Embedded Files
Overview
Overview
Heidi is fully compliant with Canadian privacy and security laws, including PIPEDA and all relevant provincial regulations.
Data residency: All data is securely stored in Canadian data centres.
Data usage: Data is never used for secondary purposes like model training or commercialisation.
Certifications: Heidi is a leader in compliance, and has obtained certifications such as ISO27001, ISO9001, and SOC 2 Type II.
Privacy Impact Assessments (PIAs): Completed across multiple jurisdictions - we are able to share examples on request.
Trusted across Canadian healthcare: Heidi has been deployed in OHTS, PCNS, FHTS, Health authorities and hospitals across Canada.
Resources
Resources
In response to questions around local compliance, privacy, and security, we’ve pulled together the resources below to make it easier to share and explore our industry-leading standards. Whether you're just looking for a quick overview or want to dig into the details, everything you need is here.
While we often exceed domestic standards due to operating in regions with some of the world’s strictest regulations (e.g. Europe, UK), our compliance work in Canada is specifically anchored to the publicly listed requirements from OntarioMD. We hope this provides a clear and helpful foundation as you conduct your assessments and prioritize provider safety.
- Reference documents
An easy-to-share 1-pager covering how Heidi meets privacy, security, and legal requirements in Canada.
A patient-facing 1-pager that explains what Heidi does and provides a privacy overview.
A clinician-facing 1-pager that explains what Heidi does and how to get started.
2. Compliance certifications
2. Compliance certifications
Visit our Trust Centre to download our compliance certifications (examples listed below) and learn more about controls, subprocessors and our latest compliance updates.
ISO27001:2022 Certification
SOC2 Type 2 Letter of Attestation
Common compliance FAQs
Common compliance FAQs
Below are answers to the most frequently asked compliance questions from clinicians, IT leads, privacy officers, and health system leaders across Canada.
Can I still purchase or continue to use Heidi Health if it's not on the VOR list?
Can I still purchase or continue to use Heidi Health if it's not on the VOR list?
Yes. OntarioMD has confirmed that the Vendor of Record (VOR) list is optional:
“Purchasing an AI scribe using the VOR list is optional. You can still purchase solutions that are not on the VOR list.”
Source: Ontario MD Practice Hub
Thousands of clinicians across Canada continue to use Heidi with confidence. From OHTs and PCNs in Ontario, to emergency departments in Montreal, to rural teams in the Yukon, Heidi is there wherever care is delivered.
Does Heidi Health comply with Canadian privacy laws?
Does Heidi Health comply with Canadian privacy laws?
Yes. Heidi Health complies with all relevant legislation, including:
All provincial specific requirements, such as PHIPA, PIPA, Quebec Law 25, etc.
PIPEDA (Personal Information Protection and Electronic Documents Act)
FIPPA (Freedom of Information and Protection of Privacy Act)
Heidi ensures secure handling of personal health information (PHI) and sensitive data, consistent with these regulations. In addition, Heidi aligns with Infoway’s AI Use Guidelines and the Model Artificial Intelligence Governance Framework promoted in Ontario and other provinces.
All access to PHI is tightly governed, logged, and controlled under industry best practices. Further information can be found in our Trust Center.
Does Heidi use clinician or patient data to train its AI models?
Does Heidi use clinician or patient data to train its AI models?
No. Heidi Health does not use any patient data, including de-identified data, for model training, secondary use, or improving its AI.
Is Heidi Health’s data stored and processed in Canada?
Is Heidi Health’s data stored and processed in Canada?
Yes. Heidi Health ensures that all data is stored and processed within Canada for our Canadian users.
What happens if Heidi is discontinued or a clinician stops using it?
What happens if Heidi is discontinued or a clinician stops using it?
If you ever decide to stop using Heidi or if we were to discontinue the product, you won’t be left stranded.
Clinicians can export their data at any time, and we’ll work with you to make sure there’s a smooth transition to another tool if needed. Your data stays accessible and under your control throughout. We also have a full Business Continuity and Disaster Recovery Plan in place to cover any unexpected disruptions, whether it's a service outage or a broader issue.
There’s no lock-in, and no impact on your clinical workflow if you move on from Heidi.
Does Heidi delete notes securely?
Does Heidi delete notes securely?
Yes. Data retention periods are determined by clinicians, with options for automatic deletion if preferred over manual deletion. When data is deleted, it is securely destroyed using secure erasure methods and is unrecoverable from our servers.
What security measures does Heidi Health have in place?
What security measures does Heidi Health have in place?
Heidi is built with security at its core. We use a range of modern tools and practices to keep your data safe, including:
Intrusion Detection and Prevention (IDS/IPS)
Security Information and Event Management (SIEM)
Endpoint Detection and Response (EDR)
Data Loss Prevention (DLP)
Secure network configuration
Audit logs that are stored for forensic and accountability purposes
We also follow a "security by design" approach, meaning security isn’t something we bolt on later. It’s built into the way we design, develop and run Heidi every day.
Does Heidi undergo regular security assessments?
Does Heidi undergo regular security assessments?
Yes. We run regular security and privacy assessments to make sure everything’s working the way it should and that we’re keeping your data safe.
That includes annual penetration tests conducted by independent security firms, as well as ongoing internal reviews of our infrastructure and processes. We also complete Privacy Impact Assessments and Threat Risk Assessments, especially when anything significant changes in the system.
Our compliance and security team uses real-time monitoring tools and runs regular audits to catch issues early and reduce risk. It’s all part of how we stay proactive and make sure Heidi remains safe to use in clinical settings.
Does Heidi have recognised security certifications?
Does Heidi have recognised security certifications?
Yes, we do. Heidi is certified to several well-known and respected standards, including:
ISO 27001 - for how we manage information security
SOC 2 Type II - which confirms we meet high standards for security, availability and confidentiality
ISO 9001 - focused on quality management and continuous improvement
These certifications aren’t just for show, they reflect how we actually run the platform from product development to data handling and incident response.
We’ve also been approved for use by major hospitals and health networks across the country, including in Ontario, British Columbia, Quebec and the Yukon.
Does Heidi back up data and support disaster recovery?
Does Heidi back up data and support disaster recovery?
Absolutely. Heidi’s infrastructure is built with resilience and data integrity in mind. All clinical data is automatically and continuously backed up to secure, encrypted storage within Canadian data centres. Our Disaster Recovery and Business Continuity Plan, covers everything from hardware failures to broader service disruptions as well as:
Encrypted, automatic data backups
Systems to ensure minimal service disruption in the event of a failure or outage
Will Heidi warn clinicians if something goes wrong?
Will Heidi warn clinicians if something goes wrong?
Yes. Heidi has built-in safeguards that notify users if any part of the conversation is not fully processed or transcribed, ensuring clinicians are aware of missing or incomplete data before relying on the output.
Page updated
Report abuse