Healthcare Data Processing Agreement
NUAMP — Cloud Productivity & AI Service
Last updated: June 20, 2026
Canadian Data Sovereignty
The NUAMP service is designed and operated so that your content — including any personal health information it contains — is processed and stored on Canadian infrastructure under the exclusive control of Northern Health Innovations Inc. AI features run on locally deployed models on NORHI-controlled hardware, and NORHI does not transmit your content to any third-party AI service or model provider.
This DPA governs personal health information held within the NUAMP productivity platform (email, calendar, tasks, documents, and related content). Personal health information processed through the NORHI Scribe clinical documentation tool is governed by the separate NORHI Scribe Healthcare Data Processing Agreement.
1. Introduction and Scope
(a) This Healthcare Data Processing Agreement ("DPA") establishes the terms under which Northern Health Innovations Inc. ("NORHI", "Processor") processes personal health information on behalf of the customer ("Custodian", "you") in connection with the NUAMP cloud productivity and AI service, including its email, calendar, task management, document, AI-assisted retrieval, voice-to-text, and inference features (collectively, the "Service").
(b) This DPA supplements and is incorporated by reference into the NUAMP Terms of Use (the "Principal Agreement"). In the event of a conflict between this DPA and the Principal Agreement with respect to the processing of personal health information, this DPA shall govern.
(c) This DPA applies whenever the Service is used to process personal health information as defined under applicable Canadian health privacy legislation, including the Personal Health Information Protection Act, 2004 (Ontario) ("PHIPA"), the Health Information Act (Alberta) ("HIA"), and the health-sector provisions of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). Because NUAMP is a general productivity service that the Custodian controls, personal health information may be introduced into the Service through Customer Content such as email messages, calendar entries, tasks, contacts, and documents.
(d) Relationship to the NORHI Scribe DPA. Where the Custodian's subscription also includes the NORHI Scribe clinical documentation tool, personal health information processed through Scribe (clinical audio, transcriptions, and AI-generated clinical notes) is governed by the NORHI Scribe Healthcare Data Processing Agreement, not this DPA. Each DPA governs personal health information within its respective Service; neither displaces the other, and there is no gap between them.
(e) This DPA takes effect automatically upon the Custodian's first use of the Service to process personal health information and remains in effect for the duration of the Principal Agreement and for as long as NORHI retains any personal health information on behalf of the Custodian.
2. Definitions
In addition to terms defined in the Principal Agreement, the following definitions apply to this DPA:
"Custodian" means the health information custodian (as defined under PHIPA), custodian (as defined under HIA), or equivalent controller under applicable health privacy legislation, who determines the purposes and means of processing personal health information through the Service.
"Customer Content" means the content the Custodian or its authorized users create, upload, send, receive, or store through the Service, including email, calendar entries, tasks, contacts, documents, and other data.
"Personal Health Information" or "PHI" means information about an identifiable individual that relates to the individual's physical or mental health, the provision of health care to the individual, the individual's health number, or identification of a health care provider, as defined under PHIPA, HIA, or equivalent provincial legislation. For the purposes of this DPA, PHI means such information wherever it appears within Customer Content processed through the Service — for example, a patient's name in a calendar appointment, a task referencing a patient, or clinical content within an email or document.
"Privacy Breach" means the theft, loss, or unauthorized access to, use, disclosure, copying, or modification of PHI, whether or not the PHI has been used or further disclosed.
"Processor" means NORHI, acting as an agent or service provider of the Custodian for the purpose of processing PHI through the Service.
3. Roles and Responsibilities
(a) Custodian. The Custodian is and remains the health information custodian (or equivalent) of all PHI processed through the Service. The Custodian determines the purposes for which PHI is collected, used, and disclosed. The Custodian is responsible for:
- Determining the lawful basis for, and obtaining any required consent for, the collection, use, and disclosure of PHI introduced into the Service;
- Deciding what PHI, if any, to store within Customer Content, and configuring access for its authorized users accordingly;
- Responding to patient access, correction, and complaint requests under applicable health privacy legislation;
- Ensuring that all authorized users are permitted to access PHI and are bound by appropriate confidentiality obligations;
- Maintaining its own clinical system of record, as NUAMP is a general productivity service and not a designated clinical record; and
- Complying with all applicable professional regulatory requirements regarding the handling of PHI.
