Trust in a healthcare technology vendor requires more than a privacy policy page. It requires verifiable architecture decisions, documented compliance frameworks, and a clear accountability chain. Here is ours.
All MOVO-X patient data — structured records, consent logs, health card scans, triage summaries, audit logs — is stored exclusively in AWS ca-central-1 (Montréal, Canada). There is no cross-border data transfer to US or other foreign jurisdictions.
Patient data is encrypted at rest and in transit using current industry standards. No unencrypted patient data exists anywhere in the MOVO-X stack.
All plans comply with the federal Personal Information Protection and Electronic Documents Act. PIPEDA Schedule 1 10 principles implemented. Signed DPA on request.
Learn more →All 22 Law 25 requirements implemented: PIA, data minimisation, 72h breach notification to Commission d'accès à l'information, transfer prohibitions, DPO on record.
Learn more →PHIPA Information Sharing Agreement (ISA) and attestation letter provided with Enterprise contracts. PHIPA Officer designated.
Learn more →British Columbia Personal Information Protection Act and Alberta PIPA requirements satisfied. Available as addendum to standard DPA.
Learn more →OWASP Zed Attack Proxy (ZAP) automated security scan completed. Results available to Enterprise prospects under NDA.
Learn more →SOC 2 Type II audit engagement underway with a Canadian-accredited auditor. Expected completion Q4 2026. Bridge letter available on request.
Learn more →Every database table has Postgres Row-Level Security (RLS) enabled. The anonymous key cannot read any row — not a configuration option, but enforced at the database engine level.
Custom HS256 JWT issued per user/kiosk. Stored in httpOnly, sameSite=lax, secure-flagged cookies. No token in localStorage. 15-minute access token + rotating refresh token.
Kiosk devices authenticate with an API key + HMAC signature. Each kiosk is registered to a specific clinic. A compromised kiosk cannot access other clinics' data.
Strict CSP headers block XSS by default. No inline styles or scripts outside of explicitly allowlisted sources. Reviewed quarterly.
GitHub Dependabot and npm audit run on every pull request. Critical vulnerabilities blocked from merge. Weekly automated dependency update PRs.
PHI audit logs (who accessed which patient record, when, and from where) are retained for 7 years per PHIPA standards. Operational access logs (API calls, server events) are retained for 90 days and rotated. All logs are append-only and immutable.
Enterprise prospects can request our full security package: DPA, PHIPA ISA, OWASP ZAP report, penetration test summary, and SOC 2 bridge letter. Contact us to start the process.