Trust Center

Security, privacy and compliance

Bio6 encrypts protected health information (PHI) at rest (AES-256) and in transit (TLS 1.3), keeps clinical attachments and public assets in two separate storage stores, redacts PHI from logs before they are written, and documents every cross-border transfer under Loi 25 art. 17.

Privacy Officer (Personne responsable de la protection des renseignements personnels, i.e. the person in charge of the protection of personal information, RPRP)

Per Loi 25 art. 8 and the public-disclosure requirement of art. 3.1, Bio6 designates:

Name: John-Frederick Davidson
Title: Privacy Officer (RPRP)
Email: Privacy@bio6health.com
Access & rectification requests (DSAR): Privacy@bio6health.com
Mailing address: [mailing address — to be added]

Certifications & attestations

Each row either links to public evidence or carries its current status (in review, in progress, not started) with a target date. Full audit reports are available under NDA; see the Audit artifacts section.

Snapshot: 2026-05-07. Source of truth: internal compliance register (Bio6_App).

Achieved (2)

Item | Jurisdiction | Target / achieved | Notes
Privacy Officer (RPRP) designated | QC — Loi 25 art. 8 | 2026-04-26 | Mandate signed 2026-04-28.
MSSS CGGSI Crosswalk | QC — MSSS | 2026-04-28 | PDF on file.

In review (1)

Item | Jurisdiction | Target / achieved | Notes
CyberSecure Canada (CCCS) | Canada — CCCS | 2026-09-30 | Submission filed 2026-04-29.

In progress (5)

Item | Jurisdiction | Target / achieved | Notes
Loi 25 program (PIA, DSAR, breach, retention, cross-border) | QC — Loi 25 | 2026-08-31 | PIA-2026 signed; per-sub-processor cross-border PIA in progress.
PIPEDA alignment | Canada | 2026-08-31 | Tracks the Loi 25 program.
HIPAA Security Rule mapping | US — HHS | 2026-07-31 | Checklist in repo; SSP underway.
SOC 2 Type I | International — AICPA | 2026-10-31 | Readiness package filed 2026-04-29.
External penetration test (clinical app + auth-proxy + Blob) | Bio6 — internal | 2026-09-30 | Required for SOC 2 + HITRUST.

Not started (8)

Item | Jurisdiction | Target / achieved | Notes
WCAG 2.1 AA audit + VPAT | International — W3C | 2026-09-30 | Required for Quebec public-sector procurement.
Public FHIR R4 CapabilityStatement + Inferno conformance | International — HL7 | 2026-10-31 | /api/fhir/metadata already returns v1.2.0; Inferno run pending.
TGV (BCH) — file opened, criteria grid requested | QC — public health network | 2026-09-30 | Quebec public-network gating cert.
ISO 27799 (health) gap assessment | International — ISO | 2026-12-31 | Stepping stone to ISO 27001.
Canadian Baseline FHIR IG (CA Core+) | Canada — Infoway | 2026-12-31 | Required for Canadian health-network integration.
HITRUST e1 | US — HITRUST | 2027-02-28 | Highest-signal healthcare cert at our stage.
TGV — evaluation cycle | QC — public health network | 2027-Q2 | Eligibility for Quebec health-network contracts.
SOC 2 Type II | International — AICPA | 2027-04-30 | Starts after Type I + 6 months of evidence.

Sub-processor register

Mandatory disclosure under Loi 25 art. 17. Public list — internal columns (contract numbers, BAA signature dates) are excluded.

Sub-processors used by Bio6, with processing region and agreement status.
Vendor | Service | Data category | Processing region | DPA / BAA | Cross-border PIA
Supabase | PostgreSQL DB, Auth, Storage | PHI (encrypted at rest) | US-East-1 | DPA on file; BAA available, pending counter-sign | Documented (PIA-2026)
Vercel | Edge hosting + runtime | Request bodies in transit | Global edge | DPA on Enterprise; BAA pending | Documented (PIA-2026)
Vercel Blob (private + public) | File storage — clinical attachments (private), logos / exercises (public) | PHI (private store only) | US | Bundled with Vercel | Documented (PIA-2026)
OpenAI | LLM — note summarization, AI scribe | PHI when invoked (ZDR + BAA path) | US | DPA available; BAA + ZDR pending | Documented (PIA-2026)
Anthropic | LLM — Claude API | PHI when invoked (ZDR + BAA path) | US | DPA available; BAA + ZDR pending | Documented (PIA-2026)
SendGrid | Transactional email | Patient name + email in templates | US | DPA available; BAA pending | Documented (PIA-2026)
Twilio | SMS / voice | Phone, appointment metadata | US | DPA available; BAA pending | Documented (PIA-2026)
Upstash | Redis — rate-limit, cache | Keys only, no PHI | US/EU | DPA needed if keys hash PHI | N/A
Stripe | Billing — clinic-level only | No PHI | US | DPA on file | N/A
Google Workspace (Calendar) | Read-only calendar overlay (clinician-initiated OAuth) | No PHI flows TO Google | Global (Google) | Per-clinic — each connecting clinic must hold its own Workspace BAA | Per-clinic Workspace DPA

List refreshed quarterly. Material changes notified to active customers with 30 days' notice. Source of truth: internal vendor register, last reviewed 2026-04-26, next review 2027-04-26.

Encryption & data architecture

The full document is kept internal. Public summary:

  • All client traffic served over TLS 1.3; HSTS enforced on production domains.
  • PHI at rest is encrypted with AES-256 — databases, backups, and private storage.
  • Keys are managed by infrastructure providers (Supabase, Vercel); rotation per provider standards.
  • Private store for clinical attachments (PHI); separate public store for assets (logos, exercise videos) — no overlap.
  • No PHI in URLs or application logs; server-side redaction before write.
  • Audit logs retained per HIPAA Security Rule §164.312(b) and the Loi 25 retention schedule — specifics under NDA.
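The "no PHI in URLs or application logs; server-side redaction before write" control above is the one most often verified in procurement, so here is an added example of how such a redaction pass can be built. It is illustrative code, not Bio6's logger: the log schema (which keys are PHI, which are machine-generated passthroughs), the RAMQ/email/phone patterns and the sample record are all assumptions. The design points it shows are that PHI is dropped by key before any pattern matching, that URL query values and path segments are scanned as well, and that there is a single write path that takes a record rather than a pre-formatted string, so redaction cannot be bypassed by interpolating PHI upstream.

```typescript
// Added example, not Bio6 code: a server-side redaction pass that every log
// record goes through before it is serialized and written, so PHI never reaches
// the log sink. Field names, patterns and the sample record are constructed
// assumptions about the application's log schema.

type LogRecord = { [key: string]: unknown };

// Keys whose values are PHI in this hypothetical schema: the value is dropped
// outright, whatever it contains (key match is case-insensitive).
const PHI_KEYS: { [key: string]: true } = {
  patientname: true, firstname: true, lastname: true, dob: true,
  dateofbirth: true, ramq: true, healthnumber: true, email: true,
  phone: true, address: true, note: true, notes: true,
};

// Keys copied through untouched: machine-generated, never user-supplied.
const PASSTHROUGH_KEYS: { [key: string]: true } = { ts: true, level: true, requestid: true };

// Value patterns scanned in every remaining string, including free-text messages
// and URL paths. RAMQ (Quebec health insurance) numbers are four letters followed
// by eight digits, usually printed as 4-4-4. Order matters: the RAMQ pattern runs
// first so its digit groups are not mis-read as a phone number.
const PATTERNS: Array<[RegExp, string]> = [
  [/\b[A-Z]{4} ?\d{4} ?\d{4}\b/g, "[RAMQ]"],
  [/[\w.+-]+@[\w-]+\.[\w.-]+/g, "[EMAIL]"],
  [/\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g, "[PHONE]"],
];

const MAX_DEPTH = 8; // guard against cyclic or pathological nesting

function redactString(s: string): string {
  let out = s;
  for (const [re, label] of PATTERNS) out = out.replace(re, label);
  return out;
}

function safeDecode(v: string): string {
  try { return decodeURIComponent(v); } catch { return v; }
}

// Request paths: query values under PHI keys are dropped, and the path plus the
// remaining values are pattern-scanned (a card number in a path segment is still
// PHI in a URL).
function redactPath(path: string): string {
  const parts = path.split("?");
  const cleanPath = redactString(parts[0]);
  if (parts.length < 2) return cleanPath;
  const pairs = parts.slice(1).join("?").split("&").map((kv) => {
    const i = kv.indexOf("=");
    const k = i < 0 ? kv : kv.slice(0, i);
    const v = i < 0 ? "" : kv.slice(i + 1);
    if (PHI_KEYS[k.toLowerCase()]) return k + "=[REDACTED]";
    return k + "=" + redactString(safeDecode(v));
  });
  return cleanPath + "?" + pairs.join("&");
}

function redactValue(v: unknown, isUrl: boolean, depth: number): unknown {
  if (typeof v === "string") return isUrl ? redactPath(v) : redactString(v);
  if (v === null || typeof v !== "object") return v; // numbers, booleans, undefined
  if (depth >= MAX_DEPTH) return "[TRUNCATED]";     // never write the raw object
  if (Array.isArray(v)) return v.map((x) => redactValue(x, false, depth + 1));
  return redactRecord(v as LogRecord, depth + 1);
}

function redactRecord(rec: LogRecord, depth: number = 0): LogRecord {
  const out: LogRecord = {};
  for (const k of Object.keys(rec)) {
    const key = k.toLowerCase();
    if (PHI_KEYS[key]) out[k] = "[REDACTED]";
    else if (PASSTHROUGH_KEYS[key]) out[k] = rec[k];
    else out[k] = redactValue(rec[k], key === "path" || key === "url", depth);
  }
  return out;
}

// The single write path: callers hand over a record, never a pre-formatted line,
// so redaction cannot be bypassed by string interpolation upstream. The sink is
// injected; production would pass the real transport, here lines go to memory.
const LOG_LINES: string[] = [];
function writeLog(rec: LogRecord, sink: (line: string) => void = (l) => { LOG_LINES.push(l); }): string {
  const line = JSON.stringify(redactRecord(rec));
  sink(line);
  return line;
}

// Constructed sample: what a careless handler might try to log.
const SAMPLE: LogRecord = {
  ts: "2026-05-07T14:03:11Z",
  level: "info",
  requestId: "req_8f1c",
  msg: "Note saved, contact marie.tremblay@example.com, card TREM 6512 2305",
  path: "/api/patients/search?ramq=TREM65122305&q=tremblay&page=2",
  patientName: "Marie Tremblay",
  meta: { phone: "514-555-0142", clinicId: "clinic_42" },
};

function redactSample(): LogRecord {
  return redactRecord(SAMPLE);
}

writeLog(SAMPLE);
```

The pattern list is a backstop, not the primary control: a patient name inside a free-text `msg` cannot be caught by a regex, so the rule that makes this work is to log structured fields and identifiers (and let the key denylist drop them) rather than interpolating PHI into messages. Adding a pattern that is too broad (for example every `YYYY-MM-DD` date) would also redact legitimate timestamps, which is why machine-generated keys are passed through explicitly.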

Full document (under NDA)

Vulnerability disclosure

Bio6 welcomes responsible vulnerability reports. Researchers who follow our policy are covered by safe harbor.

Public bug-bounty program coming Q3 2026.

Audit artifacts

Available under NDA — request from security@bio6health.com. Copies are not hosted on this public site.

  • MSSS CGGSI Crosswalk (2026-04-28)
  • CyberSecure Canada Submission Package (2026-04-29)
  • SOC 2 Type I Readiness Package (2026-04-29)
  • Certification Status Report (2026-04-28)


Procurement FAQ

Answers drawn from typical Quebec health-IT RFP grids. Subject to counsel review before final publication.

  • Where is patient data stored?
    US-East-1 via Supabase and Vercel Blob. A cross-border PIA is documented (PIA-2026) for every sub-processor that handles PHI, per Loi 25 art. 17.
  • What is your breach-notification timeline?
    72 hours to the Commission d'accès à l'information (CAI) under Loi 25. Notification to the OPC if there is a real risk of significant harm under PIPEDA. Affected individuals notified as soon as practicable.
  • Do you sign DPAs / BAAs?
    Yes. DPA template available and BAA available — contact security@bio6health.com for per-customer status.
  • How often do you penetration test?
    Annual external penetration test. Next is targeted for 2026-09-30 as part of the SOC 2 program.
  • How long are audit logs retained?
    Per HIPAA Security Rule §164.312(b) and the Loi 25 retention schedule. Per-deployment specifics available under NDA.
  • Do employees pass background checks?
    Yes — pre-employment criminal record check and reference check.
  • How are sub-processor changes communicated?
    30 days' written notice to active customers before any material change to the sub-processor register.
  • What happens to data when a contract ends?
    Export available in standard formats (CSV, FHIR R4); certificate of destruction issued within 30 days of contract end.
  • Are you Loi 25 compliant?
    Yes. Privacy Officer designated, PIA-2026 signed, per-sub-processor cross-border PIA, public sub-processor register, retention schedule documented.
  • Do you support the Dossier Santé Québec (DSQ)?
    Not yet. On the roadmap, targeted for Q1 2027.
Last refreshed: 7 May 2026. Manually maintained until the live Notion register integration.

Procurement contact: security@bio6health.com

Detailed roadmap (under NDA, @bio6health.com accounts): https://docs.bio6health.com/conformity/roadmap