# Compliance Requirements

This page tracks all regulatory compliance requirements for VitaraVox, mapped to specific Canadian privacy legislation and their implementation status.
## Applicable Legislation

| Law | Jurisdiction | Relevance |
|---|---|---|
| PIPEDA | Federal (Canada) | Personal Information Protection and Electronic Documents Act — governs collection, use, and disclosure of personal information in commercial activities |
| PIPA | British Columbia | Personal Information Protection Act — BC's private-sector privacy law, substantially similar to PIPEDA |
| PHIPA | Ontario | Personal Health Information Protection Act — applies if expanding to Ontario clinics |
## Compliance Items
### 1. Credential Encryption [MUST]

**Legal Basis:** PIPEDA Principle 4.7 (Safeguards) / PIPA s.34

> "Personal information shall be protected by security safeguards appropriate to the sensitivity of the information."

**Requirement:** All stored credentials (OSCAR OAuth secrets, API keys) must be encrypted at rest using industry-standard encryption.

**What VitaraVox Must Do:**

- Encrypt all credential fields in the database using AES-256-GCM
- Store encryption keys separately from encrypted data (environment variables, not database)
- Mask credentials when displayed in the admin dashboard (show only the last 4 characters)
- Never log or expose plaintext credentials

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** `server/src/lib/crypto.ts` provides AES-256-GCM encrypt/decrypt. `ENCRYPTION_KEY` is required in the production environment. The provider service encrypts on save and masks on read.
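The following TypeScript is an added illustration of the encrypt-on-save, mask-on-read pattern this item describes. It is example code written for this page, not the contents of `server/src/lib/crypto.ts`, and it uses only Node's built-in `crypto` module. The key is passed in as a parameter instead of being read from `ENCRYPTION_KEY` so the example runs offline; the hex key format, the `iv || tag || ciphertext` storage layout, the fixed four-asterisk mask and every sample value are assumptions of this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const ALGORITHM = "aes-256-gcm";
const IV_BYTES = 12;  // 96-bit nonce, the size GCM is specified for
const TAG_BYTES = 16; // 128-bit authentication tag

// Parse the key the way a production start-up would parse ENCRYPTION_KEY
// (assumed format: 64 hex characters = 32 bytes). Rejecting a wrong-length
// key here means a misconfigured deployment fails before storing anything.
export function loadKey(hexKey: string): Buffer {
  const key = Buffer.from(hexKey, "hex");
  if (key.length !== 32) {
    throw new Error("ENCRYPTION_KEY must be 32 bytes (64 hex characters)");
  }
  return key;
}

// Encrypt one credential field. A fresh random IV per call is what keeps
// AES-GCM safe when the same key protects many secrets; the IV and tag are
// stored alongside the ciphertext (assumed layout: base64(iv || tag || ct)).
export function encryptSecret(plaintext: string, key: Buffer): string {
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv(ALGORITHM, key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, ciphertext]).toString("base64");
}

// Decrypt on read. decipher.final() throws if the tag does not verify, so a
// tampered database row or a wrong key surfaces as an error, never as garbage.
export function decryptSecret(stored: string, key: Buffer): string {
  const blob = Buffer.from(stored, "base64");
  if (blob.length < IV_BYTES + TAG_BYTES) {
    throw new Error("stored credential is too short to be valid");
  }
  const iv = blob.subarray(0, IV_BYTES);
  const tag = blob.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ciphertext = blob.subarray(IV_BYTES + TAG_BYTES);
  const decipher = createDecipheriv(ALGORITHM, key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Dashboard display: only the last four characters are shown. The prefix is a
// fixed width (assumption) so the mask does not reveal the secret's length.
export function maskSecret(secret: string): string {
  return "****" + secret.slice(-4);
}
```

The tamper check is the part worth keeping in mind when reviewing a real implementation: with GCM, a one-byte change anywhere in the stored blob makes `decryptSecret` throw rather than return a corrupted secret that might then be sent to OSCAR.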
### 2. Audit Logging [MUST]

**Legal Basis:** PIPEDA Principle 4.1.4 (Accountability) / PIPA s.4

> "Organizations shall be able to demonstrate compliance with their privacy policies and practices."

**Requirement:** All access to and modifications of personal information must be logged for accountability and breach investigation.

**What VitaraVox Must Do:**

- Log all data mutations (POST, PUT, DELETE) with user identity, action, resource, and timestamp
- Redact sensitive fields (passwords, secrets) from audit entries
- Retain audit logs for a minimum of 2 years
- Provide an admin interface to query audit history

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** `AuditLog` model in the database. Middleware captures all mutations automatically. Admin endpoint `GET /api/admin/audit` with pagination and filtering.
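As an added example (not the project's middleware), the TypeScript below shows the two pieces the item asks for: selecting mutating requests and redacting secret-bearing fields before an entry is written. The request shape, the list of sensitive name fragments, the `[REDACTED]` marker and the sample body are assumptions of this example; the page lists POST, PUT and DELETE, and PATCH is included here as an assumption since it also mutates.

```typescript
// Field-name fragments treated as sensitive after normalisation (lower-case,
// underscores and hyphens removed), so "oscarClientSecret", "api_key" and
// "API-KEY" are all caught. The list itself is an assumption of this example.
const SENSITIVE_FRAGMENTS = ["password", "secret", "apikey", "token"];

// Methods that count as data mutations. The page lists POST, PUT, DELETE;
// PATCH is added here as an assumption.
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Minimal view of an incoming request (assumed shape for the example).
export interface AuditRequest {
  method: string;
  path: string;
  userId?: string;
  body?: unknown;
}

export interface AuditEntry {
  timestamp: string;
  userId: string;
  action: string;
  resource: string;
  payload: unknown;
}

export function isSensitiveKey(key: string): boolean {
  const normalised = key.toLowerCase().replace(/[_-]/g, "");
  return SENSITIVE_FRAGMENTS.some((fragment) => normalised.includes(fragment));
}

// Walk the body recursively and replace any sensitive value, at any depth,
// with a marker. The depth guard stops pathological or cyclic input from
// recursing forever; arrays are mapped element by element.
export function redact(value: unknown, depth = 0): unknown {
  if (depth > 32) return "[depth-limit]";
  if (Array.isArray(value)) return value.map((item) => redact(item, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, inner] of Object.entries(value as Record<string, unknown>)) {
      out[key] = isSensitiveKey(key) ? "[REDACTED]" : redact(inner, depth + 1);
    }
    return out;
  }
  return value;
}

// Build the entry that middleware would persist. Returns null for reads so a
// caller can skip the write; the timestamp is injectable for testing.
export function buildAuditEntry(req: AuditRequest, now: Date = new Date()): AuditEntry | null {
  const action = req.method.toUpperCase();
  if (!MUTATING_METHODS.has(action)) return null;
  return {
    timestamp: now.toISOString(),
    userId: req.userId ?? "anonymous",
    action,
    resource: req.path,
    payload: redact(req.body ?? null),
  };
}
```

Substring matching on normalised names is deliberate: an allow-list of exact field names silently misses the next model that adds `oscarClientSecret` or `webhookToken`, and a missed field is exactly the kind of plaintext credential the previous item forbids in logs.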
### 3. Privacy Officer Designation [MUST]

**Legal Basis:** PIPEDA Principle 4.1.1 / PIPA s.4(3)

> "An organization shall designate an individual or individuals who are accountable for the organization's compliance."

**Requirement:** Each clinic must designate a Privacy Officer responsible for compliance oversight.

**What VitaraVox Must Do:**

- Provide fields for privacy officer name, email, and phone per clinic
- Require privacy officer designation before go-live
- Display privacy officer contact in compliance settings

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** `ClinicConfig` fields: `privacyOfficerName`, `privacyOfficerEmail`, `privacyOfficerPhone`. Pre-launch validation enforces designation.
### 4. Voice Recording Consent [SHOULD — Tier A]

**Legal Basis:** PIPEDA Principle 4.3 (Consent)

> "The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information."

**Requirement:** Callers must be informed that calls are recorded and consent to recording before proceeding.

**What VitaraVox Must Do:**

- Include consent language in the system greeting played at the start of every call
- Document that continuing the call constitutes implied consent
- Reference consent practices in the privacy policy

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** The router assistant's system greeting includes: "This call is recorded for quality and scheduling purposes. By continuing, you consent to recording." Continuing the call constitutes implied consent (standard practice in Canadian telephony).

**Deferred:** Full `PatientConsent` model with explicit opt-in/opt-out tracking — planned for post-launch.
### 5. Data Retention Policy [SHOULD — Tier A + B]

**Legal Basis:** PIPEDA Principle 4.5 (Limiting Retention)

> "Personal information shall be retained only as long as necessary for the fulfilment of those purposes."

**Requirement:** Transcripts and call data must have defined retention periods and be automatically purged.

**What VitaraVox Must Do:**

- Define configurable retention periods per clinic (transcripts: 90 days default, call logs: 365 days default)
- Automatically null out transcripts after the retention period
- Delete call log records after the longer retention period
- Provide admin controls to adjust retention periods and trigger manual purges

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** `ClinicConfig` fields: `transcriptRetentionDays` (default 90), `callLogRetentionDays` (default 365). A scheduled job runs daily at 3 AM. Admins can trigger a manual purge via `POST /api/admin/data-retention/run`.
### 6. BAA/DPA with Third Parties [MUST — Legal Process]

**Legal Basis:** PIPEDA Principle 4.1.3 (Accountability for Transfers)

> "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing."

**Requirement:** Data Processing Agreements must be signed with all third parties that process personal health information.

**What VitaraVox Must Do:**

- Sign a DPA with Vapi.ai (voice processing, transcript storage)
- Review and document OCI Toronto data processing terms (hosting)
- Track BAA/DPA signing status per clinic
- Block go-live if required agreements are unsigned

**Status:** :material-progress-clock:{ .text-warning } In Progress

**Implementation:** `ClinicConfig` fields track BAA signing status (`baaVapiSigned`, `baaHostingSigned`, with timestamps). DPA templates drafted. Legal execution pending.

**See also:** BAA/DPA Templates
### 7. Transcript Minimization [SHOULD]

**Legal Basis:** PIPEDA Principle 4.4 (Limiting Collection)

> "The collection of personal information shall be limited to that which is necessary for the purposes identified."

**Requirement:** Only collect and retain the minimum personal information necessary.

**What VitaraVox Must Do:**

- Auto-delete full transcripts after the retention period (via item 5)
- Retain call summaries longer, as they contain less PHI
- Avoid collecting unnecessary personal data during voice interactions

**Status:** :material-check-circle:{ .text-success } Done (covered by Data Retention Policy)

**Implementation:** The retention policy (item 5) nulls transcripts after the configurable number of days while keeping summaries for the longer retention period. Voice prompts only ask for information needed for the specific task.
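The TypeScript below is an added example of the purge logic that items 5 and 7 describe: the scheduled job's decision of which records get their transcript nulled (transcript window elapsed, summary kept) and which are deleted outright (call-log window elapsed), using the page's `transcriptRetentionDays` and `callLogRetentionDays` defaults. It is not the project's scheduled job; the `CallRecord` shape, the validation rule that the call-log window must not be shorter than the transcript window, and the sample records are assumptions of this example. The planning step is separated from the apply step so an admin-triggered dry run can show what a purge would do before anything is changed.

```typescript
const DAY_MS = 86_400_000;

// Retention settings per clinic; field names and defaults are from the page.
export interface RetentionConfig {
  transcriptRetentionDays: number;
  callLogRetentionDays: number;
}

export const DEFAULT_RETENTION: RetentionConfig = {
  transcriptRetentionDays: 90,
  callLogRetentionDays: 365,
};

// Assumed shape of a stored call record for this example.
export interface CallRecord {
  id: string;
  clinicId: string;
  endedAt: Date;
  transcript: string | null;
  summary: string | null;
}

export interface PurgePlan {
  nullTranscript: string[]; // ids whose transcript is set to null (summary kept)
  deleteRecord: string[];   // ids removed entirely
}

// Reject settings that would defeat the policy: non-positive windows, or a
// call-log window shorter than the transcript window (assumed rule).
export function validateRetention(cfg: RetentionConfig): RetentionConfig {
  if (!Number.isInteger(cfg.transcriptRetentionDays) || cfg.transcriptRetentionDays < 1) {
    throw new Error("transcriptRetentionDays must be a positive integer");
  }
  if (!Number.isInteger(cfg.callLogRetentionDays) || cfg.callLogRetentionDays < cfg.transcriptRetentionDays) {
    throw new Error("callLogRetentionDays must be an integer >= transcriptRetentionDays");
  }
  return cfg;
}

// Decide, without mutating anything, what the daily job should do. A record
// past the call-log window is deleted; otherwise one past the transcript
// window that still holds a transcript has it nulled. Clinics without a
// config fall back to the page's defaults.
export function planPurge(records: CallRecord[], configs: Map<string, RetentionConfig>, now: Date): PurgePlan {
  const plan: PurgePlan = { nullTranscript: [], deleteRecord: [] };
  for (const record of records) {
    const cfg = validateRetention(configs.get(record.clinicId) ?? DEFAULT_RETENTION);
    const ageDays = (now.getTime() - record.endedAt.getTime()) / DAY_MS;
    if (ageDays >= cfg.callLogRetentionDays) {
      plan.deleteRecord.push(record.id);
      continue;
    }
    if (record.transcript !== null && ageDays >= cfg.transcriptRetentionDays) {
      plan.nullTranscript.push(record.id);
    }
  }
  return plan;
}

// Apply a plan to an in-memory copy (a real job would issue the equivalent
// UPDATE and DELETE statements). Summaries are untouched, per item 7.
export function applyPurge(records: CallRecord[], plan: PurgePlan): CallRecord[] {
  const toDelete = new Set(plan.deleteRecord);
  const toNull = new Set(plan.nullTranscript);
  return records
    .filter((record) => !toDelete.has(record.id))
    .map((record) => (toNull.has(record.id) ? { ...record, transcript: null } : record));
}

// Constructed sample data: clinic-a uses the defaults, clinic-b uses a
// shorter transcript window and a longer call-log window.
export function sampleConfigs(): Map<string, RetentionConfig> {
  return new Map([["clinic-b", { transcriptRetentionDays: 30, callLogRetentionDays: 500 }]]);
}

export function sampleRecords(now: Date): CallRecord[] {
  const daysAgo = (n: number) => new Date(now.getTime() - n * DAY_MS);
  return [
    { id: "c1", clinicId: "clinic-a", endedAt: daysAgo(10), transcript: "...", summary: "booked" },
    { id: "c2", clinicId: "clinic-a", endedAt: daysAgo(100), transcript: "...", summary: "rescheduled" },
    { id: "c3", clinicId: "clinic-a", endedAt: daysAgo(400), transcript: null, summary: "cancelled" },
    { id: "c4", clinicId: "clinic-b", endedAt: daysAgo(100), transcript: "...", summary: "booked" },
    { id: "c5", clinicId: "clinic-b", endedAt: daysAgo(20), transcript: "...", summary: "enquiry" },
  ];
}
```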
### 8. Breach Notification Plan [MUST — Document Only]

**Legal Basis:** PIPEDA s.10.1 / PIPA s.29.3

> "An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable to believe the breach creates a real risk of significant harm."

**Requirement:** A documented breach response procedure must exist before handling PHI.

**What VitaraVox Must Do:**

- Document the breach notification procedure (who, what, when)
- Define the escalation chain and timelines (72 hours to the Privacy Commissioner)
- Identify the affected-parties notification process
- Maintain breach records

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** Documented procedure — see Breach Response Plan. Zero code changes; this is a process document.
### 9. Security Hardening [SHOULD]

**Legal Basis:** PIPEDA Principle 4.7 (Safeguards)

> "Security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification."

**Requirement:** Application and infrastructure security controls appropriate for healthcare data.

**What VitaraVox Must Do:**

- HTTP security headers (Helmet)
- Rate limiting on authentication and API endpoints
- Input validation on all endpoints
- Structured logging for incident investigation
- Environment variable validation (fail fast if secrets are missing in production)
- Circuit breaker for external service calls (OSCAR Bridge)
- Automated database backups

**Status:** :material-check-circle:{ .text-success } Done

**Implementation:** Covered by the reliability theme — Helmet headers, rate limiting (auth: 5/min, webhook: 300/min, API: 100/min), Zod input validation, Pino structured logging, env validation, Opossum circuit breaker, automated `pg_dump` backups.
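Two of the controls above are simple enough to show in full without the Express packages the project uses. The TypeScript below is an added example, not the project's code: a fixed-window rate limiter using the page's per-minute limits (auth 5, webhook 300, API 100), and a fail-fast environment check that refuses to start a production process without a usable `ENCRYPTION_KEY`. The tier names, the per-client key, the fixed-window algorithm, and the assumed 64-hex-character key format are choices made for this example; a real deployment would typically use a maintained rate-limit middleware with a shared store so limits hold across multiple server instances.

```typescript
// Per-minute limits from the page.
export const RATE_LIMITS = { auth: 5, webhook: 300, api: 100 } as const;
export type Tier = keyof typeof RATE_LIMITS;

interface WindowState {
  windowStart: number;
  count: number;
}

// Fixed-window counter keyed by tier and client (for example a source IP or
// an API key id). Counting per tier means an attacker exhausting the API
// budget does not also lock out login, and vice versa.
export class FixedWindowLimiter {
  private readonly counts = new Map<string, WindowState>();
  private readonly limits: Record<Tier, number>;
  private readonly windowMs: number;

  constructor(limits: Record<Tier, number> = RATE_LIMITS, windowMs = 60_000) {
    this.limits = limits;
    this.windowMs = windowMs;
  }

  // Returns true if the request may proceed. nowMs is injectable for tests;
  // production callers pass Date.now().
  check(tier: Tier, clientKey: string, nowMs: number): boolean {
    const key = `${tier}:${clientKey}`;
    const windowStart = Math.floor(nowMs / this.windowMs) * this.windowMs;
    const state = this.counts.get(key);
    if (state === undefined || state.windowStart !== windowStart) {
      this.counts.set(key, { windowStart, count: 1 });
      return true;
    }
    if (state.count >= this.limits[tier]) return false;
    state.count += 1;
    return true;
  }
}

// Return a list of start-up problems. In production a missing ENCRYPTION_KEY
// is fatal (the page requires it there); in other environments it is merely
// absent. A present key of the wrong shape is always a problem, because the
// credential encryption it feeds would fail on first use rather than at boot.
export function validateEnv(env: Record<string, string | undefined>): string[] {
  const problems: string[] = [];
  const production = env.NODE_ENV === "production";
  if (!env.ENCRYPTION_KEY) {
    if (production) problems.push("ENCRYPTION_KEY is not set");
  } else if (!/^[0-9a-f]{64}$/i.test(env.ENCRYPTION_KEY)) {
    problems.push("ENCRYPTION_KEY must be 64 hex characters (assumed format)");
  }
  return problems;
}

// Fail-fast wrapper: throw before any listener is opened.
export function assertEnv(env: Record<string, string | undefined>): void {
  const problems = validateEnv(env);
  if (problems.length > 0) {
    throw new Error(`Refusing to start: ${problems.join("; ")}`);
  }
}
```

A fixed window is the easiest limiter to reason about but allows up to twice the limit across a window boundary (the last second of one minute plus the first of the next); a sliding window or token bucket removes that burst at the cost of a little more state.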
## Compliance Summary

| # | Item | Priority | Status | Legal Reference |
|---|---|---|---|---|
| 1 | Credential Encryption | MUST | Done | PIPEDA 4.7 / PIPA s.34 |
| 2 | Audit Logging | MUST | Done | PIPEDA 4.1.4 / PIPA s.4 |
| 3 | Privacy Officer | MUST | Done | PIPEDA 4.1.1 / PIPA s.4(3) |
| 4 | Voice Recording Consent | SHOULD | Done | PIPEDA 4.3 |
| 5 | Data Retention | SHOULD | Done | PIPEDA 4.5 |
| 6 | BAA/DPA | MUST | In Progress | PIPEDA 4.1.3 |
| 7 | Transcript Minimization | SHOULD | Done | PIPEDA 4.4 |
| 8 | Breach Notification | MUST | Done | PIPEDA s.10.1 / PIPA s.29.3 |
| 9 | Security Hardening | SHOULD | Done | PIPEDA 4.7 |