Information Manager Services Agreement (Atlantic Canada PHIA-equivalent)
This agreement governs the electronic services Phiusion Labs provides to you, a [ATLANTIC_CUSTODIAN_TERM] in [ATLANTIC_PROVINCE], under the [ATLANTIC_STATUTE_NAME] ([ATLANTIC_STATUTE_CITATION]). It binds you and Phiusion under the [ATLANTIC_STATUTE_SECTION] information-manager-agreement framework of the [ATLANTIC_STATUTE_NAME]. The agreement is specific to your province; if you also practice in another jurisdiction, the Privacy Notice for Practitioners covers your account information across all jurisdictions, and the Privacy Notice for Patients covers patient-facing terms.
You accept this agreement when you sign up as a health professional based in [ATLANTIC_PROVINCE]. A new major version of this agreement requires your acceptance before you can continue using the application; see §12 of the Privacy Notice for Practitioners for the versioning rules.
Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this agreement should be read to suggest that the application performs a regulated clinical function; clinical judgment remains entirely yours under your professional licence.
1. Phiusion's role: Information Manager
Phiusion Labs acts as an information manager to you under the [ATLANTIC_STATUTE_NAME], specifically its [ATLANTIC_STATUTE_SECTION] information-manager-agreement provision. The [ATLANTIC_STATUTE_NAME] describes an information manager as a person or body that, on behalf of a [ATLANTIC_CUSTODIAN_TERM], processes, stores, retrieves, or disposes of [ATLANTIC_PI_TERM], or that provides information-management or information-technology services to a [ATLANTIC_CUSTODIAN_TERM] in respect of [ATLANTIC_PI_TERM]. Phiusion falls within that description for the [ATLANTIC_PI_TERM] you place into the application.
For clarity:
- Phiusion is not a [ATLANTIC_CUSTODIAN_TERM]. The [ATLANTIC_STATUTE_NAME] defines [ATLANTIC_CUSTODIAN_TERM] by reference to an enumerated list — health professionals, health-care facilities, health authorities or comparable bodies, public bodies, and similar entities to which the statute assigns the primary custodial duties. Phiusion is none of these; you are the [ATLANTIC_CUSTODIAN_TERM] of the [ATLANTIC_PI_TERM] records you create inside the application.
- Phiusion is not an agent. The [ATLANTIC_STATUTE_NAME] defines "agent" of a [ATLANTIC_CUSTODIAN_TERM] broadly to include persons who, with the [ATLANTIC_CUSTODIAN_TERM]'s authorization, perform services for the [ATLANTIC_CUSTODIAN_TERM], including under a contract. Although that definition is drafted broadly, the [ATLANTIC_STATUTE_NAME] distinguishes agents (who exercise the [ATLANTIC_CUSTODIAN_TERM]'s own functions inside the [ATLANTIC_CUSTODIAN_TERM]'s program) from external service providers governed by an information-manager agreement under [ATLANTIC_STATUTE_SECTION] of the [ATLANTIC_STATUTE_NAME]; Phiusion is the latter, not the former.
- The [ATLANTIC_STATUTE_SECTION] information-manager-agreement provision applies. That section requires a written agreement between a [ATLANTIC_CUSTODIAN_TERM] and an information manager before [ATLANTIC_PI_TERM] is provided to the manager; the agreement must require the manager's compliance with the [ATLANTIC_STATUTE_NAME] and its regulations, including (where the [ATLANTIC_STATUTE_NAME] expressly so requires) the safeguard, retention, return-or-destruction, and audit duties the statute enumerates. §§4–6 of this agreement are how those duties are operationalized between you and Phiusion. This agreement is the [ATLANTIC_STATUTE_SECTION] information-manager-agreement instrument between you and Phiusion.
This role applies only to [ATLANTIC_PI_TERM] that you, as a [ATLANTIC_CUSTODIAN_TERM] in [ATLANTIC_PROVINCE], place into the application. Phiusion's own administrative records about you (account, billing, support) sit under the Privacy Notice for Practitioners; they are not [ATLANTIC_PI_TERM] under the [ATLANTIC_STATUTE_NAME], although they may be personal information under PIPEDA at the federal level.
