Healthcare Data Processing Agreement
NORHI Scribe — AI Clinical Documentation
Last updated: March 26, 2026
Canadian Data Sovereignty
The NORHI Scribe service is designed and operated so that personal health information is processed and stored on Canadian infrastructure under the exclusive control of Northern Health Innovations Inc. AI inference is performed using locally deployed models on NORHI-controlled hardware, and NORHI does not transmit such data to any third-party AI service or model provider.
Audio from clinical encounters is processed in memory and, by design, is not written to disk, object storage, or other persistent medium. Only the resulting text transcription is stored.
1. Introduction and Scope
(a) This Healthcare Data Processing Agreement ("DPA") establishes the terms under which Northern Health Innovations Inc. ("NORHI", "Processor") processes personal health information on behalf of the customer ("Custodian", "you") in connection with the NORHI Scribe clinical documentation service ("Service").
(b) This DPA supplements and is incorporated by reference into: (i) the NORHI Scribe Software-as-a-Service Agreement; or (ii) the NORHI Scribe Terms of Service, as applicable (each, the "Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement with respect to the processing of personal health information, this DPA shall govern.
(c) This DPA applies whenever the Service is used to process personal health information as defined under applicable Canadian health privacy legislation, including the Personal Health Information Protection Act, 2004 (Ontario) ("PHIPA"), the Health Information Act (Alberta) ("HIA"), and the health-sector provisions of the Personal Information Protection and Electronic Documents Act ("PIPEDA").
(d) This DPA takes effect automatically upon the Custodian's first use of the Service to process personal health information and remains in effect for the duration of the Principal Agreement and for as long as NORHI retains any personal health information on behalf of the Custodian.
2. Definitions
In addition to terms defined in the Principal Agreement, the following definitions apply to this DPA:
"Custodian" means the health information custodian (as defined under PHIPA), custodian (as defined under HIA), or equivalent controller under applicable health privacy legislation, who determines the purposes and means of processing personal health information through the Service.
"Personal Health Information" or "PHI" means information about an identifiable individual that relates to the individual's physical or mental health, the provision of health care to the individual, the individual's health number, or identification of a health care provider, as defined under PHIPA, HIA, or equivalent provincial legislation. For the purposes of this DPA, PHI includes audio from clinical encounters (which is processed transiently in memory as described in Section 5(c)), transcriptions, AI-generated clinical notes, hand notes, and encounter metadata processed through the Service.
"Privacy Breach" means the theft, loss, or unauthorized access to, use, disclosure, copying, or modification of PHI, whether or not the PHI has been used or further disclosed.
"Processor" means NORHI, acting as an agent or service provider of the Custodian for the purpose of processing PHI through the Service.
3. Roles and Responsibilities
(a) Custodian. The Custodian is and remains the health information custodian (or equivalent) of all PHI processed through the Service. The Custodian determines the purposes for which PHI is collected, used, and disclosed. The Custodian is responsible for:
- Obtaining informed consent from patients before recording clinical encounters, including consent to the use of AI-assisted documentation;
- Determining the lawful basis for the collection, use, and disclosure of PHI;
- Responding to patient access, correction, and complaint requests under applicable health privacy legislation;
- Ensuring that all Clinician Users are authorized to access PHI and are bound by appropriate confidentiality obligations;
- Reviewing and verifying all AI-generated clinical notes before incorporating them into patient records;
- Exporting or transferring Clinical Data to the Custodian's permanent medical records within the 90-day retention period; and
- Complying with all applicable professional regulatory requirements regarding AI-assisted clinical documentation.
(b) Processor. NORHI processes PHI solely on behalf of and under the instructions of the Custodian for the purpose of providing the Service. NORHI does not determine the purposes or means of processing PHI. NORHI acts as an agent of the Custodian within the meaning of PHIPA Section 17(1) or as a service provider within the meaning of equivalent provisions under HIA and PIPEDA.
4. Processing of Personal Health Information
(a) Purpose Limitation. NORHI shall process PHI only for the following purposes:
- Receiving audio segments from clinical encounters and processing them transiently in server memory using locally deployed speech recognition models to produce text transcriptions (audio is not written to disk or any persistent storage at any point);
- Generating structured clinical notes (SOAP notes, consult notes, brief communications) using locally deployed AI models;
- Storing transcriptions, clinical notes, and encounter metadata temporarily to enable the Custodian to review, edit, and export clinical documentation; and
- Performing technical operations necessary to provide the Service (authentication, session management, audit logging).
