Compliance & data security

Your patients' data never leaves Canada.

Threvix Health is architected for Canadian healthcare privacy law. Every decision — from where models run to how data flows — is built to meet the requirements of PIPEDA and Quebec’s Law 25.

PIPEDA Compliant · Quebec Law 25 Compliant

Data architecture

Threvix operates a split architecture. Clinical workflows that handle raw patient data run entirely on Canadian infrastructure. Features that use external API inference apply automated de-identification before any outbound request.

Fully local — Canada only

  • AI Scribe — Uploaded audio files, live dictation, and dialogue capture are processed on Canadian servers. Speech recognition, transcription, and clinical note generation never send audio outside the country.
  • Medical Image Analysis — Imaging models run on Canadian infrastructure. Patient images and results are processed and stored exclusively in Canada.
  • Note Generation, Autocorrection & OCR — Note drafting, grammar correction, and scheduling OCR run on locally deployed models with no external data sharing.

De-identified API — storage in Canada

  • General Clinical Inquiries & Differential Diagnosis — These features are powered by state-of-the-art large language models via secure API. Every query is stripped of all protected health information before leaving Canadian infrastructure. The API receives only a de-identified clinical vignette. All stored data remains in Canada.

PHI de-identification

Our de-identification engine runs locally and is applied automatically to every API-bound request. There is no opt-out and no manual step.

What gets removed or transformed

  • Patient name → [REDACTED]
  • Date of birth → Age range (e.g., “40–49”)
  • Address, postal code → [REDACTED]
  • Phone, email, health card number → [REDACTED]
  • Physician name, clinic identifiers → [REDACTED]
  • Vitals, symptoms, clinical observations → Retained (non-identifying, required for inference)

The inference API receives no information that could identify a patient.
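The mapping above, as an added sketch that is not Threvix's engine or code: it applies the listed transformations to a structured record and then checks the outbound payload for identifier values that survive inside retained free text. The field names, the fail-closed handling of unknown fields, and the verbatim copying of retained fields are assumptions of this example.

```python
import json
import re
from datetime import date

# Hypothetical field names; the page lists categories, not a schema.
REDACT = {"patient_name", "address", "postal_code", "phone", "email",
          "health_card_number", "physician_name", "clinic_id"}
RETAIN = {"vitals", "symptoms", "observations"}

def age_range(dob: date, today: date) -> str:
    """Map a date of birth to a decade band such as '40–49'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}–{low + 9}"

def deidentify(record: dict, today: date) -> dict:
    """Apply the mapping; fields in neither set are dropped (fail closed)."""
    out = {}
    for key, value in record.items():
        if key in REDACT:
            out[key] = "[REDACTED]"
        elif key == "date_of_birth":
            out["age_range"] = age_range(value, today)
        elif key in RETAIN:
            out[key] = value  # assumption: retained fields are copied verbatim
    return out

def _norm(value) -> str:
    """Lowercase and strip punctuation/spacing so '514 555 0142' matches '514-555-0142'."""
    return re.sub(r"\W+", "", str(value)).lower()

def residual_identifiers(record: dict, outbound: dict) -> list:
    """Return redacted fields whose original value still appears in the payload."""
    body = _norm(json.dumps(outbound, ensure_ascii=False))
    return [k for k in sorted(REDACT & record.keys())
            if _norm(record[k]) and _norm(record[k]) in body]

# Constructed sample record (not real patient data).
SAMPLE = {
    "patient_name": "Marie Tremblay",
    "date_of_birth": date(1981, 7, 14),
    "postal_code": "H2X 1Y4",
    "phone": "514-555-0142",
    "health_card_number": "TREM81571418",
    "symptoms": "3 days of fever; Marie Tremblay reports cough, call 514 555 0142",
    "vitals": {"temp_c": 38.6, "hr": 102},
}
```

A non-empty result from `residual_identifiers` means a redacted value was also present in a retained free-text field, which is the case a reviewer would want covered by evidence during due diligence.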

Canadian data residency

All patient data — audio, transcripts, clinical notes, images, and diagnostic results — is stored on servers located in Canada. Infrastructure is configured to enforce Canadian-region-only deployment. No identifiable patient data is replicated, cached, or stored outside Canada at any point. For API-based features, only de-identified parameters leave Canadian infrastructure, and the inference provider does not retain them.

PIPEDA

Threvix meets PIPEDA’s ten fair information principles:

  • Accountability — A designated privacy officer oversees compliance and third-party data handling.
  • Identifying purposes — Data is processed solely to deliver clinical AI features. No secondary use.
  • Consent — Clinics obtain patient consent through their own workflows. Threvix provides infrastructure; the clinic controls the consent relationship.
  • Limiting collection — We collect only the minimum data each feature requires. No behavioural analytics, device fingerprints, or patient browsing data.
  • Limiting use, disclosure, and retention — Data is used only for its stated clinical purpose. Retention is configurable by the clinic. Data is never sold or used for model training.
  • Accuracy — All AI outputs are presented as drafts. The physician reviews and approves before anything enters the patient record.
  • Safeguards — Encryption in transit (TLS 1.2+) and at rest (AES-256). Role-based access controls, least-privilege principles, and audit logging.
  • Openness — This page.
  • Individual access — Patients may request access to or deletion of their data through their clinic. We provide the tools to fulfil these requests.
  • Challenging compliance — Contact our privacy officer at the address below.

Quebec Law 25

Threvix is headquartered in Montreal and primarily serves Quebec clinics. Law 25 is core to our compliance posture.

  • Privacy Impact Assessments — Conducted before deploying new AI models, changing data flows, or onboarding new service providers.
  • Privacy by default — De-identification is automatic. Data minimization is enforced at the system level, not by user configuration.
  • Designated privacy officer — Appointed per Law 25 requirements and serves as point of contact for the CAI.
  • Incident response — Breach notification protocol meets Law 25 reporting requirements, including notification to the Commission d’accès à l’information where required.
  • Transparency — All compliance documentation available in English and French.
  • Cross-border transfer controls — Data is de-identified before leaving Canadian infrastructure, rendering it non-personal under the law. Contractual safeguards with the inference provider impose obligations equivalent to Quebec privacy law.

Vendor agreements

For API-based features only (general clinical inquiries and differential diagnosis), the following are in place with our inference provider:

  • Data Processing Agreement (DPA)
  • Zero Data Retention (ZDR)
  • No training on customer data — contractually guaranteed

All other features run on self-hosted models on Canadian infrastructure with no third-party data sharing. We do not publicly disclose our inference provider. Clinics may request vendor details under NDA during procurement.

AI model licensing

Our locally deployed models — powering speech recognition, transcription, note generation, autocorrection, de-identification, and OCR — are open-weight models released under the Apache 2.0 license. This is a permissive license that allows unrestricted commercial use and modification. We maintain all required license notices and attribution.

Running these models on our own infrastructure means that for core clinical workflows, no patient data is shared with any third party. For API-based features, vendor agreements described above govern all data handling.

Contact

Questions about compliance, data handling, or our security posture: privacy@threvix.com

Clinics conducting procurement due diligence may request technical documentation or vendor details under NDA.

Last updated: March 2026