Internal documents referenced in this agreement — the Retention Schedule, the Breach Notification Playbook, and the privacy-incident register — are available to regulators and to data subjects on request.
2. Services Phiusion provides
Phiusion supplies the following electronic services to you as a [ATLANTIC_CUSTODIAN_TERM] in [ATLANTIC_PROVINCE]:
- Application hosting. Web application access from the Phiusion domain, including authentication, session management, and user-interface delivery.
- Patient-record storage. Storage of patient profiles, health-background fields, photo sessions, wellness-documentation sessions, and treatment selections that you enter or that the application generates on your behalf.
- Photo storage and processing. Secure object storage for patient photos, including a background-removal preprocessing step performed before storage.
- SkinXS API access. Routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to your workspace for your professional review and curation.
- Telemetry and reliability monitoring. Error reporting, performance counters, and feature-usage signals that allow Phiusion to keep the application running and to investigate problems you report.
- Breach detection. Monitoring for unauthorized access, abnormal query patterns, and credential compromise, plus the incident-response workflow described in the Breach Notification Playbook.
- Backups and restoration. Encrypted database and storage backups, with restoration available on your written request.
Phiusion does not make autonomous clinical decisions, does not generate prescriptions, and does not produce patient-facing output without your curation step. SkinXS suggests; you decide.
3. [ATLANTIC_PI_TERM] handling
Phiusion handles [ATLANTIC_PI_TERM] strictly within the four corners of your [ATLANTIC_CUSTODIAN_TERM] authority. The [ATLANTIC_STATUTE_NAME] limits the use of [ATLANTIC_PI_TERM] to the purpose for which it was collected (or a directly related purpose), and separately limits the disclosure of [ATLANTIC_PI_TERM] to the cases the statute permits; as an information manager, Phiusion's use and disclosure are both narrower still, confined to what you have authorized in this agreement and in any supplemental written instructions.
- Collection. Phiusion collects only [ATLANTIC_PI_TERM] that you, the [ATLANTIC_CUSTODIAN_TERM], choose to enter into the application (or that the application generates on your behalf — for example, SkinXS scores computed from photos you upload). Phiusion does not solicit [ATLANTIC_PI_TERM] from any other source and does not purchase data about your patients.
- Use. Phiusion uses [ATLANTIC_PI_TERM] only to deliver the services in §2 and to discharge Phiusion's information-manager duties under [ATLANTIC_STATUTE_SECTION]. This includes operational uses such as error investigation, capacity planning, and security monitoring. [ATLANTIC_PI_TERM] is not used for marketing, advertising, profiling, or model training without a separate written authorization grounded in patient consent (see the AI Improvement Consent and the Privacy Notice for Patients).
- Disclosure. Phiusion does not disclose [ATLANTIC_PI_TERM] to third parties except to the sub-processors disclosed at Sub-Processors (each acting on documented instructions, see §8) or where legally compelled by a valid [ATLANTIC_PROVINCE] or Canadian instrument. If compelled, Phiusion will, where lawful, give you advance notice so that you may challenge the demand.
- Retention. [ATLANTIC_PI_TERM] is retained for the period you set as [ATLANTIC_CUSTODIAN_TERM]. Phiusion's default retention windows for backups and operational logs are published in the Retention Schedule; if you require shorter retention for a specific dataset, write to privacy@phiusionlabs.app.
- Destruction. When you direct destruction (account closure, a specific deletion request, or end of retention), Phiusion deletes the active record and isolates any backup copy that cannot be targeted-deleted, letting the backup age out under the schedule. A destruction confirmation is available on request.
- No secondary use. Phiusion does not use [ATLANTIC_PI_TERM] for any purpose outside the services in §2 and the [ATLANTIC_STATUTE_SECTION] information-manager duties described in this agreement. Any new use requires your prior written authorization, which you may give or withhold consistent with the use- and disclosure-limits of the [ATLANTIC_STATUTE_NAME]. Where the statute or its regulations specify the sections that govern use and disclosure, those govern; this agreement does not relax them.
