Healthcare organizations across Ontario trust Cyberimpact to communicate securely with patients, members, staff, and stakeholders through a platform designed with strong security and privacy safeguards.
Cyberimpact supports organizations that are subject to Ontario's Personal Health Information Protection Act, 2004 (PHIPA) by maintaining administrative, technical, and organizational safeguards designed to protect personal health information and support privacy compliance obligations.
While this page focuses on PHIPA, Cyberimpact also supports healthcare organizations across Canada, including organizations subject to Alberta's Health Information Act (HIA), Saskatchewan's Health Information Protection Act (HIPA), various provincial Personal Health Information Acts (PHIA), and the Personal Information Protection and Electronic Documents Act (PIPEDA). Cyberimpact maintains safeguards designed to help healthcare organizations protect personal health information and support their privacy and security obligations under applicable Canadian privacy legislation.
While PHIPA compliance ultimately depends on how each organization uses and governs its own processes and data, Cyberimpact provides security controls and contractual commitments designed to support organizations handling personal health information.
Cyberimpact provides email communication services to healthcare organizations and processes information on behalf of its customers in accordance with applicable agreements and customer instructions.
Healthcare organizations remain responsible for determining how personal health information is collected, used, disclosed, transmitted, and retained in accordance with PHIPA and other applicable laws and regulations.
Cyberimpact does not determine the purpose or appropriateness of the information customers choose to collect, store, or transmit through the platform.
Cyberimpact maintains security practices designed to support healthcare organizations in protecting personal health information in accordance with PHIPA's requirements for safeguards, confidentiality, and information security.
Our approach includes:
Encryption in transit and at rest
Role-based access controls
Multi-factor authentication for internal systems
Security monitoring and logging
Regular penetration testing and security assessments
Incident response and security management procedures
Vendor and infrastructure security reviews
Access management and least-privilege practices
Secure hosting infrastructure
Employee security awareness training
Formal privacy and security policies
Our security and governance practices are continuously reviewed as part of our broader commitment to protecting customer data and maintaining platform integrity.
SOC 2 Type 2
Encryption via TLS 1.2/1.3 and AES-256
Multi-factor authentication (MFA)
Data hosted in Canada
Web Application Firewall (WAF)
DDoS protection
Daily encrypted backups
Compliance with Law 25, PIPEDA, GDPR, CASL
Protecting your data is at the heart of everything we build. Explore how Cyberimpact manages information security, handles incidents, shares responsibilities with its customers, and supports compliance with Canadian privacy requirements.
Cyberimpact maintains a comprehensive information security program designed to support the confidentiality, integrity, and availability of customer data.
Key components of our program include:
Cyberimpact maintains documented procedures for identifying, investigating, managing, and responding to security and privacy incidents.
Our incident management processes include:
Where required by contract or applicable law, customers will be notified of incidents affecting their information.
Cyberimpact evaluates vendors and service providers that support the delivery of its services through security and risk assessment processes.
Where appropriate, service providers are subject to contractual, security, confidentiality, and privacy requirements designed to protect customer information and support Cyberimpact's security program.
Access to customer information is restricted to authorized personnel with a legitimate business need and governed by applicable security controls.
Protecting personal health information is a shared responsibility between Cyberimpact and its customers.
Cyberimpact provides safeguards and operational controls designed to support the protection of personal health information. Customers remain responsible for:
To help protect personal health information and reduce privacy risks, Cyberimpact recommends that customers:
Upon request and subject to appropriate confidentiality protections, Cyberimpact may provide additional security and compliance documentation, including:
Organizations seeking additional information may contact our team to discuss their security, privacy, and compliance requirements.
Cyberimpact is a Canadian company and operates its platform from infrastructure located in Canada.
Customer data is hosted in Canadian data centres, helping organizations address data residency considerations and supporting compliance with Canadian privacy requirements.
PHIPA does not provide a formal certification program.
Cyberimpact does not claim certification under PHIPA. Instead, Cyberimpact maintains administrative, technical, and organizational safeguards designed to support healthcare organizations in protecting personal health information and meeting their privacy obligations.
Compliance with PHIPA ultimately depends on how each organization configures, uses, and governs its own environment, processes, and data.
No. PHIPA does not provide a certification program. Cyberimpact maintains safeguards designed to support organizations that are subject to PHIPA requirements.
Yes. Customer data is hosted in Canadian data centres.
Yes. Additional documentation, including SOC 2 Type II reports and other security materials, may be available upon request and subject to appropriate confidentiality protections.
Many healthcare organizations use Cyberimpact to communicate with patients, members, staff, and stakeholders. Organizations remain responsible for determining the appropriateness of the information they choose to transmit and for complying with applicable legal and regulatory requirements.
Yes. Our team regularly works with healthcare organizations to address privacy, security, procurement, and compliance questions.
Questions about PHIPA, healthcare use cases, privacy requirements, or security practices?
Contact our team to discuss your organization's privacy, security, and compliance requirements.
Cyberimpact provides a set of documents intended for security, compliance, and IT governance teams.
Due to their sensitive nature, some documents require the signing of a non-disclosure agreement (NDA).
To obtain a document subject to an NDA, please complete the form below.
(sensitive information)
Cyberimpact PHIPA Readiness & Security Overview
Provides an overview of the administrative, technical, and organizational safeguards implemented to support organizations subject to PHIPA and other Canadian healthcare privacy laws.
Cyberimpact’s HIPAA Security Practices
Overview of the key administrative, technical, and organizational measures implemented to support organizations subject to HIPAA requirements.
Business Associate Agreements (BAA)
Agreement governing the handling of Protected Health Information (PHI) in accordance with HIPAA requirements.
System Security Plan (SSP)
Structured description of our architecture, controls, processes, and security operating model.
GDPR Compliance Assessment
Analysis of practices related to the management of personal data and their alignment with GDPR.
Technical architecture (high-level diagram)
Overview of the service architecture, including main components, data flows, and the overall organization of the system.
HECVAT lite 2.11
Standardized security and privacy assessment questionnaire (Higher Education Community Vendor Assessment Toolkit), used by educational institutions to assess risks related to technology service providers.
VPAT 2.5 (Accessibility)
Declares the level of compliance of our platform in terms of digital accessibility.
SOC 2 Type 2 Summary Letter
Summarizes the SOC 2 attestation without disclosing sensitive information.
Privacy Policy
Presents our practices for managing and protecting personal information.
Anti-spam Policy
Explains the mechanisms put in place to comply with Canadian anti-spam legislation.
Terms and Conditions
Describes contractual obligations, responsibilities, and limitations of service use.
To obtain one of our official documents available under NDA, such as our full SOC 2 report, our SSP, our GDPR assessment, or our VPAT, please complete the form below.
We invite you to provide the necessary information to allow us to process your request efficiently and provide you with documents tailored to your context.
We generally respond to requests within 3 to 5 business days*.
*Cyberimpact reserves the right not to respond to a request deemed not relevant or insufficiently justified in order to protect the confidentiality of sensitive information.