Canadian data sovereignty · PIPEDA · Law 25 · PHIPA · AES-256 · TLS 1.3

Why Canadian healthcare providers trust MOVO-X.

Trust in a healthcare technology vendor requires more than a privacy policy page. It requires verifiable architecture decisions, documented compliance frameworks, and a clear accountability chain. Here is ours.

Data Sovereignty

Your patient data never leaves Canada.

All MOVO-X patient data — structured records, consent logs, health card scans, triage summaries, audit logs — is stored exclusively in AWS ca-central-1 (Montréal, Canada). There is no cross-border data transfer to US or other foreign jurisdictions.

  • Database: Supabase Postgres 17, region ca-central-1 (Montréal)
  • Application: Vercel region yul1 (Montréal)
  • No US-hosted third-party APIs receive patient data
  • Zero US CLOUD Act exposure for patient PHI
Encryption

Industry-standard encryption, everywhere.

Patient data is encrypted at rest and in transit using current industry standards. No unencrypted patient data exists anywhere in the MOVO-X stack.

  • AES-256 encryption at rest (database + blob storage)
  • TLS 1.3 in transit (downgrade to TLS 1.2 only where required)
  • HSTS (max-age=63,072,000; includeSubDomains) enforced
  • Application-level envelope encryption for PII fields

Canadian compliance framework.

PIPEDA
Active

All plans comply with the federal Personal Information Protection and Electronic Documents Act. PIPEDA Schedule 1 10 principles implemented. Signed DPA on request.

Learn more →
Quebec Law 25
Active

All 22 Law 25 requirements implemented: PIA, data minimisation, 72h breach notification to Commission d'accès à l'information, transfer prohibitions, DPO on record.

Learn more →
PHIPA (Ontario)
Enterprise

PHIPA Information Sharing Agreement (ISA) and attestation letter provided with Enterprise contracts. PHIPA Officer designated.

Learn more →
BC PIPA / AB PIPA
Active

British Columbia Personal Information Protection Act and Alberta PIPA requirements satisfied. Available as addendum to standard DPA.

Learn more →
OWASP ZAP
Tested

OWASP Zed Attack Proxy (ZAP) automated security scan completed. Results available to Enterprise prospects under NDA.

Learn more →
SOC 2 Type II
In progress

SOC 2 Type II audit engagement underway with a Canadian-accredited auditor. Expected completion Q4 2026. Bridge letter available on request.

Learn more →

Security architecture.

Row-Level Security (RLS)

Every database table has Postgres Row-Level Security (RLS) enabled. The anonymous key cannot read any row — not a configuration option, but enforced at the database engine level.

JWT authentication

Custom HS256 JWT issued per user/kiosk. Stored in httpOnly, sameSite=lax, secure-flagged cookies. No token in localStorage. 15-minute access token + rotating refresh token.

Kiosk HMAC signing

Kiosk devices authenticate with an API key + HMAC signature. Each kiosk is registered to a specific clinic. A compromised kiosk cannot access other clinics' data.

Content Security Policy

Strict CSP headers block XSS by default. No inline styles or scripts outside of explicitly allowlisted sources. Reviewed quarterly.

Dependency scanning

GitHub Dependabot and npm audit run on every pull request. Critical vulnerabilities blocked from merge. Weekly automated dependency update PRs.

Audit logging

PHI audit logs (who accessed which patient record, when, and from where) are retained for 7 years per PHIPA standards. Operational access logs (API calls, server events) are retained for 90 days and rotated. All logs are append-only and immutable.

Security documentation available on request.

Enterprise prospects can request our full security package: DPA, PHIPA ISA, OWASP ZAP report, penetration test summary, and SOC 2 bridge letter. Contact us to start the process.