4. Safeguards
The [ATLANTIC_STATUTE_NAME] requires [ATLANTIC_CUSTODIAN_TERM]s to take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of [ATLANTIC_PI_TERM]. Phiusion, as your information manager under the [ATLANTIC_STATUTE_SECTION] information-manager agreement, contractually adopts equivalent safeguards so that your statutory safeguard duty is supported end-to-end. The safeguards are commensurate with the sensitivity of the data and consistent with the [ATLANTIC_PROVINCE] privacy regulator's guidance under the [ATLANTIC_STATUTE_NAME]. The categories are:
- Technical. TLS 1.2 or higher in transit; AES-256 at rest; row-level security in the database so that each [ATLANTIC_CUSTODIAN_TERM] sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; key management with rotation; segmented production environments.
- Organizational. A named Privacy Officer at Phiusion (Jonathan Garbutt, privacy@phiusionlabs.app); a documented information-security programme; annual penetration testing; vulnerability management with severity-keyed SLAs; mandatory privacy and security training for all personnel with production access.
- Administrative. Background checks and confidentiality undertakings for engineering and support staff; role-based access control ("RBAC") with least-privilege defaults; access logging on every read and write of [ATLANTIC_PI_TERM]; quarterly access reviews; written sub-processor agreements; written vendor agreements with Universkin SAS (BAA and DPA, available to you on request).
These safeguards are operationalized through the personnel directives in §5 and the Sub-Processors listing. Phiusion is prepared to respond in writing to any safeguard-related question you, or the [ATLANTIC_PROVINCE] privacy regulator on your behalf, may pose under the [ATLANTIC_STATUTE_NAME] or this agreement.
5. Directives to Phiusion's agents
The [ATLANTIC_STATUTE_NAME], read with its regulations and the [ATLANTIC_PROVINCE] privacy regulator's guidance, requires [ATLANTIC_CUSTODIAN_TERM]s to establish policies and procedures (including training expectations) for their agents and to maintain records of access to and use of [ATLANTIC_PI_TERM] sufficient to support oversight and audit. Although Phiusion is not itself a [ATLANTIC_CUSTODIAN_TERM] or an agent in the statutory sense, Phiusion adopts equivalent directives for its own personnel — including personnel of Universkin SAS, the French company that builds and operates the platform on Phiusion's behalf — so that the chain from you to the people who touch [ATLANTIC_PI_TERM] is unbroken:
- Need-to-know. No member of Phiusion or Universkin staff may access [ATLANTIC_PI_TERM] except where the access is required to deliver a service listed in §2 or to respond to a written request from you.
- Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. Privileges are reviewed quarterly and revoked on role change.
- Training. Every individual with any path to [ATLANTIC_PI_TERM] completes privacy and security training at onboarding and annually thereafter, in line with the training expectations the [ATLANTIC_STATUTE_NAME] and its regulations read into the [ATLANTIC_CUSTODIAN_TERM]'s safeguard duty. Records of completion are kept for the period set in the Retention Schedule.
- Confidentiality. Every individual signs a confidentiality undertaking that survives termination. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
- Logging and review. Access to [ATLANTIC_PI_TERM] is logged so that you can discharge your statutory record-keeping and access-audit duty under the [ATLANTIC_STATUTE_NAME]. Logs are reviewed on a defined cadence and on demand following any incident, and are available to you under §6.
- No secondary use. Personnel may not use [ATLANTIC_PI_TERM] for any purpose outside the services described in §2, and may not export [ATLANTIC_PI_TERM] from the production environment except where doing so is required to deliver a service you have requested.
These directives apply equally to Universkin SAS staff. The BAA and DPA between Phiusion Labs and Universkin SAS make the directives contractually binding on Universkin.
6. Audit and access logs
The [ATLANTIC_STATUTE_NAME] requires [ATLANTIC_CUSTODIAN_TERM]s to maintain records of access to and use of [ATLANTIC_PI_TERM] sufficient to support audit and oversight. The [ATLANTIC_STATUTE_SECTION] information-manager-agreement provision of the [ATLANTIC_STATUTE_NAME], and this agreement, give you the right to audit Phiusion's compliance with the safeguards in §4 and the directives in §5.