NORHI shall not process PHI for any other purpose without the Custodian's prior written instruction.
(b) No Secondary Use. NORHI does not use PHI to:
- Fine-tune AI models or otherwise modify model weights;
- Train, develop, or improve any AI or machine learning system;
- Conduct research, analytics, or statistical analysis (except aggregate, de-identified usage statistics that do not constitute PHI);
- Market products or services to patients or Custodians; or
- Any purpose other than providing the Service to the Custodian.
(c) Instructions. NORHI processes PHI in accordance with the Custodian's documented instructions as embodied in the Principal Agreement and this DPA. If NORHI believes that an instruction from the Custodian would violate applicable health privacy legislation, NORHI shall promptly notify the Custodian.
5. Infrastructure and Data Sovereignty
(a) Canadian Infrastructure. PHI is processed and stored on Canadian infrastructure under the exclusive control of NORHI. NORHI does not use a public cloud provider to process or store PHI.
(b) No Cross-Border Transfer. The Service is designed and operated so that PHI is not transferred, transmitted, stored, or otherwise made accessible outside Canada, and NORHI does not do so except as required by law. This commitment is implemented across the components of the Service, including audio processing, transcription, note generation, storage, backups, and disaster recovery. An isolated, inadvertent technical event that NORHI promptly remediates and that results in no unauthorized access to, use of, or disclosure of PHI will be addressed through the incident-response process in this DPA and will not, in itself, constitute a breach of this Section.
(c) Audio Processing. Audio from clinical encounters is captured in short segments in the Clinician's browser and transmitted to NORHI's on-premises servers via encrypted connection. Each audio segment is held in server memory (RAM) only for the duration of speech recognition processing (typically seconds). Upon completion of transcription, the audio data in memory is released and garbage collected. By design, audio is not written to disk, object storage, database, backup media, or other persistent medium, and NORHI does not create, store, or retain audio files in the processing pipeline.
(d) AI Inference. All AI inference (speech recognition and clinical note generation) is performed using locally deployed models on NORHI-controlled hardware within Canada. No PHI is transmitted to any third-party AI service or public cloud provider.
(e) Network Architecture. The Service operates on infrastructure protected by:
- Network-level segmentation (separate application, database, and storage networks);
- WireGuard encrypted mesh networking between infrastructure nodes;
- TLS encryption for all data in transit; and
- Logical data isolation between Custodians.
6. Data Retention and Deletion
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Audio from clinical encounters | Not retained; processed in memory only | Released from server memory immediately after transcription; never persisted |
| Transcriptions | 90 days from creation | Deleted within 90 days; irrecoverable |
| AI-generated clinical notes | 90 days from creation | Deleted within 90 days; irrecoverable |
| Hand notes | 90 days from creation | Deleted within 90 days; irrecoverable |
| Encounter metadata | 90 days from creation | Deleted within 90 days; irrecoverable |
| Account data (email, name, login history) | Duration of subscription + 90 days | Permanent deletion after retention period |
| Audit logs | Duration of subscription + 90 days | Permanent deletion after retention period |
| Encrypted backups | Subject to same schedules as primary data | Cascading deletion per backup rotation |
(a) The 90-day deletion limit for Clinical Data is a fundamental retention control of the Service and cannot be extended. This ensures that PHI is not retained beyond the period necessary for the Custodian to review and export clinical documentation.
(b) Audio from clinical encounters is not included in backups or any persistent storage, as it exists only transiently in server memory during processing.
(c) Upon termination of the Principal Agreement, NORHI shall delete all remaining PHI in accordance with the retention schedules above. Clinical Data that has already been deleted prior to termination cannot be recovered.
(d) NORHI may retain PHI beyond the stated retention periods only where required by applicable law, and only for so long as required. Any such retained PHI remains subject to the protections of this DPA.
