Where your data lives
Your health records are stored in Canada. Patient databases and uploaded documents are held in Google Cloud regions in Montréal and Toronto (northamerica-northeast1 and northamerica-northeast2).
Some processing happens outside Canada: our serverless functions, application hosting, and AI features currently run in United States regions, under our business associate agreements and with provider data-logging disabled. So while your data is stored in Canada, it may be processed in the US today. We’re working to bring more processing into Canadian regions as our providers support them. You can see exactly where each provider operates on our Subprocessors page.
Who is responsible for what
Coldstream follows a shared-responsibility model:
- The clinician or clinic is the custodian of patient information — the “health information custodian” or “covered entity” under applicable law. They remain responsible for lawful collection, patient consent, and who on their team has access.
- Coldstream processes that information on the clinic’s behalf, as a service provider, and is responsible for the security of the platform.
How we protect it
We take reasonable administrative, physical, and technical measures to help protect personal information against loss, theft, and unauthorized access:
- Encryption in transit and at rest, managed by Google Cloud.
- HIPAA-eligible services only, with non-eligible analytics disabled.
- Access controls (authenticated, least-privilege) and audit logging of access to sensitive records.
What we will never do
- We do not sell or rent your personal information, and we do not share it for others’ advertising or marketing.
- We do not use your data to train AI models. AI that processes health information runs only under our providers’ data-protection terms — Google’s Cloud Data Processing Addendum for Vertex AI, and a business associate agreement with OpenAI (zero-retention).
If something goes wrong
If a privacy breach affecting information under our care occurs, we will notify the affected custodian(s) without undue delay and cooperate with any mandatory reporting to the relevant privacy authority (for example, under PIPEDA and BC PIPA).
Questions
Our privacy contact is Brett Poulin — contact@coldstream.info.