- Access logs. Phiusion captures access events on read and write of [ATLANTIC_PI_TERM] in the application. The log fields include actor, timestamp, record identifier, and the operation performed. Logs are retained for the period set in the Retention Schedule and are available to you under the audit process below. [ATLANTIC_PROVINCE] does not require a separate published audit-summary artifact under the [ATLANTIC_STATUTE_NAME] — the [ATLANTIC_STATUTE_SECTION] information-manager agreement itself, together with §4 and §5, is the audit surface, and Phiusion's responses to written information-requests are the first-line audit channel.
- [ATLANTIC_CUSTODIAN_TERM] audits. You may, on reasonable notice (ordinarily 30 days), audit Phiusion's compliance with this agreement either through (i) Phiusion's responses to a written information-request, (ii) review of third-party assurance reports we hold (SOC 2 Type II, penetration-test summaries, vendor questionnaires), (iii) targeted log extracts for [ATLANTIC_PI_TERM] in your workspace, or (iv) on-site or virtual interviews with named Phiusion staff. Audits must be scoped to controls relevant to the [ATLANTIC_STATUTE_NAME], conducted during business hours, and subject to confidentiality protections.
- Cost. Phiusion absorbs the cost of a routine annual audit at the information-request and assurance-report level. Out-of-scope or repeat audits within the same year may be invoiced at our reasonable cost.
- Regulator audit. Phiusion will cooperate with any audit, review, or investigation conducted by the [ATLANTIC_PROVINCE] privacy regulator under the [ATLANTIC_STATUTE_NAME], and will keep you informed in line with the breach-notification expectations in §7.
7. Breach notification
The [ATLANTIC_STATUTE_NAME] establishes the breach-notification framework for [ATLANTIC_PI_TERM]. The chain runs from the information manager to the [ATLANTIC_CUSTODIAN_TERM] and from the [ATLANTIC_CUSTODIAN_TERM] onward to affected individuals and, where the statute and its regulations so require, the [ATLANTIC_PROVINCE] privacy regulator. Phiusion's role in the chain is as follows:
- Information manager → [ATLANTIC_CUSTODIAN_TERM]. If Phiusion has reason to believe that [ATLANTIC_PI_TERM] under your custody has been stolen, lost, or accessed, used, or disclosed contrary to the [ATLANTIC_STATUTE_NAME], Phiusion will notify you at the first reasonable opportunity. "First reasonable opportunity" means: as soon as Phiusion confirms the incident's scope sufficiently to inform you usefully, and in any event without undue delay. We do not wait for a full forensic report before notifying.
- Information provided. The notification will identify, to the extent then known: what data was affected, how many records, the nature and timing of the incident, the steps Phiusion has taken in response, and a contact at Phiusion for follow-up.
- [ATLANTIC_CUSTODIAN_TERM] → individuals and regulator. The [ATLANTIC_STATUTE_NAME] reserves to you, the [ATLANTIC_CUSTODIAN_TERM], the decision and obligation to notify affected individuals where the statutory threshold is met; reporting to the privacy regulator with jurisdiction in [ATLANTIC_PROVINCE] follows the [ATLANTIC_STATUTE_NAME], its regulations, and that regulator's guidance. Phiusion does not notify the regulator directly except where Phiusion is contacted as a witness or evidence-holder. Phiusion will assist you in preparing your notification on request.
- Playbook. The end-to-end workflow — internal triage, [ATLANTIC_CUSTODIAN_TERM] notification, regulator support, individual notification templates, post-incident review — is documented in the Breach Notification Playbook.
Phiusion logs confirmed and suspected privacy incidents in an internal register and retains the register for the period set in the Retention Schedule.
8. Sub-processors and pass-through obligations
Phiusion uses the sub-processors listed at Sub-Processors to deliver the services. Each sub-processor is bound by a written agreement that flows down, in substance, the same restrictions Phiusion accepts under this agreement — confidentiality, security safeguards, breach notification, restrictions on secondary use, and audit cooperation.
