Information Management Service Provider Agreement (Saskatchewan HIPA)

Version 1.0.0·Effective 2026-05-26

Information Management Service Provider Agreement (Saskatchewan HIPA)

This agreement governs the electronic services that Phiusion Labs provides to you, the Saskatchewan health-information trustee, under The Health Information Protection Act (HIPA), SS 1999 c. H-0.021. It is specific to Saskatchewan; if you also practice in another province or country, the Privacy Notice for Practitioners covers your account information across all jurisdictions, and the Privacy Notice for Patients covers patient-facing terms.

You accept this agreement when you sign up as a Saskatchewan-based health professional. A new major version of this agreement requires your acceptance before you can continue using the application; see §12 of the Privacy Notice for Practitioners for the versioning rules.

Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this agreement should be read to suggest that the application performs a regulated clinical function; clinical judgment remains entirely yours under your professional licence.

1. Phiusion's role: Information Management Service Provider

Phiusion Labs acts as an information management service provider ("IMSP") to you under HIPA s.18. HIPA s.2 defines an IMSP, in substance, as a person or body that processes, stores, retrieves or disposes of personal health information for a trustee, or that strips, encodes or otherwise transforms personal health information to create non-identifying personal health information. Phiusion squarely fits because it processes, stores, and retrieves the personal health information ("PHI") you place into the application on your behalf as trustee.

For clarity:

  • Phiusion is not a trustee. HIPA s.2 defines "trustee" by reference to an enumerated list — government institutions, regional health authorities, health-care organizations, licensed health professionals, pharmacies, and similar bodies to whom HIPA assigns the primary custodial duties for PHI. Phiusion is none of these; you are the trustee of the PHI records you create inside the application.
  • Phiusion is not an agent or employee of the trustee. Although HIPA's definitions of trustee, agent, and employee are drafted with their usual breadth, HIPA distinguishes agents (who exercise the trustee's own functions inside the trustee's program, and for whose conduct the trustee is responsible under s.16(2)) from external service providers governed by an IMSP agreement under s.18; Phiusion is the latter, not the former.
  • HIPA s.18 applies. Section 18 requires a written agreement between trustee and IMSP before PHI is provided to the IMSP; the agreement must require the IMSP's compliance with HIPA and the regulations, and is the foundation for the safeguards in §4, the directives in §5, and the audit framework in §6. This agreement is the s.18 instrument between you and Phiusion.

This role applies only to PHI that you, as a Saskatchewan trustee, place into the application. Phiusion's own administrative records about you (account, billing, support) sit under the Privacy Notice for Practitioners; they are not PHI under HIPA, although they may be personal information under PIPEDA at the federal level.

Internal documents referenced in this agreement — the Retention Schedule, the Breach Notification Playbook, and the privacy-incident register — are available to regulators and to data subjects on request.

2. Services Phiusion provides

Phiusion supplies the following electronic services to you as a Saskatchewan trustee:

  • Application hosting. Web application access from the Phiusion domain, including authentication, session management, and user-interface delivery.
  • Patient-record storage. Storage of patient profiles, health-background fields, photo sessions, wellness-documentation sessions, and treatment selections that you enter or that the application generates on your behalf.
  • Photo storage and processing. Secure object storage for patient photos, including a background-removal preprocessing step performed before storage.
  • SkinXS API access. Routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to your workspace for your professional review and curation.
  • Telemetry and reliability monitoring. Error reporting, performance counters, and feature-usage signals that allow Phiusion to keep the application running and to investigate problems you report.
  • Breach detection. Monitoring for unauthorized access, abnormal query patterns, and credential compromise, plus the incident-response workflow described in the Breach Notification Playbook.
  • Backups and restoration. Encrypted database and storage backups, with restoration available on your written request.

Phiusion does not make autonomous clinical decisions, does not generate prescriptions, and does not produce patient-facing output without your curation step. SkinXS suggests; you decide.