(b) Processor. NORHI processes PHI solely on behalf of and under the instructions of the Custodian for the purpose of providing the Service. NORHI does not determine the purposes or means of processing PHI. NORHI acts as an agent of the Custodian within the meaning of PHIPA Section 17(1) or as a service provider within the meaning of equivalent provisions under HIA and PIPEDA.
4. Processing of Personal Health Information
(a) Purpose Limitation. NORHI shall process PHI contained in Customer Content only for the following purposes:
- Storing, transmitting, synchronizing, and making available Customer Content (email, calendar, tasks, contacts, and documents) so that it remains accessible to the Custodian and its authorized users;
- Providing AI-assisted features (such as retrieval, voice-to-text, and inference) over Customer Content at the Custodian's direction, using locally deployed models on NORHI-controlled hardware; and
- Performing technical operations necessary to provide the Service (authentication, session management, synchronization, and audit logging).
NORHI shall not process PHI for any other purpose without the Custodian's prior written instruction.
(b) No Secondary Use. NORHI does not use PHI to:
- Fine-tune AI models or otherwise modify model weights;
- Train, develop, or improve any AI or machine learning system;
- Conduct research, analytics, or statistical analysis (except aggregate, de-identified usage statistics that do not constitute PHI);
- Deploy advertising or behavioural tracking;
- Market products or services to patients or Custodians; or
- Any purpose other than providing the Service to the Custodian.
(c) Instructions. NORHI processes PHI in accordance with the Custodian's documented instructions as embodied in the Principal Agreement and this DPA. If NORHI believes that an instruction from the Custodian would violate applicable health privacy legislation, NORHI shall promptly notify the Custodian.
5. Infrastructure and Data Sovereignty
(a) Canadian Infrastructure. PHI is processed and stored on Canadian infrastructure under the exclusive control of NORHI. NORHI does not use a public cloud provider to process or store PHI.
(b) No Cross-Border Transfer. The Service is designed and operated so that PHI is not transferred, transmitted, stored, or otherwise made accessible outside Canada, and NORHI does not do so except as required by law. This commitment is implemented across the components of the Service, including storage, synchronization, AI processing, backups, and disaster recovery. An isolated, inadvertent technical event that NORHI promptly remediates and that results in no unauthorized access to, use of, or disclosure of PHI will be addressed through the incident-response process in this DPA and will not, in itself, constitute a breach of this Section.
(c) AI Inference. All AI inference (including retrieval, voice-to-text, and inference features) is performed using locally deployed models on NORHI-controlled hardware within Canada. No PHI is transmitted to any third-party AI service or public cloud provider.
(d) Network Architecture. The Service operates on infrastructure protected by:
- Network-level segmentation (separate application, database, and storage networks);
- WireGuard encrypted mesh networking between infrastructure nodes;
- TLS encryption for all data in transit; and
- Logical data isolation between Custodians.
6. Data Retention and Deletion
NUAMP is a system of record for the Customer Content the Custodian creates and stores in it. Unlike the NORHI Scribe clinical tool — which deletes clinical data within a fixed 90-day window — Customer Content in NUAMP is retained so that it remains available to the Custodian, and is deleted under the Custodian's control or on termination, as set out below.
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Customer Content (email, calendar, tasks, contacts, documents) | Retained for the duration of the subscription, or until the Custodian deletes it | Deleted on Custodian action, or on termination per (c) below |
| Account data (email, name, login history) | Duration of subscription + 90 days | Permanent deletion after retention period |
| Audit logs | Duration of subscription + 90 days | Permanent deletion after retention period |
| Encrypted backups | Subject to same schedules as primary data | Cascading deletion per backup rotation |
(a) The Custodian controls the retention of PHI it stores in Customer Content and may delete that content at any time through the Service. NORHI does not impose a fixed deletion window on Customer Content while the subscription is active.
(b) Upon termination of the Principal Agreement, NORHI shall delete all remaining Customer Content (including any PHI it contains) within ninety (90) days, except where the Custodian has exported or requested return of that content beforehand, and except for backups, which are deleted on their rotation schedule.
(c) NORHI may retain PHI beyond the stated retention periods only where required by applicable law, and only for so long as required. Any such retained PHI remains subject to the protections of this DPA.