7. Security Safeguards
NORHI implements the following technical, administrative, and physical safeguards to protect PHI, consistent with the requirement under PHIPA to take steps that are "reasonable in the circumstances" to protect PHI, and the requirement under HIA to establish "reasonable safeguards":
7.1 Technical Safeguards
- TLS encryption for all data in transit, including audio segments transmitted from the browser to NORHI servers
- Encrypted database connections
- In-memory-only audio processing with no persistence to disk or object storage
- Mandatory two-factor authentication (TOTP) for all user accounts
- Minimum 12-character password requirement with account lockout after five failed attempts
- Session timeout after eight (8) hours of inactivity
- Deletion of text-based clinical data no later than 90 days after creation
- Logical data isolation between Custodians (each Custodian's data is logically separated; no other user or Custodian can access another Custodian's PHI)
- Network-level segmentation of application, database, and storage components
- WireGuard encrypted mesh networking between infrastructure nodes
7.2 Administrative Safeguards
- NORHI personnel with access to systems that process PHI are bound by confidentiality agreements
- Access to PHI is restricted on a need-to-know basis; NORHI administrators cannot access Custodian PHI without explicit authorization, except as required by law
- Complete audit trail of all account and data access events
- Documented security incident response procedures
- Regular security reviews and vulnerability assessments
7.3 Physical Safeguards
- Infrastructure housed in Canadian colocation facilities with physical access controls, surveillance, and environmental protections
- No PHI stored on portable media or devices outside of secured infrastructure
7.4 Endpoint Security (Custodian Responsibility)
The safeguards in Sections 7.1 through 7.3 apply to PHI processed on NORHI infrastructure. The Custodian is responsible for the security of every device used by the Custodian, or by the Custodian's agents or delegates, to access the Service. The Custodian shall ensure that each such device is: (i) kept current with operating-system and application security updates; (ii) protected by full-disk encryption; (iii) configured to lock automatically after a short period of inactivity and to require a password, passcode, PIN, or biometric to unlock; and (iv) capable of being remotely locked and wiped if it is lost or stolen. This responsibility may be discharged by the Custodian or a delegate of the Custodian, but the Custodian remains accountable for it under PHIPA, HIA, and other applicable health-information legislation. NORHI's technical safeguards do not extend to these endpoint access devices, which remain under the Custodian's control.
8. Sub-processors
(a) As of the effective date of this DPA, NORHI does not use sub-processors for the processing of PHI. All PHI processing is performed by NORHI's own infrastructure and personnel.
(b) NORHI uses Helcim Inc., a Canadian payment processor, solely for the purpose of processing subscription payments. Helcim does not receive, access, or process PHI.
(c) If NORHI engages a sub-processor for PHI processing in the future, NORHI shall: (i) provide the Custodian with at least 30 days' prior written notice; (ii) ensure the sub-processor is bound by data protection obligations no less protective than those in this DPA; (iii) ensure the sub-processor processes PHI only within Canada; and (iv) remain fully liable for the acts and omissions of its sub-processors.
(d) The Custodian may object to a new sub-processor by providing written notice to NORHI within 15 days of receiving notification. If the objection cannot be resolved, the Custodian may terminate the Principal Agreement without penalty.
9. Privacy Breach Notification
(a) Notification to Custodian. If NORHI becomes aware of a Privacy Breach involving PHI, NORHI shall notify the Custodian at the first reasonable opportunity, and in any event within 72 hours of becoming aware of the breach.
(b) Content of Notification. The notification shall include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of records affected;
- The date or estimated date of the breach;
- A description of the PHI involved (in general terms, without reproducing the PHI);
- An assessment of the risk of harm to individuals;
- A description of the measures NORHI has taken or proposes to take to address the breach and mitigate harm; and
- The name and contact information of NORHI's designated contact for the breach.
(c) Cooperation. NORHI shall provide reasonable cooperation and assistance to the Custodian in:
- Investigating and remediating the breach;
- Fulfilling the Custodian's breach notification obligations to affected individuals and regulators under PHIPA (Section 12(2)), HIA (Section 60.1), PIPEDA, or other applicable legislation;
- Communicating with the Information and Privacy Commissioner of Ontario, the Information and Privacy Commissioner of Alberta, the Office of the Privacy Commissioner of Canada, or other relevant regulators; and
- Documenting the breach for the Custodian's records.
(d) Custodian's Obligations. The Custodian retains responsibility for determining whether a Privacy Breach constitutes a "significant" breach requiring notification under PHIPA or other applicable legislation, and for providing notification to affected individuals and regulators as required by law.
10. Access, Correction, and Complaints
(a) The Custodian is responsible for responding to patient requests for access to, or correction of, their PHI under applicable health privacy legislation.
(b) NORHI shall provide reasonable assistance to the Custodian in responding to such requests, including providing the Custodian with access to PHI held within the Service to the extent it has not been deleted.
(c) Given the 90-day deletion of Clinical Data and the fact that audio is not retained in any form, the Custodian acknowledges that PHI may no longer be available within the Service at the time a patient request is received. The Custodian is responsible for exporting and maintaining clinical documentation in its own systems of record.
