Rivet is designed to be consistent with Canada’s Personal Information
Protection and Electronic Documents Act (PIPEDA) and Ontario’s Personal
Health Information Protection Act (PHIPA). Rivet acts as your agent
under PHIPA s.2 — handling client information on your behalf, under your
direction.

Your role and Rivet’s role
PHIPA and Rivet
The legal characterization. Rivet as agent + electronic-service provider.
Where each piece of law fits.
Your role as custodian
What being a health information custodian means in practice — and what
Rivet does on your behalf.
The Data Processing Agreement
The agreement you accept when you sign up. What it covers, who the
sub-processors are, what changes when you cancel.
Client data handling
What Rivet stores about your clients, retention defaults, and your
client’s right to deletion.
Voicemail in Canada
Voicemail audio and transcription run on Canadian hardware. What that
means precisely, and where the database actually lives.

Safeguards and incident response
Encryption
HTTPS everywhere, AES-256 at rest, biometric-locked sessions, WebRTC
DTLS-SRTP for video.
Audit logging
The append-only log that records who touched what, and why metadata is
all that goes in it.
Breach response
The five phases. Who Rivet notifies. How Rivet helps you meet your own
notification obligations.
Measurement vs. clinical content
The line between what Rivet captures and what belongs in your EHR — and
why that line is the whole point.
Practitioner security
The handful of habits that keep your account, your sign-in email, and
your device honest.
