
Compliance & Best Practices

Enterprise compliance framework for Canadian healthcare


In This Section

| Page | Description |
|---|---|
| Overview | Regulatory landscape and data processing |
| PIPEDA | Federal privacy requirements |
| PHIPA | Ontario health privacy requirements |
| SOC 2 Type II | Trust services framework |
| Implementation | Prioritized compliance roadmap |

Regulatory Summary

VitaraVox operates under Canadian healthcare privacy law:

| Jurisdiction | Legislation | Applicability |
|---|---|---|
| Federal | PIPEDA | All provinces except QC, AB, BC (partial) |
| Ontario | PHIPA | Health information custodians |
| British Columbia | PIPA | Commercial organizations |
| Quebec | Bill 64 | All organizations (stricter) |

VitaraVox Role

| Role | Entity | Responsibility |
|---|---|---|
| Controller | Medical Clinic | Patient consent, purpose limitation |
| Processor | VitaraVox | Process as instructed, security |
| Sub-processor | Vapi.ai | Call handling, same obligations |

Data Classification

Sensitive (PHI)

| Data | Stored By | Access |
|---|---|---|
| Patient demographics | OSCAR | Via API only |
| BC PHN | OSCAR | Via API only |
| Medical records | OSCAR | NEVER accessed |

Configuration (Non-PHI)

| Data | Stored By | Access |
|---|---|---|
| Clinic settings | Vitara DB | Admin UI |
| OSCAR credentials | Vitara DB (encrypted) | System only |
| Working hours | Vitara DB | Admin UI |

Analytics (Metadata)

| Data | Stored By | Retention |
|---|---|---|
| Call logs | Vitara DB | 1 year |
| Audit logs | Vitara DB | 7 years |
| Waitlist | Vitara DB | Until registered |

Compliance Status

| Requirement | Status | Notes |
|---|---|---|
| Data encryption (transit) | | TLS 1.2+ |
| Data encryption (rest) | | AES-256 for credentials |
| Access controls | | RBAC in admin UI |
| Audit logging | | All admin actions |
| Breach notification plan | ⚠️ | Needs formalization |
| Business Associate Agreement | ⚠️ | Template needed |
| Privacy policy | ⚠️ | Needs update |
| SOC 2 certification | | Planned for 2026 |

Start Here

  1. Understand the landscape: Overview
  2. Federal requirements: PIPEDA
  3. Ontario health privacy: PHIPA
  4. Enterprise certification: SOC 2
  5. What to do first: Implementation