7. Security Safeguards
NORHI implements the following technical, administrative, and physical safeguards to protect PHI, consistent with the requirement under PHIPA to take steps that are "reasonable in the circumstances" to protect PHI, and the requirement under HIA to establish "reasonable safeguards":
7.1 Technical Safeguards
- TLS encryption for all data in transit
- Encrypted database connections
- Mandatory two-factor authentication (TOTP) for all user accounts
- Minimum 12-character password requirement with account lockout after five failed attempts
- Session timeout after a period of inactivity
- Logical data isolation between Custodians (each Custodian's data is logically separated; no other user or Custodian can access another Custodian's PHI)
- Network-level segmentation of application, database, and storage components
- WireGuard encrypted mesh networking between infrastructure nodes
7.2 Administrative Safeguards
- NORHI personnel with access to systems that process PHI are bound by confidentiality agreements
- Access to PHI is restricted on a need-to-know basis; NORHI administrators cannot access Custodian PHI without explicit authorization, except as required by law
- Complete audit trail of all account and data access events
- Documented security incident response procedures
- Regular security reviews and vulnerability assessments
7.3 Physical Safeguards
- Infrastructure housed in Canadian colocation facilities with physical access controls, surveillance, and environmental protections
- No PHI stored on portable media or devices outside of secured infrastructure
7.4 Endpoint Security (Custodian Responsibility)
The safeguards in Sections 7.1 through 7.3 apply to PHI processed on NORHI infrastructure. The Custodian is responsible for the security of every device used by the Custodian, or by the Custodian's agents or delegates, to access the Service. The Custodian shall ensure that each such device is: (i) kept current with operating-system and application security updates; (ii) protected by full-disk encryption; (iii) configured to lock automatically after a short period of inactivity and to require a password, passcode, PIN, or biometric to unlock; and (iv) capable of being remotely locked and wiped if it is lost or stolen. This responsibility may be discharged by the Custodian or a delegate of the Custodian, but the Custodian remains accountable for it under PHIPA, HIA, and other applicable health-information legislation. NORHI's technical safeguards do not extend to these endpoint access devices, which remain under the Custodian's control.
8. Sub-processors
(a) As of the effective date of this DPA, NORHI does not use sub-processors for the processing of PHI. All PHI processing is performed by NORHI's own infrastructure and personnel.
(b) NORHI uses Helcim Inc., a Canadian payment processor, solely for the purpose of processing subscription payments. Helcim does not receive, access, or process PHI.
(c) If NORHI engages a sub-processor for PHI processing in the future, NORHI shall: (i) provide the Custodian with at least 30 days' prior written notice; (ii) ensure the sub-processor is bound by data protection obligations no less protective than those in this DPA; (iii) ensure the sub-processor processes PHI only within Canada; and (iv) remain fully liable for the acts and omissions of its sub-processors.
(d) The Custodian may object to a new sub-processor by providing written notice to NORHI within 15 days of receiving notification. If the objection cannot be resolved, the Custodian may terminate the Principal Agreement without penalty.
9. Privacy Breach Notification
(a) Notification to Custodian. If NORHI becomes aware of a Privacy Breach involving PHI, NORHI shall notify the Custodian at the first reasonable opportunity, and in any event within 72 hours of becoming aware of the breach.
(b) Content of Notification. The notification shall include, to the extent known:
- A description of the nature of the breach, including the categories and approximate number of records affected;
- The date or estimated date of the breach;
- A description of the PHI involved (in general terms, without reproducing the PHI);
- An assessment of the risk of harm to individuals;
- A description of the measures NORHI has taken or proposes to take to address the breach and mitigate harm; and
- The name and contact information of NORHI's designated contact for the breach.
(c) Cooperation. NORHI shall provide reasonable cooperation and assistance to the Custodian in:
- Investigating and remediating the breach;
- Fulfilling the Custodian's breach notification obligations to affected individuals and regulators under PHIPA (Section 12(2)), HIA (Section 60.1), PIPEDA, or other applicable legislation;
- Communicating with the Information and Privacy Commissioner of Ontario, the Information and Privacy Commissioner of Alberta, the Office of the Privacy Commissioner of Canada, or other relevant regulators; and
- Documenting the breach for the Custodian's records.
(d) Custodian's Obligations. The Custodian retains responsibility for determining whether a Privacy Breach constitutes a "significant" breach requiring notification under PHIPA or other applicable legislation, and for providing notification to affected individuals and regulators as required by law.
10. Access, Correction, and Complaints
(a) The Custodian is responsible for responding to patient requests for access to, or correction of, their PHI under applicable health privacy legislation.
(b) Because NUAMP is a system of record that retains Customer Content for the duration of the subscription, PHI the Custodian has stored in the Service generally remains available to the Custodian to locate, export, correct, or delete in responding to such requests.