(d) If NORHI receives a request or complaint directly from a patient relating to PHI processed on behalf of the Custodian, NORHI shall promptly redirect the request to the Custodian and shall not respond to the patient directly except to acknowledge receipt and redirect.
11. Audit and Compliance
(a) NORHI shall maintain records of its processing activities under this DPA sufficient to demonstrate compliance with applicable health privacy legislation.
(b) Upon reasonable written request (no more than once per year), NORHI shall make available to the Custodian information necessary to demonstrate compliance with this DPA, which may include: a summary of security safeguards in place, confirmation of data location and infrastructure controls, sub-processor status, and breach notification records relating to the Custodian.
(c) Where required by applicable health privacy legislation or by order of a regulatory authority, NORHI shall cooperate with audits or inspections relating to the Custodian's PHI, subject to reasonable advance notice and scope limitations to protect the security and confidentiality of NORHI's systems and other Custodians' data.
12. Not a Medical Device; No Clinical Advice
(a) The Service is not a medical device and is not intended for use in diagnosing, treating, mitigating, or preventing a disease, disorder, or abnormal physical state, or any of their symptoms. The Service is not licensed under the Food and Drugs Act (Canada) or the Medical Devices Regulations. The Service provides no diagnostic, treatment, or clinical decision-support output and generates draft documentation only; consistent with subsection (b), every output is subject to independent review and approval by the Custodian or a Clinician User, exercising independent professional judgment, before any clinical use. The Service is therefore not intended to function as, and does not function as, a medical device.
(b) AI-generated clinical notes are a documentation aid only. All outputs must be reviewed, edited, and approved by the Custodian or its Clinician Users before use in any patient record, chart, or clinical communication. NORHI does not provide medical advice, diagnosis, or treatment recommendations.
(c) The Custodian is solely responsible for all clinical decisions, documentation, and patient care, including decisions made with or without reference to outputs generated by the Service.
13. Provincial Legislation — Specific Provisions
13.1 PHIPA (Ontario)
(a) Where the Custodian is a health information custodian as defined under PHIPA, NORHI acts as an agent of the Custodian within the meaning of PHIPA Section 17(1). NORHI shall comply with the conditions and restrictions imposed by the Custodian on the use and disclosure of PHI and shall not use or disclose PHI except as permitted by the Custodian or as required by law.
(b) NORHI shall notify the Custodian at the first reasonable opportunity if NORHI becomes aware that any condition or restriction imposed by the Custodian has been contravened.
(c) For the purposes of PHIPA Section 12(2) (breach notification), NORHI shall provide notification and cooperation as described in Section 9 of this DPA.
13.2 HIA (Alberta)
(a) Where the Custodian is subject to the Health Information Act (Alberta), NORHI acts as an information manager within the meaning of HIA. The terms of this DPA satisfy the requirements of HIA Section 66(2) for an agreement with an information manager.
(b) NORHI shall comply with HIA and the regulations thereunder in its handling of health information on behalf of the Custodian.
(c) For the purposes of HIA Section 60.1 (duty to notify), NORHI shall provide notification and cooperation as described in Section 9 of this DPA.
13.3 PIPEDA (Health Sector)
(a) Where the Custodian operates in a jurisdiction where health information is governed by PIPEDA or where PIPEDA applies to the commercial collection, use, or disclosure of personal health information, NORHI's obligations under this DPA are designed to support the Custodian's compliance with PIPEDA Principles, including accountability, purpose limitation, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance.
(b) NORHI shall support the Custodian's accountability obligations by maintaining the safeguards, breach notification procedures, and processing limitations described in this DPA.
14. Term and Termination
(a) This DPA takes effect upon the Custodian's first use of the Service to process PHI and continues for the duration of the Principal Agreement.
(b) Upon termination of the Principal Agreement, the provisions of this DPA shall survive to the extent necessary to address any PHI still held by NORHI, and shall continue to apply until all PHI has been deleted in accordance with Section 6.
(c) Sections 4(b) (No Secondary Use), 5 (Infrastructure and Data Sovereignty), 6 (Data Retention and Deletion), 7 (Security Safeguards), 9 (Privacy Breach Notification), 10 (Access, Correction, and Complaints), 11 (Audit and Compliance), and 12 (Not a Medical Device) survive termination of this DPA.
15. Contact
For questions regarding this DPA or NORHI's processing of personal health information:
Northern Health Innovations Inc.
Attention: Privacy Officer
5600-100 King Street West
Toronto, Ontario M5X 1A9
Canada
Email: privacy@norhi.ca
Phone: (647) 601-5499
Toll-free: (844) 283-3615