Compliance matrix
Clause-by-clause, framework-by-framework
Privacy officers, general counsel, and InfoSec teams need to see specifics, not marketing language. Below is the current posture across the frameworks healthcare buyers actually evaluate. Updated each release.
| Obligation | Details | PHIPA (ON) | Law 25 (QC) | PIPEDA (CA) | PIPA (BC/AB) | HIPAA (US) | GDPR (EU/UK) | HITRUST | SOC 2 Type II |
|---|---|---|---|---|---|---|---|---|---|
| Lawful basis / explicit consent | Voluntary participation; granular consent for personal results, aggregate inclusion, and EAP contact captured separately at provisioning. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ⊙ |
| Data minimization | On-device biometric processing; only derived numerical scores leave the device. No video upload or storage. Audit log records actor/category/scope, never individual scores. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ⊙ |
| Right to access / delete / portability | Self-service data export and deletion via account settings; tenant-level admin can request institution-scoped purge with provenance retained for 90 days. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ⊙ |
| Encryption in transit / at rest | TLS 1.3 in transit. AES-256 at rest via managed Supabase infrastructure. Per-tenant key separation on the roadmap. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ⊙ |
| Breach notification | Confirmed security incidents notified to Customer within 72 hours. Audit fix (2026-04-29): notification template + runbook are in progress; status downgraded from "aligned" pending the documented runbook. | ◐ | ◐ | ◐ | ◐ | ◐ | ◐ | ◐ | ⊙ |
| Data residency | Canadian-residency option via Canadian-region Supabase + storage. US and EU residency available on Enterprise tier. Per-tenant override at hospital level. | ✓ | ✓ | ✓ | ✓ | n/a | ✓ | ✓ | n/a |
| BAA / DPA / Acceptable Use Policy | DPA template available on request; AUP contractually prohibits performance / hiring / credentialing / discipline / underwriting use of GRW data. Audit fix (2026-04-29): HIPAA Business Associate Agreement template + Security Rule risk analysis are in progress; HIPAA cell downgraded from "aligned" pending these artifacts and a signed BAA with Modal (the GPU sub-processor). | ✓ | ✓ | ✓ | ✓ | ◐ | ✓ | n/a | n/a |
| Audit log + access control | RBAC with 7 named roles, scope-bound role assignments, append-only audit log. RLS on every individual-data table. Subtraction-attack mitigation via tiered n-minimum (5 / 10 / 20). | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Sub-processor disclosure | Sub-processor list maintained in the procurement bundle. Material changes require 30-day notice and right to terminate. Audit fix (2026-04-29): Modal (US GPU inference for large clips) is being added to the /legal sub-processor list; status downgraded to in progress for GDPR / HIPAA pending publication and the Modal Article 28 / BAA execution. | ✓ | ✓ | ✓ | ✓ | ◐ | ◐ | ◐ | ⊙ |
| Vulnerability management / pentest | Annual third-party penetration test. SCA + SAST in CI on every PR. Critical CVEs patched within 7 days; high CVEs within 30. | n/a | n/a | n/a | n/a | ◐ | n/a | ◐ | ◐ |
| SOC 2 Type II attestation | In progress with external auditor. Attestation letter shared in procurement bundle on request. | n/a | n/a | n/a | n/a | ⊙ | n/a | ⊙ | ◐ |
| HITRUST certification | CSF v11 controls inventory mapped; certification scheduled post-SOC 2. | n/a | n/a | n/a | n/a | ⊙ | n/a | ◐ | n/a |
| Right to object / opt-out (automated decision-making) | GRW does not perform individual-level automated decisions affecting employment, benefits, or care. AUP contractually prohibits such use by Customer. | n/a | ✓ | ✓ | n/a | n/a | ✓ | n/a | n/a |
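The "Audit log + access control" row names a subtraction-attack mitigation via a tiered n-minimum. The example below, added here and not GRW's own code, shows the risk that control addresses and one way to enforce it: an aggregate endpoint that honours arbitrary filters lets two "aggregate" answers be subtracted to isolate one person's score, whereas a guarded endpoint serves averages only for named scopes, refuses cohorts below the tier minimum, and also refuses when the remainder of the parent scope would fall below it. The mapping of the 5 / 10 / 20 tiers to team / department / institution, the record fields, and the sample data are all assumptions made for the illustration; the page states only the three thresholds.

```python
"""Minimum-cohort guard for aggregate scores (added example, not GRW code)."""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    user_id: str
    team: str
    department: str
    score: float  # derived numerical score; the only per-person value stored


# Constructed sample: one department, two teams; "beta" has only two members.
SAMPLE = [
    Record("u01", "alpha", "cardiology", 62.0),
    Record("u02", "alpha", "cardiology", 70.0),
    Record("u03", "alpha", "cardiology", 55.0),
    Record("u04", "alpha", "cardiology", 80.0),
    Record("u05", "alpha", "cardiology", 66.0),
    Record("u06", "alpha", "cardiology", 74.0),
    Record("u07", "alpha", "cardiology", 58.0),
    Record("u08", "alpha", "cardiology", 69.0),
    Record("u09", "beta", "cardiology", 48.0),
    Record("u10", "beta", "cardiology", 91.0),
]

# Assumed tier-to-scope mapping; the page gives the thresholds, not the scopes.
N_MIN = {"team": 5, "department": 10, "institution": 20}
PARENT = {"team": "department", "department": "institution", "institution": None}


def cohort(records: List[Record], scope: str, value: Optional[str]) -> List[Record]:
    """Members of a named scope. 'institution' means every record in the tenant."""
    if scope == "institution":
        return list(records)
    return [r for r in records if getattr(r, scope) == value]


def unguarded_mean(records: List[Record]) -> Optional[float]:
    """Aggregate endpoint with no cohort minimum: any caller-chosen filter is honoured."""
    return mean(r.score for r in records) if records else None


def differencing_attack(records: List[Record], target_id: str) -> float:
    """Recover one person's score from two answers of the unguarded endpoint:
    n * mean(all) - (n - 1) * mean(all except target) == target's score."""
    n = len(records)
    everyone = unguarded_mean(records)
    rest = unguarded_mean([r for r in records if r.user_id != target_id])
    return round(n * everyone - (n - 1) * rest, 6)


def guarded_mean(records: List[Record], scope: str, value: Optional[str]) -> Optional[float]:
    """Serve an average only for a named scope, and only when (a) the cohort meets
    the tier minimum and (b) the rest of the parent scope is either empty or also
    meets it, so parent-minus-child cannot isolate a small remainder."""
    members = cohort(records, scope, value)
    n_min = N_MIN[scope]
    if len(members) < n_min:
        return None  # cohort too small for this tier
    parent_scope = PARENT[scope]
    if parent_scope is not None:
        parent_value = None if parent_scope == "institution" else getattr(members[0], parent_scope)
        remainder = len(cohort(records, parent_scope, parent_value)) - len(members)
        if 0 < remainder < n_min:
            return None  # parent aggregate minus this one would expose the remainder
    return round(mean(r.score for r in members), 6)


def audit_entry(actor: str, scope: str, value: Optional[str], served: bool) -> dict:
    """Audit record in the shape the page describes: actor, category and scope, no scores."""
    return {"actor": actor, "category": "aggregate_query", "scope": scope,
            "scope_value": value, "served": served}


if __name__ == "__main__":
    print("unguarded: u10 recovered =", differencing_attack(SAMPLE, "u10"))
    for scope, value in [("department", "cardiology"), ("team", "alpha"),
                         ("team", "beta"), ("institution", None)]:
        result = guarded_mean(SAMPLE, scope, value)
        print(scope, value, "->", result, audit_entry("analyst@example", scope, value, result is not None))
```

Note that the team "alpha" average is refused even though alpha has eight members: serving it alongside the department average would let a reader subtract the two and learn the mean of beta's two members. A guard like this addresses single-snapshot differencing only; membership changes between releases (someone joining or leaving a team) reopen the same arithmetic across time, which is why fixed scopes, minimum cohorts and the audit log need to work together rather than any one of them alone.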
What “Aligned” actually means
Architectural controls, contractual commitments, and operational practice are in place today. Reviewable in the procurement bundle.
What “In progress” means
Work is underway with a defined target date. We share status letters in the procurement bundle. Material delays trigger Customer notification.
Need the underlying documentation?
The procurement bundle includes the AUP, DPA, BAA template, SOC 2 status letter, validation summary, architecture diagram, and clinical advisory roster. We share under a single-page NDA so we can keep documents current and specific.