At Heidi, we take pride in meeting (and often exceeding) Canadian standards for privacy and security.
Canadian Compliance
Heidi complies with PIPEDA and every relevant provincial and territorial privacy law, including Ontario’s PHIPA, Alberta and BC’s PIPA laws, Quebec’s Law 25, and health information acts in Saskatchewan, Manitoba, Nova Scotia, New Brunswick, Newfoundland and Labrador, Prince Edward Island, Yukon, and the Northwest Territories.
Data residency: All information is stored exclusively in secure Canadian data centres.
Responsible data use: Your data is never used for secondary purposes such as model training or commercialisation.
Certifications: Heidi maintains internationally recognised standards including ISO 27001, ISO 9001, and SOC 2 Type II.
Privacy Impact Assessments (PIAs): Completed across multiple provinces and territories; examples are available on request.
Trusted in care: Heidi is already in use across Ontario Health Teams, government-funded community clinics, Primary Care Networks, Family Health Teams, health authorities, and hospitals from coast to coast to coast.
Resources for Peace of Mind
We know privacy, security, and local compliance are top of mind for Canadian providers. To make things simple, we’ve gathered key resources in one place —
General Compliance Overview (Download)
An easy-to-share one-pager covering how Heidi meets privacy, security, and legal requirements in Canada.
Compliance Certifications
Visit our Trust Centre to download our compliance certifications (examples listed below) and learn more about controls, subprocessors and our latest compliance updates.
ISO27001:2022 Certification
SOC2 Type 2 Letter of Attestation
Common Compliance FAQs
Below are answers to the most frequently asked compliance questions from clinicians, IT leads, privacy officers, and health system leaders across Canada.
Can I still purchase or continue to use Heidi Health if it's not on the VOR list?
Can I still purchase or continue to use Heidi Health if it's not on the VOR list?
Yes. Supply Ontario has confirmed that the Vendor of Record (VOR) list is optional:
“Purchasing an AI scribe using the VOR list is optional. You can still purchase solutions that are not on the VOR list.”
Source: Supply Ontario Practice Hub
Thousands of clinicians across Canada continue to use Heidi with confidence. From OHTs and PCNs in Ontario, to emergency departments in Montreal, to rural teams in the Yukon, Heidi is there wherever care is delivered.
Does Heidi Health comply with Canadian privacy laws?
Does Heidi Health comply with Canadian privacy laws?
Yes. Heidi is fully compliant with Canadian privacy and security laws, including PIPEDA, PHIPA, FIPPA, PIPA, Quebec Law 25, and all other relevant provincial regulations.
Does Heidi use clinician or patient data to train its AI models?
Does Heidi use clinician or patient data to train its AI models?
No. Heidi Health does not use any patient data, including de-identified data, for model training, secondary use, or improving its AI.
Is Heidi Health’s data stored and processed in Canada?
Is Heidi Health’s data stored and processed in Canada?
Yes. Heidi Health ensures that all data is stored and processed within Canada for our Canadian users.
What happens if Heidi is discontinued or a clinician stops using it?
What happens if Heidi is discontinued or a clinician stops using it?
If you ever decide to stop using Heidi or if we were to discontinue the product, you won’t be left stranded.
Clinicians can export their data at any time, and we’ll work with you to make sure there’s a smooth transition to another tool if needed. Your data stays accessible and under your control throughout. We also have a full Business Continuity and Disaster Recovery Plan in place to cover any unexpected disruptions, whether it's a service outage or a broader issue.
There’s no lock-in, and no impact on your clinical workflow if you move on from Heidi.
Does Heidi delete notes securely?
Does Heidi delete notes securely?
Yes. Data retention periods are determined by clinicians, with options for automatic deletion if preferred over manual deletion. When data is deleted, it is securely destroyed using secure erasure methods and is unrecoverable from our servers.
What security measures does Heidi Health have in place?
What security measures does Heidi Health have in place?
Heidi is built with security at its core. We use a range of modern tools and practices to keep your data safe, including:
Intrusion Detection and Prevention (IDS/IPS)
Security Information and Event Management (SIEM)
Endpoint Detection and Response (EDR)
Data Loss Prevention (DLP)
Secure network configuration
Audit logs that are stored for forensic and accountability purposes
We also follow a "security by design" approach, meaning security isn’t something we bolt on later. It’s built into the way we design, develop and run Heidi every day.
Does Heidi undergo regular security assessments?
Does Heidi undergo regular security assessments?
Yes. We run regular security and privacy assessments to make sure everything’s working the way it should and that we’re keeping your data safe.
That includes annual penetration tests conducted by independent security firms, as well as ongoing internal reviews of our infrastructure and processes. We also complete Privacy Impact Assessments and Threat Risk Assessments, especially when anything significant changes in the system.
Our compliance and security team uses real-time monitoring tools and runs regular audits to catch issues early and reduce risk. It’s all part of how we stay proactive and make sure Heidi remains safe to use in clinical settings.
Does Heidi have recognised security certifications?
Does Heidi have recognised security certifications?
Yes, we do. Heidi is certified to several well-known and respected standards, including:
ISO 27001 - for how we manage information security
SOC 2 Type II - which confirms we meet high standards for security, availability and confidentiality
ISO 9001 - focused on quality management and continuous improvement
These certifications aren’t just for show, they reflect how we actually run the platform from product development to data handling and incident response.
We’ve also been approved for use by major hospitals and health networks across the country, including in Ontario, British Columbia, Quebec and the Yukon.
Does Heidi back up data and support disaster recovery?
Does Heidi back up data and support disaster recovery?
Absolutely. Heidi’s infrastructure is built with resilience and data integrity in mind. All clinical data is automatically and continuously backed up to secure, encrypted storage within Canadian data centres. Our Disaster Recovery and Business Continuity Plan, covers everything from hardware failures to broader service disruptions as well as:
Encrypted, automatic data backups
Systems to ensure minimal service disruption in the event of a failure or outage
Will Heidi warn clinicians if something goes wrong?
Will Heidi warn clinicians if something goes wrong?
Yes. Heidi has built-in safeguards that notify users if any part of the conversation is not fully processed or transcribed, ensuring clinicians are aware of missing or incomplete data before relying on the output.