- Material-change notification (two-tier). Routine sub-processor changes affecting [ATLANTIC_PI_TERM] — adding a new sub-processor or materially changing the scope of an existing sub-processor's [ATLANTIC_PI_TERM] access — are notified at least 15 days in advance by in-app banner and email to the address on your account. Emergency or risk-driven changes (vendor outage, vendor security incident, regulator order, vendor insolvency, or similar) are notified as soon as practicable (typically within 24 hours) and may take effect before notice. If you object on reasonable [ATLANTIC_STATUTE_NAME] grounds — during the routine notice window or after an emergency change — write to privacy@phiusionlabs.app; if the objection cannot be resolved, you may terminate this agreement under §9 without penalty.
- Platform-operator sub-processor. Universkin SAS (France) operates the application on Phiusion's behalf and is the most significant sub-processor. The BAA and DPA between Phiusion and Universkin are available on request to you, the [ATLANTIC_PROVINCE] privacy regulator, or the Office of the Privacy Commissioner of Canada ("OPC") for federal-stream review.
- Cross-border transfers. Where [ATLANTIC_PI_TERM] is transferred to a sub-processor outside Canada, the contractual flowdowns required by PIPEDA Schedule 1 Principle 4.1.3 are in place. [ATLANTIC_PROVINCE] imposes no provincial cross-border restriction beyond PIPEDA's Schedule 1 flow-down, and the [ATLANTIC_STATUTE_NAME] does not prohibit cross-border processing where this information-manager agreement and the [ATLANTIC_STATUTE_NAME]'s safeguard duty are met. Transfer details are part of the safeguard package in §4.
9. Termination and data return
You may terminate this agreement at any time by closing your account in the application or by writing to privacy@phiusionlabs.app. Phiusion may terminate on 90 days' written notice, or sooner where you materially breach this agreement and fail to cure within 30 days.
On termination:
- Return or destruction. You direct whether the [ATLANTIC_PI_TERM] in your workspace is returned to you (export in a structured, machine-readable format) or destroyed. The default, absent your direction within 60 days of termination, is destruction.
- Backups. Backup copies that cannot be targeted-deleted are isolated, access-restricted, and aged out on the backup schedule published in the Retention Schedule.
- Confirmation. A written destruction or export confirmation is provided on request.
- Survival. The breach-notification, audit-cooperation, and confidentiality provisions of this agreement survive termination to the extent necessary to address pre-termination conduct.
10. Governing law and dispute resolution
This agreement is governed by the laws of the Province of [ATLANTIC_PROVINCE] and the federal laws of Canada applicable therein. The Superior Court of [ATLANTIC_PROVINCE] has non-exclusive jurisdiction over any dispute that cannot be resolved informally or through the dispute-resolution provisions of the Terms of Service §13.
Nothing in this agreement limits the statutory jurisdiction of the [ATLANTIC_PROVINCE] privacy regulator or your statutory rights under the [ATLANTIC_STATUTE_NAME].
11. Contact and supervisory authorities
- Phiusion Labs Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
- Universkin SAS Data Protection Officer (sub-processor leg): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
If you are not satisfied with Phiusion's response, you may contact a supervisory authority:
- The [ATLANTIC_PROVINCE] privacy regulator — primary. The privacy regulator with jurisdiction in [ATLANTIC_PROVINCE] is the supervisory authority for [ATLANTIC_STATUTE_NAME] matters and is the body to which you, as [ATLANTIC_CUSTODIAN_TERM], would direct any reportable-breach notification where the statutory threshold is met. The current contact details for the [ATLANTIC_PROVINCE] privacy regulator are published in the [ATLANTIC_PROVINCE] section of Provincial Disclosures (D23).
- Office of the Privacy Commissioner of Canada (OPC) — federal backup. https://www.priv.gc.ca/. The OPC has jurisdiction over PIPEDA-stream matters, which may apply to Phiusion's administrative records about you (the account-level data covered by the Privacy Notice for Practitioners) even though [ATLANTIC_PI_TERM] itself flows under the [ATLANTIC_STATUTE_NAME].
For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Sub-Processors page, the HIPAA Business Associate Agreement, and the Terms of Service.