Trust Center

Your patient data is handled with care.

Your data is kept separate, every action is logged, and your team reviews the setup with us before anything goes live.

1
Your data stays separate

Demo data and your real patient data never mix. We can scope Canadian hosting and data residency before you launch.

2
Every action is logged

Access, reviews, and workflow events are recorded. Roles, sign-in, and break-glass access are set up for your team.

3
Reviewed with you first

Your legal, privacy, and security teams review the setup with us. Nothing goes live until you approve it.

Built for Canadian healthcare with PHIPA-aware deployment planning. Ask about Canada / PHIPA readiness

The details
What we review before you launch
Data flow & environments
Requires integrationStatus: Requires integration

Separate demo vs production data. Vitruviana can support Canada / PHIPA-oriented deployment review artifacts, but final compliance depends on customer-specific hosting, retention, subprocessors, agreements, clinic policies, safeguards, audit logging, and legal/privacy/security review before production use.

Access controls
Requires integrationStatus: Requires integration

Deployment review can cover role-based access control (RBAC), MFA options, audit logging, and break-glass procedures for sensitive workflows.

Retention & deletion
Requires integrationStatus: Requires integration

Retention windows and deletion workflows are configured by deployment, contract, and applicable jurisdiction.

Subprocessors
Requires integrationStatus: Requires integration

Infrastructure and AI subprocessor disclosure available during security review with deployment-specific data handling summaries.

Agreement review
Requires integrationStatus: Requires integration

BAA review can be scoped for eligible U.S. production deployments. Canadian deployments can review privacy, data-processing, hosting, applicable PHIPA and provincial privacy role mapping for health information custodian, agent, electronic service provider, or HINP roles only where customer counsel determines those roles apply, plus customer-specific agreements; readiness materials are not certification, legal advice, or a compliance determination.

Incident response
PlannedStatus: Planned

Incident response planning, notification workflow, and monitoring posture are planned and scoped during production deployment review.

Status labels
LiveLive demo/page path is available; not a production-readiness or real-patient-use claim.
PrototypeReviewable workflow pattern that still needs pilot review.
PlannedRoadmap item or design target, not currently live.
Requires integrationDepends on customer systems, agreements, and deployment review.
Canada / PHIPA deployment readiness
Canada / PHIPA-oriented deployment review
Requires integration

Scoping materials for your legal, privacy, security, and operational review.

Canada / PHIPA deployment scoping materials for customer legal, privacy, security, and operational review. These are customer-specific readiness materials, not compliance certification.

Vitruviana can support Canada / PHIPA-oriented deployment review artifacts. For customer-specific pilots, that means the review can scope a Canadian hosting option, data residency, configurable retention and deletion, subprocessor disclosure, agreements, encrypted transport, role-based access, audit logs, privacy impact and security assessment inputs, breach/incident workflow, consent/disclosure workflows, clinic operating policies, and applicable PHIPA and provincial privacy role mapping for health information custodian, agent, electronic service provider, or HINP roles only where customer counsel determines those roles apply.

PHIPA-oriented here means readiness materials for customer review, not certification. Final compliance depends on the selected hosting environment, retention settings, subprocessor approvals, agreements, clinic operating policies, audit logging, legal/privacy/security review, and the deployment-specific implementation. This page provides readiness language for customer-specific review only. It does not certify or determine PHIPA compliance for any customer deployment and is not a blanket compliance claim, certification, legal advice, or substitute for customer legal, privacy, security, and operational approval.

Public demos are sample-data demos only. Production personal health information or HIPAA PHI/ePHI where applicable should not be entered until the customer-specific deployment, agreements, hosting, retention, access model, audit logging, and operating procedures have been reviewed and approved.

Customer-specific PHIPA role mapping, including whether Vitruviana is treated as an agent, electronic service provider, HINP-related service, or other role, as confirmed by customer counsel
Canadian hosting option and data-residency needs can be scoped before launch
Configurable retention windows and deletion workflows by deployment
Subprocessor disclosure before production launch
Privacy impact and security assessment inputs can be scoped with the customer
Encrypted transport for app, API, and integration traffic reviewed by deployment
Administrative, technical, and physical safeguard review by deployment
Role-based access control (RBAC) for operator and clinician workflows
Audit logs for access, review, and workflow events scoped by deployment
Breach and incident notification workflow scoped with the customer
Customer-owned PHIPA operating review, including notice/contact person, consent and consent directives, access/correction, breach reporting, secure retention/disposal, agent training, safeguards, and audit logging where applicable
Consent, notice, and disclosure workflows scoped with the customer
Clinician review required before any draft output is used clinically
No production personal health information or HIPAA PHI/ePHI where applicable before deployment review, agreements, hosting, retention, access, and audit logging are approved
Public demo sample data only; sample-data demo only; do not enter personal health information
Canada / PHIPA-oriented deployment review means readiness artifacts for customer-specific review. Final compliance depends on hosting, retention, subprocessors, agreements, audit logging, clinic policies, applicable PHIPA and provincial privacy role mapping for health information custodian, agent, electronic service provider, or HINP roles only where customer counsel determines those roles apply, jurisdiction-specific requirements, access model, safeguards, and encrypted transport. It is not certification, legal advice, a PHIPA compliance determination, or a statement that any customer deployment satisfies PHIPA obligations. Deployment-specific legal, privacy, security, and operational review is required before production use.
Have questions about security?

Tell us about your workflow, jurisdiction, and hosting needs, and we'll connect you with the right pilot and security review path.