(c) If NORHI receives a request or complaint directly from a patient relating to PHI processed on behalf of the Custodian, NORHI shall promptly redirect the request to the Custodian and shall not respond to the patient directly except to acknowledge receipt and redirect.
11. Audit and Compliance
(a) NORHI shall maintain records of its processing activities under this DPA sufficient to demonstrate compliance with applicable health privacy legislation.
(b) Upon reasonable written request (no more than once per year), NORHI shall make available to the Custodian information necessary to demonstrate compliance with this DPA, which may include: a summary of security safeguards in place, confirmation of data location and infrastructure controls, sub-processor status, and breach notification records relating to the Custodian.
(c) Where required by applicable health privacy legislation or by order of a regulatory authority, NORHI shall cooperate with audits or inspections relating to the Custodian's PHI, subject to reasonable advance notice and scope limitations to protect the security and confidentiality of NORHI's systems and other Custodians' data.
12. Not a Medical Device; No Clinical Advice
(a) The Service is a general productivity and AI tool. It is not a medical device and is not intended for use in diagnosing, treating, mitigating, or preventing a disease, disorder, or abnormal physical state, or any of their symptoms. The Service is not licensed under the Food and Drugs Act (Canada) or the Medical Devices Regulations, and provides no diagnostic, treatment, or clinical decision-support output.
(b) Any AI-generated output is an aid only and must be reviewed by the Custodian or its authorized users before any reliance. NORHI does not provide medical advice, diagnosis, or treatment recommendations.
(c) The Custodian is solely responsible for all clinical decisions, documentation, and patient care, including decisions made with or without reference to outputs generated by the Service.
13. Provincial Legislation — Specific Provisions
13.1 PHIPA (Ontario)
(a) Where the Custodian is a health information custodian as defined under PHIPA, NORHI acts as an agent of the Custodian within the meaning of PHIPA Section 17(1). NORHI shall comply with the conditions and restrictions imposed by the Custodian on the use and disclosure of PHI and shall not use or disclose PHI except as permitted by the Custodian or as required by law.
(b) NORHI shall notify the Custodian at the first reasonable opportunity if NORHI becomes aware that any condition or restriction imposed by the Custodian has been contravened.
(c) For the purposes of PHIPA Section 12(2) (breach notification), NORHI shall provide notification and cooperation as described in Section 9 of this DPA.
13.2 HIA (Alberta)
(a) Where the Custodian is subject to the Health Information Act (Alberta), NORHI acts as an information manager within the meaning of HIA. The terms of this DPA satisfy the requirements of HIA Section 66(2) for an agreement with an information manager.
(b) NORHI shall comply with HIA and the regulations thereunder in its handling of health information on behalf of the Custodian.
(c) For the purposes of HIA Section 60.1 (duty to notify), NORHI shall provide notification and cooperation as described in Section 9 of this DPA.
13.3 PIPEDA (Health Sector)
(a) Where the Custodian operates in a jurisdiction where health information is governed by PIPEDA or where PIPEDA applies to the commercial collection, use, or disclosure of personal health information, NORHI's obligations under this DPA are designed to support the Custodian's compliance with PIPEDA Principles, including accountability, purpose limitation, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance.
(b) NORHI shall support the Custodian's accountability obligations by maintaining the safeguards, breach notification procedures, and processing limitations described in this DPA.
14. Term and Termination
(a) This DPA takes effect upon the Custodian's first use of the Service to process PHI and continues for the duration of the Principal Agreement.
(b) Upon termination of the Principal Agreement, the provisions of this DPA shall survive to the extent necessary to address any PHI still held by NORHI, and shall continue to apply until all PHI has been deleted in accordance with Section 6.
(c) Sections 4(b) (No Secondary Use), 5 (Infrastructure and Data Sovereignty), 6 (Data Retention and Deletion), 7 (Security Safeguards), 9 (Privacy Breach Notification), 10 (Access, Correction, and Complaints), 11 (Audit and Compliance), and 12 (Not a Medical Device) survive termination of this DPA.
15. Contact
For questions regarding this DPA or NORHI's processing of personal health information:
Northern Health Innovations Inc.
Attention: Privacy Officer
5600-100 King Street West
Toronto, Ontario M5X 1A9
Canada
Email: privacy@norhi.ca
Phone: (647) 601-5499
Toll-free: (844) 283-3615