3. Personal-health-information handling

Phiusion handles PHI strictly within the four corners of your trustee authority. HIPA s.23 limits the use of PHI to the purposes for which it was collected (or directly related purposes consistent with the Act), and HIPA ss.24–25 govern the disclosure of PHI to the cases the Act permits; as an IMSP, Phiusion's use and disclosure are both narrower still, confined to what you have authorized in this agreement and in any supplemental written instructions.

  • Collection. Phiusion collects only PHI that you, the trustee, choose to enter into the application (or that the application generates on your behalf — for example, SkinXS scores computed from photos you upload). Phiusion does not solicit PHI from any other source and does not purchase data about your patients.
  • Use. PHI is used only to deliver the services in §2 and to discharge Phiusion's IMSP duties under HIPA s.18. This includes operational uses such as error investigation, capacity planning, and security monitoring. PHI is not used for marketing, advertising, profiling, or model training without a separate written authorization grounded in patient consent (see the AI Improvement Consent and the Privacy Notice for Patients).
  • Disclosure. Phiusion does not disclose PHI to third parties except to the sub-processors disclosed at Sub-Processors (each acting on documented instructions, see §8) or where legally compelled by a valid Saskatchewan or Canadian instrument. If compelled, Phiusion will, where lawful, give you advance notice so that you may challenge the demand.
  • Retention. PHI is retained for the period you set as trustee. Phiusion's default retention windows for backups and operational logs are published in the Retention Schedule; if you require shorter retention for a specific dataset, write to privacy@phiusionlabs.app.
  • Destruction. When you direct destruction (account closure, a specific deletion request, or end of retention), Phiusion deletes the active record and isolates any backup copy that cannot be targeted-deleted, letting the backup age out under the schedule. A destruction confirmation is available on request.
  • No secondary use. Phiusion does not use PHI for any purpose outside the services in §2 and the s.18 duties described in this agreement. Any new use requires your prior written authorization, which you may give or withhold consistent with HIPA ss.23–25.

4. Safeguards

HIPA s.16 requires trustees to take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality, integrity, and availability of PHI. Phiusion, as your IMSP under s.18, contractually adopts equivalent safeguards so that your s.16 duty is supported end-to-end. The safeguards are commensurate with the sensitivity of the data and consistent with Office of the Saskatchewan Information and Privacy Commissioner ("IPC SK") guidance under HIPA. The categories are:

  • Technical. TLS 1.2 or higher in transit; AES-256 at rest; row-level security in the database so that each trustee sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; key management with rotation; segmented production environments.
  • Organizational. A named Privacy Officer at Phiusion (Jonathan Garbutt, privacy@phiusionlabs.app); a documented information-security programme; annual penetration testing; vulnerability-management with severity-keyed SLAs; mandatory privacy and security training for all personnel with production access.
  • Administrative. Background checks and confidentiality undertakings for engineering and support staff; role-based access control ("RBAC") with least-privilege defaults; access logging on every read and write of PHI; quarterly access reviews; written sub-processor agreements; written vendor agreements with Universkin SAS (BAA and DPA, available to you on request).

These safeguards are operationalized through the personnel directives in §5 and the Sub-Processors listing. Phiusion is prepared to respond in writing to any safeguard-related question you, or the IPC SK on your behalf, may pose under HIPA s.16 or s.18.

5. Directives to Phiusion's agents

HIPA s.16, read with The Health Information Protection Regulations and IPC SK guidance, requires trustees to establish and maintain administrative safeguards (including policies, training, and confidentiality undertakings) for their employees and agents. Although Phiusion is not itself a trustee or an agent in the s.2 sense, Phiusion adopts equivalent directives for its own personnel — including personnel of Universkin SAS, the French company that builds and operates the platform on Phiusion's behalf — so that the chain from you to the people who touch PHI is unbroken:

  • Need-to-know. No member of Phiusion or Universkin staff may access PHI except where the access is required to deliver a service listed in §2 or to respond to a written request from you.
  • Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. Privileges are reviewed quarterly and revoked on role change.
  • Training. Every individual with any path to PHI completes privacy and security training at onboarding and annually thereafter, in line with the training expectations under HIPA s.16, the HIPA Regulations, and IPC SK guidance. Records of completion are kept for the period set in the Retention Schedule.
  • Confidentiality. Every individual signs a confidentiality undertaking that survives termination. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
  • Logging and review. Access to PHI is logged so that you can discharge your s.16(1)(c) review duty. Logs are reviewed on a defined cadence and on demand following any incident, and are available to you under §6.
  • No secondary use. Personnel may not use PHI for any purpose outside the services described in §2, and may not export PHI from the production environment except where doing so is required to deliver a service you have requested.

These directives apply equally to Universkin SAS staff. The BAA and DPA between Phiusion Labs and Universkin SAS make the directives contractually binding on Universkin.

6. Audit and access logs

HIPA s.16(1)(c) requires trustees to review their safeguards on an ongoing (at least annual) basis to ensure they remain effective. HIPA s.18, and this agreement, give you the right to audit Phiusion's compliance with the safeguards in §4 and the directives in §5 so that you can extend that review to cover Phiusion as your IMSP.

  • Access logs. Phiusion captures access events on read and write of PHI in the application. The log fields include actor, timestamp, record identifier, and the operation performed. Logs are retained for the period set in the Retention Schedule and are available to you under the audit process below. Saskatchewan does not require a separate published audit-summary artifact under HIPA — the s.18 IMSP agreement itself, together with §4 and §5, is the audit surface, and Phiusion's responses to written information-requests are the first-line audit channel.
  • Trustee audits. You may, on reasonable notice (ordinarily 30 days), audit Phiusion's compliance with this agreement either through (i) Phiusion's responses to a written information-request, (ii) review of third-party assurance reports we hold (SOC 2 Type II, penetration-test summaries, vendor questionnaires), (iii) targeted log extracts for PHI in your workspace, or (iv) on-site or virtual interviews with named Phiusion staff. Audits must be scoped to HIPA-relevant controls, conducted during business hours, and subject to confidentiality protections.
  • Cost. Phiusion absorbs the cost of a routine annual audit at the information-request and assurance-report level. Out-of-scope or repeat audits within the same year may be invoiced at our reasonable cost.
  • IPC SK audit. Phiusion will cooperate with any IPC SK audit, review, or investigation under HIPA and will keep you informed in line with the breach-notification expectations in §7.

7. Breach notification

HIPA s.29.1 establishes the breach-notification framework for PHI. The chain runs from the IMSP to the trustee and from the trustee onward to affected individuals and, where the statutory threshold is met, the Saskatchewan Information and Privacy Commissioner. Phiusion's role in the chain is as follows:

  • IMSP → trustee. If Phiusion has reason to believe that PHI under your trusteeship has been the subject of unauthorized access, use, disclosure, or loss, Phiusion will notify you at the first reasonable opportunity. "First reasonable opportunity" means: as soon as Phiusion confirms the incident's scope sufficiently to inform you usefully, and in any event without undue delay. We do not wait for a full forensic report before notifying.
  • Information provided. The notification will identify, to the extent then known: what data was affected, how many records, the nature and timing of the incident, the steps Phiusion has taken in response, and a contact at Phiusion for follow-up.
  • Trustee → individuals and IPC SK. HIPA s.29.1 reserves to you, the trustee, the decision and obligation to notify affected individuals where the statutory threshold is met; trustee reporting to IPC SK follows HIPA, the HIPA Regulations, and IPC SK guidance. Saskatchewan's regulator pathway under HIPA is solely the IPC SK; there is no separate Minister-of-Health notification requirement equivalent to Alberta's. Phiusion does not notify the IPC SK directly except where Phiusion is contacted as a witness or evidence-holder. Phiusion will assist you in preparing your notification on request.
  • Playbook. The end-to-end workflow — internal triage, trustee notification, IPC SK support, individual notification templates, post-incident review — is documented in the Breach Notification Playbook.

