Trust & compliance
For medspa owners, IT buyers, and compliance officers evaluating Delam. Everything that keeps patient data safe, documented, and provable. PIPEDA, PHIPA, and Quebec Law 25 are live today. HIPAA and SOC 2 Type II land Q2 2026.
- AES-256 encryption at rest
- Canadian data residency
- 7-year audit retention
Compliance certifications
Six regulatory regimes, documented and provable.
Canadian clinics are PIPEDA, PHIPA, and Quebec Law 25 compliant with Delam today. US enterprise customers get a BAA on request now, with HIPAA and SOC 2 Type II attestation landing Q2 2026.
PIPEDA
Live today. Canadian data residency, patient access and correction workflows, breach register, Principle 9 and Principle 10 support.
Quebec Law 25 (P-39.1)
Live today. Explicit consent, automated-decision disclosure, 72-hour internal breach escalation clock, cross-border PIA, designated privacy officer.
PHIPA (Ontario)
Live today. PHI custodian workflows, consent capture, agent agreements, reasonable safeguards, patient access and correction.
HIPAA
Q2 2026. Architected to HIPAA standards today; Business Associate Agreement on request. Formal attestation lands Q2 2026 for US enterprise. HIPAA has no government certification, so attestation here means an external assessment against the Security and Privacy Rules, not a certificate.
SOC 2 Type II
Q2 2026. Independent audit of the security, availability, and confidentiality trust service criteria. Report available on request after attestation.
PCI DSS (via Stripe)
Live today. Tokenized payments; no raw card data ever touches Delam servers. Cards are entered into Stripe Checkout or the Stripe Payment Element, so Delam's own PCI DSS footprint is limited to protecting the integration (checkout pages, API keys, webhook handling) rather than cardholder data. Stripe webhook signatures are verified before any event is acted on.
Encryption & infrastructure
Encrypted at rest, encrypted in transit, hosted in Canada.
Field-level encryption with quarterly key rotation. TLS 1.3 only. AWS ca-central-1 Postgres, Supabase Toronto for files. Photos behind short-lived signed URLs, never public.
Encryption at rest
AES-256-GCM envelope encryption at the column level, not just the disk: each row gets its own data key, and that key is wrapped by a key-encryption key that never leaves a managed KMS. Wrapping keys rotate quarterly. Every PHI field (name, phone, DOB, notes, photos) is encrypted independently, with its own nonce and ciphertext, so a compromised field does not expose its neighbours.
NIST SP 800-175B, SP 800-57 Pt.1 Rev.5
Encryption in transit
TLS 1.3 exclusively, with HSTS preload on every delam.ai domain. No fallback to older protocol versions, no plaintext endpoints. Stripe webhooks are verified against the timestamped HMAC-SHA256 signature in the Stripe-Signature header before any state change hits the database.
IETF RFC 8446
Canadian data residency
Postgres runs in AWS ca-central-1 (Montreal). Files live in a private Supabase bucket in Toronto. Backups, search indexes, and the audit ledger all stay inside Canadian borders by default.
Quebec Law 25, Article 17 (2024)
Private photo storage
Before and after photos sit in a private Supabase bucket behind one-hour signed URLs. No public URL exists. Revocation invalidates existing URLs and flushes caches in under 60 seconds.
CPSO Policy 4-12, CNO Advertising Guidelines
Access control & audit
Least privilege, logged forever.
Role-based permissions, 5-minute cache, every PHI event routed through auditPHIAccess(). Seven-year retention by default, configurable to ten for pediatrics. One ledger, one query, on demand.
Role-based access control
Dot-notation permissions (clients.view, payroll.export, clients.phone.view) enforced on the backend, the frontend, and the audit log. Roles are bundles of permissions, cached in memory for 5 minutes and invalidated on any change. Owners bypass the permission check; every bypass is itself written to the audit ledger.
Audit logging, 7-year retention
Every PHI read, write, export, and consent event routes through auditPHIAccess() and appends to an immutable ledger. Retention defaults to seven years per CPSO Policy 4-12, configurable to ten for pediatric records in Ontario under PHIPA O. Reg. 329/04.
Context on every event
Each audit row captures staff ID, patient ID, action, purpose, IP address, user agent, device fingerprint, and jurisdiction. Exportable as CSV or JSON for complaint responses, IPC or CAI audits, and internal QA reviews.
Photo consent gating
The PhotoConsent model is a required (non-nullable) foreign key on every before and after photo. No consent row, no bytes stored. The constraint lives in the database schema and the requirePhotoConsent middleware enforces it on the write path, not in the UI, so a missed UI check cannot produce a compliance hole.
Privacy commitments
Five rules that never get traded away.
When regulations conflict, the strictest rule wins. These are non-negotiable across every jurisdiction Delam operates in.
Breach notification under 72 hours
Quebec Law 25 requires notification with diligence and PIPEDA as soon as feasible; neither sets a fixed deadline, so Delam treats 72 hours as the internal escalation clock. Affected clinics are notified first, then patients, then the OPC and CAI where applicable.
Patient data access and correction
PIPEDA Principle 9 (Individual Access, which includes correction) and Principle 10 (Challenging Compliance), plus the Law 25 and PHIPA equivalents, give patients the right to see and correct their personal information. The patient app exposes a request flow; the clinic dashboard includes a one-click export (CSV or JSON) with an audit trail.
Cross-border transfer PIA
Any cross-border data flow, for example to a US-hosted AI inference service, requires a documented privacy impact assessment. Direct identifiers are stripped before the request leaves Canadian infrastructure, standard contractual clauses are on file, and the transfer is disclosed in the clinic privacy notice.
Minor data handling (under 14)
Law 25 forbids collecting information from a child under 14 without parental consent, unless the collection is clearly in the child's interest. Delam captures guardian contact on every minor record, applies stricter retention, and requires an age-verification gate before processing.
Reproductive health PHI carve-out
Per the 2024 HIPAA Privacy Rule update, Delam never uses or discloses PHI for investigations relating to lawful reproductive health care. This rule is enforced at the query layer: a PHI access request tagged reproductive health is refused unless the patient has initiated a release.
AI safety
AI assists, clinicians decide.
Identifiers stripped before any prompt leaves Canadian infrastructure. Automated-decision disclosure per Law 25. No training on identifiable PHI without consent. Human review required for anything consequential.
PHI stripped before AI prompts
Direct identifiers (full name, full DOB, full address, SIN or SSN, payment cards) are masked before any call transcript or note draft reaches an AI model. Internal patient IDs or age ranges replace names and dates of birth wherever the task allows.
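One way to implement the masking described above, as an added example that is not Delam's code. It layers two techniques: record-driven masking, which replaces the identifiers the clinic already holds for this patient (name, DOB, phone) with the internal patient ID or an age range, and a pattern sweep for identifiers that appear only in free text (other phone numbers, dates, SIN/SSN-shaped numbers, card numbers, e-mail addresses). The patient record shape, the placeholder tokens, and the transcript are constructed for the example.

```javascript
// Added example (not Delam's code): strip direct identifiers from a transcript
// before it leaves for an AI model. Record-driven masking first, pattern sweep second.
'use strict';

const PATTERNS = [
  { label: 'CARD', re: /\b(?:\d[ -]?){13,19}\b/g },                       // payment card shapes
  { label: 'SIN', re: /\b\d{3}[ -]?\d{3}[ -]?\d{3}\b/g },                  // Canadian SIN (9 digits)
  { label: 'SSN', re: /\b\d{3}-\d{2}-\d{4}\b/g },                          // US SSN
  { label: 'PHONE', re: /(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}\b/g },
  { label: 'DATE', re: /\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}\/\d{1,2}\/\d{2,4})\b/g },
  { label: 'EMAIL', re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
];

function escapeRegex(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// A DOB becomes a ten-year age band; enough for most clinical drafting tasks,
// useless for re-identification. `today` is fixed so the example is deterministic.
function ageRange(dobIso, today = new Date('2025-01-15T00:00:00Z')) {
  const dob = new Date(dobIso);
  let age = today.getUTCFullYear() - dob.getUTCFullYear();
  const m = today.getUTCMonth() - dob.getUTCMonth();
  if (m < 0 || (m === 0 && today.getUTCDate() < dob.getUTCDate())) age -= 1;
  const lo = Math.floor(age / 10) * 10;
  return `${lo}-${lo + 9}`;
}

// Layer 1: mask what the patient record tells us. Full name, first name and last
// name are all replaced, since callers rarely use the full form consistently.
function maskFromRecord(text, patient) {
  const tokens = [];
  const [first, ...rest] = patient.fullName.split(/\s+/);
  const last = rest[rest.length - 1];
  tokens.push([patient.fullName, `[PATIENT ${patient.id}]`]);
  if (first) tokens.push([first, `[PATIENT ${patient.id}]`]);
  if (last) tokens.push([last, `[PATIENT ${patient.id}]`]);
  if (patient.dob) tokens.push([patient.dob, `[AGE ${ageRange(patient.dob)}]`]);
  if (patient.phone) tokens.push([patient.phone, '[PHONE]']);
  let out = text;
  for (const [needle, repl] of tokens) {
    out = out.replace(new RegExp(`\\b${escapeRegex(needle)}\\b`, 'gi'), repl);
  }
  return out;
}

// Layer 2: sweep for identifier shapes the record did not know about.
function maskPatterns(text) {
  let out = text;
  for (const { label, re } of PATTERNS) out = out.replace(re, `[${label}]`);
  return out;
}

function stripPHI(text, patient) {
  return maskPatterns(maskFromRecord(text, patient));
}

function demo() {
  // Constructed patient record and transcript; not a real call.
  const patient = { id: 'p_2001', fullName: 'Jane Example', dob: '1990-04-12', phone: '416-555-0100' };
  const transcript = 'Hi, this is Jane Example, born 1990-04-12. Call me back at 416-555-0100 ' +
    'or my husband at (647) 555-0199. My card ends 4242 4242 4242 4242. Email jexample90@mail.test.';
  return stripPHI(transcript, patient);
}
```

The record-driven layer is the part that actually earns trust: it catches the identifiers that matter most for this patient exactly, without relying on a regex to recognise a name. The pattern sweep is a safety net with known gaps (nicknames, street addresses, a spouse's name spoken in passing), which is why the page pairs masking with a privacy impact assessment for any cross-border call rather than treating masking alone as de-identification.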
Automated decision disclosure
Quebec Law 25 requires plain-language disclosure before any automated step that affects a person. The AI front desk opens every call with this disclosure, and the dashboard logs whenever automated scoring (for example the noShowRisk score) influenced a decision.
No training on identifiable PHI
Delam never trains or fine-tunes models on identifiable PHI without explicit, scoped, revocable patient consent. The default assumption is zero PHI in any training corpus, full stop.
Human review for consequential decisions
Final clinical diagnoses, prescriptions, marketing audience lists, and law-enforcement PHI requests are never produced by AI without human review. The AI drafts; a licensed professional signs.
People also ask
Security, answered.
- Is Delam HIPAA compliant?
- Delam is architected to HIPAA standards today: AES-256-GCM field-level encryption at rest, TLS 1.3 in transit, role-based access control, audit logging on every PHI read and write, and Business Associate Agreements available on request. Formal HIPAA attestation plus SOC 2 Type II land Q2 2026, ahead of the US enterprise rollout. PIPEDA, Quebec Law 25, and Ontario PHIPA are live today.
- Where is my clinic's patient data stored?
- Patient data lives in Canada. Postgres runs in AWS ca-central-1 (Montreal). Files, including before/after photos, sit in a private Supabase bucket in Toronto. Backups, the audit ledger, and search indexes all stay inside Canadian borders. Any cross-border transfer, for example to a US-hosted AI inference service, requires a documented privacy impact assessment and direct identifiers are stripped before the request leaves our infrastructure.
- Who has access to my clinic's data?
- Only staff you invite, scoped to permissions you assign. Delam uses dot-notation role-based access control (for example clients.view, clients.phone.view, payroll.export) enforced on the backend, frontend, and audit log. Delam engineers do not have production database access by default; any break-glass access is logged, ticketed, and disclosed to the clinic. Raw phone numbers require a separate clients.phone.view permission that most roles do not hold.
- What happens if there's a data breach?
- Quebec Law 25 requires notification with diligence and PIPEDA as soon as feasible; neither sets a fixed deadline, so Delam treats 72 hours as the internal escalation clock. Affected clinics are notified first, then patients, then the Office of the Privacy Commissioner of Canada and the Commission d'accès à l'information du Québec where applicable. Delam ships the notification workflow built in, a prewritten patient notice template, a breach register retained two years, and a designated privacy officer on file.
- Can I get a SOC 2 report or Business Associate Agreement?
- SOC 2 Type II and HIPAA attestation land Q2 2026. A Business Associate Agreement is available on request for US clinics that need BAA coverage before formal attestation lands. Canadian clinics can be PIPEDA, Law 25, and PHIPA compliant with Delam today without waiting on SOC 2. Email [email protected] for the current security package, including penetration test summary and sub-processor list.
― Related
- Canada hub
PIPEDA, PHIPA, Quebec Law 25 compliant by default.
- Medspa EMR
PHI-grade records with field-level encryption and audit logging.
- Consent forms
Revocable, bilingual, per-appointment, seven-year audit trail.
- AI front desk
Law 25 disclosure on every call, PHI stripped before prompts.
- About Delam
Built in Canada for the membership era of aesthetic medicine.
Talk to security
Evaluate Delam with your compliance team.
Request the security package, including penetration test summary, sub-processor list, and BAA template. Or preview your branded app in two minutes.
