Data residency: All data is securely stored in Canadian data centres.
Data usage: Data is never used for secondary purposes like model training or commercialisation.
Certifications: Heidi is a leader in compliance, and has obtained certifications such as ISO 27001, ISO 9001, and SOC 2 Type II.
Privacy Impact Assessments (PIAs): Completed across multiple jurisdictions - we are able to share examples on request.
Trusted across Canadian healthcare: Heidi has been deployed in OHTs, PCNs, FHTs, health authorities and hospitals across Canada.
Resources
In response to questions around local compliance, privacy, and security, we’ve pulled together the resources below to make it easier to share and explore our industry-leading standards. Whether you're just looking for a quick overview or want to dig into the details, everything you need is here.
While we often exceed domestic standards due to operating in regions with some of the world’s strictest regulations (e.g. Europe, UK), our compliance work in Canada is specifically anchored to the publicly listed requirements from OntarioMD. We hope this provides a clear and helpful foundation as you conduct your assessments and prioritize provider safety.
Reference documents
General Compliance Overview (Download): An easy-to-share one-pager covering how Heidi meets privacy, security, and legal requirements in Canada.
Ontario AI Scribe Program Response 1-pager (Download): A concise one-pager on how Heidi meets all vendor requirements set by Supply Ontario and project partners in the Ontario AI Scribe Program.
Ontario AI Scribe Program Response deep dive (Download): A detailed breakdown of how Heidi meets each requirement with respect to clinical functions, privacy and data security, and other medico-legal considerations.
Compliance certifications
Visit our Trust Centre to download our compliance certifications (examples listed below) and learn more about controls, subprocessors and our latest compliance updates.
ISO27001:2022 Certification
SOC2 Type 2 Letter of Attestation
Common compliance FAQs
Below are answers to the most frequently asked compliance questions from clinicians, IT leads, privacy officers, and health system leaders across Canada.
Why wasn’t Heidi included in the OntarioMD / Canada Health Infoway vendor lists?
Both lists prioritized vendors headquartered in Canada. Whilst we understand the intent to support local innovation, Heidi is an Australian-founded company and therefore does not meet these particular criteria, regardless of clinical quality, usage, or compliance.
While we are disappointed international AI scribes were not included for the time being, we want to be clear: Heidi is safe, legal, secure, and already supports over 1.5 million Canadian consults every month.
We are and always have been a compliance-first company and few vendors can match our global track record on security and privacy. We’ll continue to lead and proactively work with OntarioMD and Canada Health Infoway to support inclusion as these programs evolve.
Can I still purchase or continue to use Heidi Health if it's not on the VOR list?
Yes. OntarioMD has confirmed that the Vendor of Record (VOR) list is optional:
“Purchasing an AI scribe using the VOR list is optional. You can still purchase solutions that are not on the VOR list.”
Source: Ontario MD Practice Hub
Thousands of clinicians across Canada continue to use Heidi with confidence. From OHTs and PCNs in Ontario, to emergency departments in Montreal, to rural teams in the Yukon, Heidi is there wherever care is delivered.
Does Heidi Health comply with Canadian privacy laws?
Does Heidi use clinician or patient data to train its AI models?
No. Heidi Health does not use any patient data, including de-identified data, for model training, secondary use, or improving its AI.
Is Heidi Health’s data stored and processed in Canada?
Yes. Heidi Health ensures that all data is stored and processed within Canada for our Canadian users.
What happens if Heidi is discontinued or a clinician stops using it?
If you ever decide to stop using Heidi or if we were to discontinue the product, you won’t be left stranded.
Clinicians can export their data at any time, and we’ll work with you to make sure there’s a smooth transition to another tool if needed. Your data stays accessible and under your control throughout. We also have a full Business Continuity and Disaster Recovery Plan in place to cover any unexpected disruptions, whether it's a service outage or a broader issue.
There’s no lock-in, and no impact on your clinical workflow if you move on from Heidi.
Does Heidi delete notes securely?
Yes. Data retention periods are determined by clinicians, with the option of automatic deletion in place of manual deletion. When data is deleted, it is destroyed using secure erasure methods and cannot be recovered from our servers.
What security measures does Heidi Health have in place?
Heidi is built with security at its core. We use a range of modern tools and practices to keep your data safe, including:
Intrusion Detection and Prevention (IDS/IPS)
Security Information and Event Management (SIEM)
Endpoint Detection and Response (EDR)
Data Loss Prevention (DLP)
Secure network configuration
Audit logs that are stored for forensic and accountability purposes
We also follow a "security by design" approach, meaning security isn’t something we bolt on later. It’s built into the way we design, develop and run Heidi every day.
Does Heidi undergo regular security assessments?
Yes. We run regular security and privacy assessments to make sure everything’s working the way it should and that we’re keeping your data safe.
That includes annual penetration tests conducted by independent security firms, as well as ongoing internal reviews of our infrastructure and processes. We also complete Privacy Impact Assessments and Threat Risk Assessments, especially when anything significant changes in the system.
Our compliance and security team uses real-time monitoring tools and runs regular audits to catch issues early and reduce risk. It’s all part of how we stay proactive and make sure Heidi remains safe to use in clinical settings.
Does Heidi have recognised security certifications?
Yes, we do. Heidi is certified to several well-known and respected standards, including:
ISO 27001 - for how we manage information security
SOC 2 Type II - which confirms we meet high standards for security, availability and confidentiality
ISO 9001 - focused on quality management and continuous improvement
These certifications aren’t just for show; they reflect how we actually run the platform, from product development to data handling and incident response.
We’ve also been approved for use by major hospitals and health networks across the country, including in Ontario, British Columbia, Quebec and the Yukon.
Does Heidi back up data and support disaster recovery?
Absolutely. Heidi’s infrastructure is built with resilience and data integrity in mind. All clinical data is automatically and continuously backed up to secure, encrypted storage within Canadian data centres. Our Disaster Recovery and Business Continuity Plan covers everything from hardware failures to broader service disruptions, and includes:
Encrypted, automatic data backups
Systems to ensure minimal service disruption in the event of a failure or outage
Will Heidi warn clinicians if something goes wrong?
Yes. Heidi has built-in safeguards that notify users if any part of the conversation is not fully processed or transcribed, ensuring clinicians are aware of missing or incomplete data before relying on the output.