Privacy and Security Policy
At CHIME Technology, we are committed to protecting the privacy, confidentiality, and security of patient health information (PHI) accessed through our services. We understand the sensitive nature of PHI and are dedicated to supporting our clients—Canadian medical clinics—in maintaining the integrity and confidentiality of their data.
1. Our Role and Responsibilities
CHIME Technology provides:
Onsite hardware sales and installation.
Locally installed software solutions used by clinic staff.
Ongoing consulting, custom development, technical support, hardware maintenance, and system management.
While we facilitate and support clinic operations through our products and services, all PHI remains under the direct custody and control of the medical clinic at all times.
2. Data Residency and Access
In the ordinary course:
All software and patient data is stored locally onsite at the clinic, on clinic-owned hardware.
Our staff may access the clinic’s system remotely for support and management purposes, only with client authorization.
We do not copy, transfer, or store PHI on our own servers or devices.
Any access to PHI is incidental to our role in system maintenance and troubleshooting and is governed by strict privacy and confidentiality obligations. Our employees comply with all requirements of the customer and temporarily access such data only if necessary to discharge their obligations and do not copy or retain any such data, for any purpose, under any circumstances.
By design, customer usage data is not backed up, nor retained within our company’s records.
By design, personal health information is not backed up, nor retained within our company’s records.
3. Security Measures
To ensure the safety and integrity of your data, we employ commercially reasonable practices, including the following:
Remote access is secured via encrypted SSH or similar secure channels.
Administrative accounts used for remote access are controlled, monitored, and restricted to authorized personnel.
We dispose of and destroy any unnecessary data as soon as possible.
We do not discuss or display such data in an environment where it may be viewed or overheard by unauthorized individuals.
We identify such information as sensitive to all recipients by labeling it “Sensitive,” by providing training to personnel that explicitly mentions the classification, or by similar means.
We follow industry best practices in software security, including regular updates, access controls, and audit logs.
4. Privacy Commitments
We strive to comply with all applicable privacy laws, including the Personal Health Information Protection Act (PHIPA) of Ontario.
All staff and consultants with potential access to PHI are bound by confidentiality agreements and receive training on data privacy.
We work with clinics to support their own privacy compliance efforts and offer guidance on secure system configuration.
5. Client Control and Consent
Clinics retain full control over their systems and may limit or revoke our access at any time.
We operate strictly under the direction of the clinic and will never access or use PHI for any purpose other than delivering authorized services.
Should any non-routine transfer or backup of PHI be required (e.g., during data recovery), it will only be done with explicit consent and proper safeguards.
6. Breach Notification and Incident Response
In the unlikely event of unauthorized access or data compromise:
We will notify the clinic immediately upon discovery.
We will assist with investigation, remediation, and reporting obligations as required under PHIPA and other applicable laws.
We continuously evaluate and improve our privacy and security protocols to reduce risk.
Last updated: April 5, 2022
Contact Us
For questions or concerns about our privacy and security practices, please contact:
1 (833) 891-1203
Chime Technology Inc.
418 Eglinton Ave West, Suite 202
Toronto ON, Canada, M5N 1A2