PHIPA Audit Summary (Ontario)
Audit period covered: Calendar year 2026 (pre-launch baseline). Next scheduled audit: Calendar year 2027 (publication due 2027-06-01). Applies to: Phiusion Labs' role as a Health Information Network Provider ("HINP") to health information custodians in Ontario under the Personal Health Information Protection Act, 2004 ("PHIPA") and Ontario Regulation 329/04.
1. Purpose of this summary
Section 6(3) of PHIPA, read together with section 6 of O. Reg. 329/04, requires a person who provides electronic services to two or more health information custodians to enable them to use electronic means to disclose personal health information to one another — a Health Information Network Provider — to make available to the public a plain-language description of the services provided, the safeguards in place to protect the privacy and security of personal health information ("PHI"), and a written summary of the directives, guidelines and policies that apply to the services. This document is the fourth published artifact in that set: the annual audit summary.
The three companion artifacts are:
- The HINP services description — see PHIPA HINP Services Agreement.
- The safeguards summary — see PHIPA HINP Services Agreement.
- The policies index — see PHIPA HINP Services Agreement and the cross-references throughout this document.
Together these four artifacts satisfy the Information and Privacy Commissioner of Ontario's ("IPC Ontario") expectations for HINP transparency. This summary is informational and does not require re-consent from custodians or patients.
2. Audit scope
This audit covers Phiusion Labs' processing of PHI on behalf of Ontario custodians using the platform between 2026-01-01 and 2026-12-31. Because commercial launch in Ontario is scheduled for mid-2026, the first audit period captures pre-production controls, the security review conducted before onboarding the first Ontario custodian, and the safeguards in place at go-live.
In-scope systems:
- The Phiusion Labs web application (Next.js on Vercel) used by custodians to record patient information, photographs, skin-analysis results, treatment plans, and order history.
- The Phiusion Labs Postgres database and object storage (Supabase) used to persist PHI.
- The administrative and developer tooling that allows authorized Phiusion Labs personnel to operate the service.
- Sub-processors enumerated in the published Sub-Processors list.
Out of scope: custodians' own systems, devices, and networks; third-party services that custodians integrate independently outside the platform; and any data that is not PHI.
3. Technical safeguards summary
Phiusion Labs implements layered technical safeguards consistent with industry practice and IPC Ontario guidance.
- Encryption at rest. All PHI is stored in Supabase Postgres and Supabase Storage with AES-256 encryption at rest. Database backups inherit the same encryption. Encryption keys are managed by the storage provider; Phiusion Labs does not export raw keys.
- Encryption in transit. All traffic to the platform — browser to application, application to database, application to sub-processors, and webhook traffic — is carried over TLS 1.2 or higher. HTTPS is enforced at the edge with HSTS; mixed-content is blocked by Content Security Policy.
- Row-Level Security ("RLS"). Every PHI-bearing table in Postgres has RLS enabled. Policies bind each row to the owning custodian (practitioner) and prevent cross-tenant reads or writes at the database layer, independent of the application code path.
- Authentication. Custodian and staff access is brokered through Supabase Auth. Multi-factor authentication is required for all custodian and Phiusion Labs personnel accounts. The platform is passkey-eligible, allowing custodians to register WebAuthn credentials in addition to TOTP.
- Authorization. Application-layer authorization is enforced per request and re-checked at the database layer through RLS. Service-role keys are confined to server-side functions and never exposed to the browser.
- Access logging. Every read and write of PHI is logged with actor identity, timestamp, action, and target record identifier. Logs are retained according to the internal Retention Schedule (available to regulators and to data subjects on request) and are available to custodians on written request.
- Backup and integrity. Supabase managed backups are taken on a daily cadence with point-in-time recovery within the provider's retention window. Restore integrity tests are performed at least annually and are recorded in the operations runbook.
- Vulnerability management. Dependencies are tracked through automated software-composition analysis; critical advisories trigger an out-of-cycle patch. Application errors and security signals are forwarded to a managed error-tracking sub-processor under written agreement.
- Network controls. The application enforces a strict Content Security Policy, security headers (HSTS, X-Content-Type-Options, Referrer-Policy), and rate limiting on authentication-sensitive endpoints.
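The Row-Level Security and access-logging safeguards above are easier to assess with a concrete schema in front of you. The following SQL is an added illustration written for this summary; it is not Phiusion Labs' own schema or policy set. It assumes Supabase Postgres, where `auth.uid()` returns the authenticated user's UUID, and the table, column and function names (`patient_records`, `custodian_id`, `phi_access_log`, `log_phi_write`) are hypothetical.

```sql
-- Added example (not Phiusion Labs' schema): a PHI-bearing table whose rows
-- are bound to the owning custodian, with RLS policies that block
-- cross-tenant reads and writes regardless of the application code path.
-- Assumption: Supabase Postgres, where auth.uid() is the caller's user UUID.
create table if not exists patient_records (
  id            uuid primary key default gen_random_uuid(),
  custodian_id  uuid not null,            -- the practitioner who owns the row
  patient_name  text not null,
  notes         text,
  created_at    timestamptz not null default now()
);

-- Enable RLS, and force it so that even the table owner cannot bypass it.
alter table patient_records enable row level security;
alter table patient_records force row level security;

-- With RLS enabled and no policy, every access is denied. Each policy below
-- grants only what the owning custodian needs; "using" filters rows that can
-- be seen or changed, "with check" rejects rows that would leave the tenant.
create policy custodian_select on patient_records
  for select using (custodian_id = auth.uid());

create policy custodian_insert on patient_records
  for insert with check (custodian_id = auth.uid());

create policy custodian_update on patient_records
  for update using (custodian_id = auth.uid())
             with check (custodian_id = auth.uid());

create policy custodian_delete on patient_records
  for delete using (custodian_id = auth.uid());

-- Access log for writes: actor identity, timestamp, action and target record,
-- matching the fields listed in the access-logging safeguard.
create table if not exists phi_access_log (
  id         bigserial primary key,
  actor_id   uuid,
  action     text not null,               -- INSERT / UPDATE / DELETE
  record_id  uuid not null,
  logged_at  timestamptz not null default now()
);

-- The log is append-only from the application's point of view: users get no
-- direct privileges on it, and only the definer-rights trigger can insert.
revoke all on phi_access_log from public;

create or replace function log_phi_write() returns trigger
language plpgsql security definer as $$
begin
  insert into phi_access_log (actor_id, action, record_id)
  values (auth.uid(), tg_op,
          case when tg_op = 'DELETE' then old.id else new.id end);
  return case when tg_op = 'DELETE' then old else new end;
end $$;

create trigger patient_records_audit
  after insert or update or delete on patient_records
  for each row execute function log_phi_write();
```

Two checks a custodian auditor can ask for: a `select` issued under one custodian's session against another custodian's rows must return zero rows rather than an error, and an `insert` whose `custodian_id` is not the caller's UUID must fail with a "new row violates row-level security policy" error. Two caveats follow from the design: row triggers only fire on writes, so logging of reads (which this summary states is done for every PHI read) has to happen in the application layer or via database statement logging; and the Supabase service-role key bypasses RLS entirely, which is why the authorization bullet's confinement of that key to server-side functions is load-bearing.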
4. Organizational safeguards summary
Phiusion Labs maintains organizational safeguards that govern how people inside the company handle PHI.
- Privacy leadership. A Phiusion Labs Privacy Officer is the primary point of contact for Ontario custodians on privacy and security matters. Universkin SAS, Phiusion Labs' platform operator and sub-processor, designates a Data Protection Officer ("DPO") for cross-jurisdictional matters. Both roles will be named individuals as part of the Phase 4 appointments programme; placeholder contact details appear in the frontmatter above and in §10 below.
- Training. All engineering and operations staff with access to production systems complete annual privacy and security training. The curriculum covers PHIPA obligations for HINPs, breach handling, secure development practice, and the platform's specific data flows. Training completion is tracked and is auditable on custodian request.
- Personnel screening. Personnel with production access undergo background checks proportionate to their role and sign confidentiality undertakings that survive termination. Access is revoked promptly on role change or departure.
- Documented policies. Internal policies cover acceptable use, secure software development, change management, vendor management, incident response, and retention. Externally facing counterparts are published as the Business Associate Agreement and Data Processing Agreement, with the internal Retention Schedule and internal Breach Notification Playbook (both available to regulators and to data subjects on request), and the acceptable-use terms inside the PHIPA HINP Services Agreement.
- Segregation of duties. Engineering, support, and operations roles are separated by least-privilege access. Production database access is gated, logged, and reviewed.
5. Administrative safeguards summary
Administrative safeguards focus on the contractual and procedural infrastructure that wraps the platform.
- Vendor and sub-processor chain. Phiusion Labs maintains a current list of sub-processors at Sub-Processors and contracts with each under a written agreement that imposes confidentiality, security, and breach-notification obligations consistent with the Business Associate Agreement and Data Processing Agreement. Custodians are notified before a new sub-processor is added.
- Vendor agreements with Universkin SAS. Phiusion Labs and Universkin SAS operate under a written BAA and DPA that bind Universkin's data-processing activities to the same standards required of other sub-processors. These instruments are referenced by name only and are not posted publicly.
- Breach response. The internal Breach Notification Playbook (available to regulators and to data subjects on request) defines triage, containment, custodian notification, and reporting service-level commitments to IPC Ontario, custodians, and affected individuals consistent with PHIPA s.12(2) and the IPC's expectations.
- Retention enforcement. PHI is retained only for the periods documented in the internal Retention Schedule (available to regulators and to data subjects on request). Deletion and de-identification jobs run on the cadence stated there and are observable in operational logs.
- Data-subject and access requests. Custodians remain responsible for responding to access and correction requests from their patients. Phiusion Labs supports custodians through the process described in Privacy Notice for Practitioners section 6 and in section 11 of the Privacy Notice for Patients.
- Change management. Material changes to safeguards, policies, or sub-processors are recorded in document version history and surfaced to custodians on the next sign-in following publication.
6. Audit findings
Findings for the current period: none.
The platform is in a pre-launch posture for Ontario. No PHI from Ontario custodians has been processed in production during the period covered by this summary, and therefore no findings of non-conformance, control gap, or privacy incident are reported.
Starting with the 2027 audit cycle, findings will be presented in a table with the following columns:
| Finding | Impact rating | Remediation | Status | Target close date |
|---|---|---|---|---|
Impact ratings are one of: Low, Moderate, High, Critical. Status values are one of: Open, In progress, Mitigated, Closed.
7. Remediation tracking
Phiusion Labs maintains a remediation tracker that is reviewed by the Privacy Officer on at least a quarterly cadence. Material findings — anything rated Moderate or higher — are reviewed monthly until closed. The tracker captures the original finding, the root cause, the corrective action, the responsible owner, and evidence of closure. A summarised view will appear in each annual audit summary beginning with the 2027 publication.
8. Custodian audit rights
Under PHIPA s.6(3) and the agreements custodians sign at onboarding, a custodian (or the custodian's qualified representative) has the right to request reasonable information about Phiusion Labs' HINP practices, including an audit of the safeguards described in this summary. To exercise this right, a custodian should:
- Send a written request to the Phiusion Labs Privacy Officer (see §10) identifying the scope of the audit and the requested information.
- Allow Phiusion Labs a reasonable period — typically thirty (30) business days — to respond, propose a method (e.g., documentary review, written attestations, or, where warranted, an on-site or remote technical review), and schedule the work.
- Cooperate on confidentiality and scoping, including signing a non-disclosure undertaking where the audit will touch information that relates to other custodians or to Phiusion Labs' security configuration.
Phiusion Labs will not unreasonably refuse a custodian audit and will bear the costs of its own personnel time. Costs of third-party auditors retained by the custodian are the custodian's responsibility unless otherwise agreed in writing.
9. IPC Ontario notification
Phiusion Labs maintains a standing channel for inquiries from IPC Ontario. The Privacy Officer is the named point of contact and undertakes to:
- Acknowledge IPC correspondence within two (2) business days.
- Cooperate fully with any review, investigation, or order under PHIPA.
- Notify IPC Ontario of reportable privacy breaches in accordance with PHIPA s.12(3) and the timelines in the internal Breach Notification Playbook (available to regulators and to data subjects on request).
- Make this audit summary, the PHIPA HINP Services Agreement, and the related artifacts available on request in the form preferred by the IPC.
This commitment is offered without prejudice to any specific rights or remedies available to the IPC under PHIPA.
10. Contact
Phiusion Labs Privacy Officer Jonathan Garbutt privacy@phiusionlabs.app
Universkin SAS Data Protection Officer (platform operator and sub-processor) Maître Eric ELABD +33 (4) 93.00.11.96 dpo@universkin.com
Information and Privacy Commissioner of Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Telephone: 1-800-387-0073 Web: https://www.ipc.on.ca/
This summary will be republished on or before 2027-06-01 covering the calendar-year 2026 audit cycle and any controls in operation through that period.