Data Processing Agreement

Last updated: October 21, 2025

1. Parties and Purpose

This Data Processing Agreement (“Agreement”) forms part of the Service Agreement between ClinicGlide Technologies Inc. (“ClinicGlide”, “Processor”) and the subscribing customer (“Customer”, “Controller”).

It governs ClinicGlide’s processing of personal data on behalf of the Customer in connection with ClinicGlide’s workflow-automation and voice-interaction services, including Clara Voice.

ClinicGlide’s systems are classified as Level 1 Administrative Solutions under Health Canada’s functional hierarchy. They support scheduling, communications, and administrative operations only and do not process, store, or infer clinical, diagnostic, or treatment information.

Processing under this Agreement complies with PIPEDA and any applicable provincial privacy laws (e.g., PHIPA (ON), HIA (AB), PHIA (NS), etc.), with the exception of the Province of Quebec.

2. Roles and Responsibilities

  • Customer (Controller): Determines the purposes and means of processing.

  • ClinicGlide (Processor): Processes personal data solely on documented Customer instructions.

  • Sub-processors: May be engaged under § 7.

ClinicGlide never sells, shares, or repurposes Customer data for unrelated purposes.

3. Nature and Purpose of Processing

ClinicGlide processes limited personal data to:

  • enable real-time and asynchronous voice interactions,

  • automate appointment scheduling and related notifications, and

  • maintain diagnostic and audit logs for service continuity, support, and billing.

ClinicGlide does not collect or process medical records, clinical notes, or assessment content.

4. Categories of Personal Data

Personal data processed may include:

  • Caller or recipient identifiers (name, phone number, email).

  • Call audio recordings, transcripts, and metadata.

  • User account and authentication details for clinic staff.

  • Appointment Information - when an EMR is connected with a legacy-style integration, such as Jane App, we store limited, non-medical data needed to schedule appointments.

  • Worker and access transaction logs.

ClinicGlide does not process diagnostic, treatment, or medical record content.

5. Data Residency and Infrastructure

All Customer data is stored and processed exclusively within the Microsoft Azure Canada Central region.

If telephony or speech services are used for media routing or synthesis:

  • audio and metadata are processed transiently, and

  • retained only in encrypted form within ClinicGlide’s Canadian tenancy for troubleshooting or audit purposes.

No data is transferred or stored outside Canada without prior written authorization from the Customer.

6. Security Measures

ClinicGlide maintains administrative, technical, and physical safeguards proportionate to risk, including:

  1. Encryption: AES-256 at rest; Managed Microsoft keys; TLS 1.2+ in transit.

  2. Access Control: Role-based; least-privilege; MFA for admin accounts

  3. Tenant Isolation: Logical segregation of Customer data within Azure services

  4. Audit & Monitoring: Centralized logging; continuous monitoring; retention ≥ 90 days

  5. Backups: Encrypted daily backups; 30-day rotation and purge

  6. Incident Response: 72-hour notification of confirmed breach (§ 11)

  7. Personnel Training: Annual privacy and security training for authorized staff

7. Sub-processors

ClinicGlide may use the following sub-processors to provide the Services.

Microsoft Azure: Infrastructure, compute, database, storage; Canadian hosted (Azure Canada Central)

Twilio Inc.: Telephony and media transport; United States hosted (transient)

OpenAI for Azure: Intent, inference for NLP/voice; Canadian hosted (Azure Canada Central)

VAPI Technologies: Voice automation and telephony interface; United States (transient)

ElevenLabs Inc.: Speech synthesis / audio rendering (transit only); United States (transient)

ClinicGlide will notify Customers of any intended addition or replacement of sub-processors that materially affects data protection obligations.

8. Data Retention and Deletion

ClinicGlide retains personal data only as long as necessary to fulfill service functions or meet legal obligations.

Data Type; Retention Period; Post-Retention Action

Call audio; 30 days; Auto-deletion (Azure policy)

Transcripts & metadata; 1 year

Worker & access logs; 1 year, then anonymize and retain for audit integrity; N/A

Cached scheduling data (for cached EMR integrations); 12 months rolling; Auto-purge

Contact reference records (non-medical); 12 months rolling from system startup; Purge or anonymize; EMR remains system of record

Billing & accounting records; 7 years; Archive (statutory requirement)

Backups; 30 days; Encrypted; rotation and purge

Upon termination of Services, ClinicGlide deletes or anonymizes Customer data per this section unless legal obligations require longer retention.

9. Customer Instructions and Rights

ClinicGlide processes personal data only on documented Customer instructions.

The Customer retains control over access, export, correction, and deletion.

ClinicGlide provides administrative tools and APIs to action these rights and to propagate deletions to dependent systems, including cached data.

10. Confidentiality

All personnel and contractors with potential access to personal data are bound by written confidentiality obligations and complete privacy and security training appropriate to their roles.

11. Incident Response and Notification

If ClinicGlide becomes aware of a confirmed or suspected security incident involving Customer data, it will:

  1. Notify the Customer without undue delay and no later than 72 hours after confirmation.

  2. Provide known details, including scope, nature, and mitigation steps.

  3. Co-operate fully in any investigation, remediation, or regulatory reporting required under applicable law.

12. Audit and Compliance

ClinicGlide maintains detailed records of processing and administrative access.

Upon reasonable written request, ClinicGlide will make available evidence of privacy and security controls, including penetration-test summaries or audit attestations, subject to confidentiality and security constraints.

13. Termination

This Agreement remains in effect for as long as ClinicGlide processes personal data for the Customer.

Upon termination of Services, data will be deleted or anonymized per § 8, unless longer retention is required by law.

14. Governing Law

This Agreement is governed by the laws of the Province of New Brunswick and the federal laws of Canada applicable therein.

15. Contact

ClinicGlide Technologies Inc.

Attention: Data Protection Officer

45 Loddington St., Fredericton, NB E3C 2S3

privacy@clinicglide.com