Phiusion logs confirmed and suspected privacy incidents in an internal register and retains the register for the period set in the Retention Schedule.

8. Sub-processors and pass-through obligations

Phiusion uses the sub-processors listed at Sub-Processors to deliver the services. Each sub-processor is bound by a written agreement that flows down, in substance, the same restrictions Phiusion accepts under this agreement — confidentiality, security safeguards, breach notification, restrictions on secondary use, and audit cooperation.

  • Material-change notification (two-tier). Routine sub-processor changes affecting PHI — adding a new sub-processor or materially changing the scope of an existing sub-processor's PHI access — are notified at least 15 days in advance by in-app banner and email to the address on your account. Emergency or risk-driven changes (vendor outage, vendor security incident, regulator order, vendor insolvency, or similar) are notified as soon as practicable (typically within 24 hours) and may take effect before notice. If you object on reasonable HIPA grounds — during the routine notice window or after an emergency change — write to privacy@phiusionlabs.app; if the objection cannot be resolved, you may terminate this agreement under §9 without penalty.
  • Platform-operator sub-processor. Universkin SAS (France) operates the application on Phiusion's behalf and is the most significant sub-processor. The BAA and DPA between Phiusion and Universkin are available on request to you, the IPC SK, or the Office of the Privacy Commissioner of Canada ("OPC") for federal-stream review.
  • Cross-border transfers. Where PHI is transferred to a sub-processor outside Canada, the contractual flowdowns required by PIPEDA Schedule 1 Principle 4.1.3 are in place. Saskatchewan imposes no provincial cross-border restriction beyond PIPEDA's Schedule 1 flow-down, and HIPA does not prohibit cross-border processing where the s.18 agreement and s.16 safeguards are in place. Transfer details are part of the safeguard package in §4.

9. Termination and data return

You may terminate this agreement at any time by closing your account in the application or by writing to privacy@phiusionlabs.app. Phiusion may terminate on 90 days' written notice, or sooner where you materially breach this agreement and fail to cure within 30 days.

On termination:

  • Return or destruction. You direct whether the PHI in your workspace is returned to you (export in a structured, machine-readable format) or destroyed. The default, absent your direction within 60 days of termination, is destruction.
  • Backups. Backup copies that cannot be targeted-deleted are isolated, access-restricted, and aged out on the backup schedule published in the Retention Schedule.
  • Confirmation. A written destruction or export confirmation is provided on request.
  • Survival. The breach-notification, audit-cooperation, and confidentiality provisions of this agreement survive termination to the extent necessary to address pre-termination conduct.

10. Governing law and dispute resolution

This agreement is governed by the laws of the Province of Saskatchewan and the federal laws of Canada applicable therein. The Court of King's Bench of Saskatchewan has non-exclusive jurisdiction over any dispute that cannot be resolved informally or through the dispute-resolution provisions of the Terms of Service §13.

Nothing in this agreement limits the IPC SK's statutory jurisdiction or your statutory rights under HIPA.

11. Contact and supervisory authorities

  • Phiusion Labs Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
  • Universkin SAS Data Protection Officer (sub-processor leg): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.

If you are not satisfied with Phiusion's response, you may contact a supervisory authority:

  • Office of the Saskatchewan Information and Privacy Commissioner (IPC SK) — primary. https://oipc.sk.ca/. The IPC SK is the regulator for HIPA matters and is the body to whom you, as trustee, would notify a reportable breach under HIPA s.29.1 where the statutory threshold is met.
  • Office of the Privacy Commissioner of Canada (OPC) — federal backup. https://www.priv.gc.ca/. The OPC has jurisdiction over PIPEDA-stream matters, which may apply to Phiusion's administrative records about you (the account-level data covered by the Privacy Notice for Practitioners) even though PHI itself flows under HIPA.

For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the Sub-Processors page, the HIPAA Business Associate Agreement, and the Terms of Service.