PHIPA/PIPEDA Business Associate Agreement
Last updated: March 13, 2026
This Business Associate Agreement ("BAA") is entered into between DentinFlow Inc. ("Service Provider") and the dental practice ("Custodian") that subscribes to the DentinFlow platform. This agreement governs the handling of personal health information in compliance with Ontario's Personal Health Information Protection Act (PHIPA) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
1. Definitions
"Personal Health Information" (PHI) means identifying information about an individual in oral or recorded form relating to their physical or mental health, provision of health care, health care provider identity, payment for health care, donation of body parts, health number, or substituted decision-maker information, as defined under PHIPA.
"Custodian" means the dental practice that is a health information custodian as defined under PHIPA, responsible for the collection, use, and disclosure of PHI.
"Agent" means DentinFlow Inc., acting on behalf of the Custodian for the purpose of processing PHI in connection with the Service.
"Breach" means the theft, loss, or unauthorized use, disclosure, copying, modification, or disposal of PHI, or unauthorized access to PHI.
"Service" means the DentinFlow dental practice management platform and all associated features, integrations, and support services.
2. Obligations of DentinFlow
As an Agent of the Custodian, DentinFlow agrees to:
- Process PHI only for the purposes of providing the Service and as directed by the Custodian
- Not use or disclose PHI for any purpose other than providing the Service, except as required by law
- Ensure that all employees and subcontractors who handle PHI are bound by appropriate confidentiality obligations
- Implement and maintain administrative, technical, and physical safeguards to protect PHI
- Comply with PHIPA, PIPEDA, and any other applicable Canadian federal or provincial privacy legislation
- Cooperate with the Custodian in responding to individual access requests or complaints
- Not transfer PHI outside of Canada without the Custodian's written consent, except where necessary for Service provision (e.g., cloud infrastructure) and with appropriate safeguards in place
3. Security Measures
DentinFlow maintains the following security measures to protect PHI:
Technical Safeguards:
- Encryption of PHI in transit (TLS 1.2 or higher) and at rest (AES-256)
- Role-based access controls following the principle of least privilege
- Multi-factor authentication for administrative access
- Automated intrusion detection and security monitoring
- Regular vulnerability scanning and penetration testing
- Secure API authentication using JSON Web Tokens (JWT)
Administrative Safeguards:
- Privacy and security training for all personnel handling PHI
- Documented information security policies and procedures
- Background checks for employees with access to PHI
- Incident response and breach management procedures
Physical Safeguards:
- Data hosted in SOC 2 Type II certified facilities
- Physical access controls at data centre facilities
- Redundant infrastructure with automated backups
4. Breach Notification
In the event of a Breach involving PHI, DentinFlow will:
- Notify the Custodian within 72 hours of becoming aware of the Breach
- Provide a detailed description of the Breach, including the nature of the PHI involved, the estimated number of individuals affected, and the measures taken to mitigate harm
- Cooperate with the Custodian in investigating the Breach and notifying affected individuals and regulatory authorities as required under PHIPA (s. 12) and PIPEDA
- Take immediate steps to contain the Breach and prevent further unauthorized access
- Provide ongoing updates as the investigation progresses
The Custodian retains responsibility for notifying the Information and Privacy Commissioner of Ontario and affected individuals as required under PHIPA.
5. Data Handling
Collection: DentinFlow collects PHI only as necessary to provide the Service and only as directed by the Custodian. The Custodian is responsible for obtaining appropriate consent from patients.
Use: PHI is used exclusively to provide Service features including appointment management, patient communication (SMS, email, AI voice), analytics, and related functionality.
Storage: PHI is stored in encrypted databases hosted on infrastructure located in Canada and the United States. All cross-border transfers are conducted with appropriate safeguards as required by PIPEDA.
Retention: PHI is retained for the duration of the subscription plus 90 days. Upon request, PHI will be exported to the Custodian in a standard format. After the retention period, PHI is permanently deleted from all systems and backups.
Disposal: PHI is disposed of using secure deletion methods that render the information unrecoverable. Certificates of destruction are available upon request.
6. Audit Rights
The Custodian has the right to:
- Request documentation of DentinFlow's security measures and compliance practices
- Conduct or commission a third-party audit of DentinFlow's handling of PHI, with reasonable advance notice (minimum 30 days)
- Review audit logs of access to PHI within the Service
- Receive annual compliance reports summarizing security measures, incidents, and improvements
DentinFlow will cooperate with reasonable audit requests and provide access to relevant documentation, facilities, and personnel.
7. Term and Termination
This BAA is effective upon the Custodian's acceptance of DentinFlow's Terms of Service and remains in effect for the duration of the subscription.
Termination: This BAA terminates when the Custodian's subscription ends, subject to the data retention and disposal obligations described above.
Survival: Sections related to confidentiality, data disposal, breach notification, and audit rights survive termination of this BAA.
Material Breach: Either party may terminate this BAA immediately upon written notice if the other party materially breaches its obligations and fails to cure the breach within 30 days of receiving notice.
Regulatory Changes: If changes to PHIPA, PIPEDA, or other applicable legislation require modification of this BAA, the parties agree to negotiate amendments in good faith.