The full mechanics of how MOVO-X processes Quebec patient data under Law 25 — the Act respecting the protection of personal information in the private sector (ARPPIPS). Data Processing Agreement clauses, Privacy Impact Assessment, incident response, audit rights, cross-border transfer policy.
Law 25 requires that when a controller (the clinic) entrusts personal information to a processor (MOVO-X), a written Data Processing Agreement is signed. The Act sets a minimum content. Every MOVO-X DPA covers these clauses verbatim.
MOVO-X processes patient PI strictly to deliver self check-in, queue management, payment posting, document capture, and clinical operations on behalf of the clinic. No analytics, no training data, no secondary use.
AES-256 encryption at rest, TLS 1.2+ in transit, row-level security on every clinical table (deny-by-default), application-layer encryption for sensitive PHI fields, role-based access, immutable audit log of every read and write.
PI is used only to fulfil the mandate. MOVO-X will not access PI outside the documented support workflows; staff access is gated by named role and audited.
MOVO-X notifies the clinic of any confidentiality incident or attempted incident without undue delay (target: 24h discovery, 72h substantive notice with scope, cause, and mitigation). Notification to the CAI follows the s. 3.5 ARPPIPS protocol.
The clinic may audit MOVO-X's technical and organisational measures on reasonable notice — including reviewing access logs, infrastructure documentation, and personnel training records. SOC 2 reports available to in-contract customers.
Subprocessor list disclosed at contract signature (current: Supabase / AWS ca-central-1, Vercel yul1, Resend, Twilio when SMS enabled). 30-day advance notice on additions; clinic may object.
All Quebec patient PI is stored in Canada (ca-central-1). Any incidental cross-border transfer (e.g. support engineer outside Canada accessing a debugging log) requires a Privacy Impact Assessment (PIA) under ARPPIPS s. 17, performed before access.
On termination, MOVO-X exports the clinic's entire dataset (Postgres dump + document archive + audit log) within 30 days and destroys all copies on its systems on receipt of written confirmation, retaining only what legal retention requires.
Sequence MOVO-X follows on any confirmed or suspected confidentiality incident affecting Quebec patient data.
Per ARPPIPS s. 17 and the CAI guidance (published Sep 2023), a PIA is required before any cross-border transfer of PI and for any new processing carrying a privacy risk. MOVO-X provides a PIA template and walks the clinic through it during onboarding.
MOVO-X provides the complete Law-25-aligned DPA, the PIA template, the IR runbook, and the SOC 2 report under NDA. Available on demand to Quebec clinics evaluating MOVO-X.