No cross-border replication.
Privacy officer
Designated and disclosed in every signed DPA.
Incident response
72-hour controller + CAI notification, per s. 3.5 ARPPIPS.

DPA — required clauses.

Law 25 requires that when a controller (the clinic) entrusts personal information to a processor (MOVO-X), a written Data Processing Agreement is signed. The Act sets a minimum content. Every MOVO-X DPA covers these clauses verbatim.

Clause 1

Purpose of processing

MOVO-X processes patient PI strictly to deliver self check-in, queue management, payment posting, document capture, and clinical operations on behalf of the clinic. No analytics, no training data, no secondary use.

Clause 2

Confidentiality measures

AES-256 encryption at rest, TLS 1.2+ in transit, row-level security on every clinical table (deny-by-default), application-layer encryption for sensitive PHI fields, role-based access, immutable audit log of every read and write.

Clause 3

Use limitation

PI is used only to fulfil the mandate. MOVO-X will not access PI outside the documented support workflows; staff access is gated by named role and audited.

Clause 4

Incident notification

MOVO-X notifies the clinic of any confidentiality incident or attempted incident without undue delay (target: 24h discovery, 72h substantive notice with scope, cause, and mitigation). Notification to the CAI follows the s. 3.5 ARPPIPS protocol.

Clause 5

Audit rights

The clinic may audit MOVO-X's technical and organisational measures on reasonable notice — including reviewing access logs, infrastructure documentation, and personnel training records. SOC 2 reports available to in-contract customers.

Clause 6

Subprocessors

Subprocessor list disclosed at contract signature (current: Supabase / AWS ca-central-1, Vercel yul1, Resend, Twilio when SMS enabled). 30-day advance notice on additions; clinic may object.

Clause 7

Cross-border transfer

All Quebec patient PI is stored in Canada (ca-central-1). Any incidental cross-border transfer (e.g. support engineer outside Canada accessing a debugging log) requires a Privacy Impact Assessment (PIA) under ARPPIPS s. 17, performed before access.

Clause 8

Return / destruction on termination

On termination, MOVO-X exports the clinic's entire dataset (Postgres dump + document archive + audit log) within 30 days and destroys all copies on its systems on receipt of written confirmation, retaining only what legal retention requires.

Incident response playbook.

Sequence MOVO-X follows on any confirmed or suspected confidentiality incident affecting Quebec patient data.

  1. T+0 · Detection. Automated alerts (auth anomalies, query-volume spikes, RLS bypass attempts) plus on-call rotation. Incident logged in the audit table.
  2. T+15 min · Containment. Affected credentials rotated, suspicious sessions terminated, write-path locked if scope is unclear. CTO + named privacy officer paged.
  3. T+4 h · Scoping. Forensic snapshot of audit trail. Identify the data classes, patient count, geographic scope, and root cause.
  4. T+24 h · Clinic notification. Written incident notice to the controller — facts known, facts unknown, working hypothesis, remediation in flight.
  5. T+72 h · CAI notification. Where the incident reaches the "serious injury" threshold per ARPPIPS s. 3.5, MOVO-X assists the clinic in filing the Commission d'accès à l'information notification.
  6. T+30 d · Post-mortem. Public-facing write-up shared with the clinic. Mitigations baked into the platform.

Privacy Impact Assessment.

Per ARPPIPS s. 17 and the CAI guidance (published Sep 2023), a PIA is required before any cross-border transfer of PI and for any new processing carrying a privacy risk. MOVO-X provides a PIA template and walks the clinic through it during onboarding.

PIA scope
Data classes, processing purposes, retention, security measures, third-party recipients, cross-border flows, data-subject rights.
Methodology
Aligned to the CAI's 2023 guide. Identifies risks, quantifies likelihood + impact, documents mitigations.
Refresh cadence
On every material change to processing; minimum every 24 months.
Template provided
Yes — bilingual EN/FR. Disclosed under the signed DPA before pilot start.

Request the full DPA + PIA template.

MOVO-X provides the complete Law-25-aligned DPA, the PIA template, the IR runbook, and the SOC 2 report under NDA. Available on demand to Quebec clinics evaluating MOVO-X.