Securing Your Trust: Signority’s Compliance Journey

October 5th, 2023

Signority’s security & compliance principles guide how we deliver our products and services, enabling people to simply and securely access the digital world.

Secure Personnel

Signority takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

  • All Signority contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
  • Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
  • We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.
 

Secure Development

  • All development projects at Signority, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
  • All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
  • All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
  • Software development is conducted in line with OWASP Top 10 recommendations for web application security.
 

Secure Testing

Signority deploys third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.

  • All new systems and services are scanned prior to being deployed to production.
  • We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
  • We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud Security

Signority Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

Signority Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

  • All customer cloud environments and data are isolated using Signority’s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
  • All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained Signority experts.
  • We separate each customer’s data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
  • Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
  • We implement role-based access controls and the principle of least-privilege access, and review and revoke access as needed.

Compliance

Signority is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of Signority’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices Signority has in place.

Signority Acquires SOC 2, CSA Level 2, and HIPAA Compliance

October 3rd, 2023

Ontario, Canada, September 27, 2023 – Today, Signority celebrates achieving SOC 2 Type II compliance, in line with the standards set by the American Institute of Certified Public Accountants (AICPA), commonly referred to as SSAE 18. With an unqualified opinion supporting this achievement, Signority underscores its dedication to enterprise-level security, ensuring the safety of customer data within its system.

Furthermore, Signority has earned the CSA Star compliance, adhering to the Cloud Security Alliance’s Security, Trust, Assurance, and Risk Registry benchmarks.

With a global footprint, Signority provides a cloud-secured digital signature solution. Our platform’s security and compliance credentials were meticulously audited by the reputed Prescient Assurance, known for their expertise in B2B and SaaS sector assessments. We extend our gratitude to Secureframe for their pivotal support in this journey.

Our SOC 2 Type II and CSA Star audit certifications offer a solid reassurance to our existing and future clientele about Signority’s steadfast commitment to maintaining superior standards in security and compliance.

If you’d like to acquire Signority’s attestation letter, please reach out to compliance@signority.com.

About Signority

Catering to a worldwide user base, Signority champions leading-edge digital signature workflow solutions. We pride ourselves on ensuring legal compliance, efficiency, cost savings, and enhancing overall productivity for our clients.

Media Relations

Jane He
1.833.222.1088
mediarequests@signority.com

Digitizing Canadian Child & Family Services: Signority’s Impact

Canadian Child & Family Services: A Digital Transformation

September 26th, 2023

Children represent the future, and families are the cornerstone of our society. In the heart of community resilience and strength lies Child & Family Services organizations. They play an indispensable role in ensuring the safety, health, and overall well-being of our most vulnerable members – our children. Yet, like many sectors with deeply embedded traditional processes, Child & Family Services have often been bound by paper-heavy methods, which can delay vital interventions and take crucial time away from direct service.

Signority: Transforming Child & Family Services with Digital Solutions

Child & Family Services encompass an array of responsibilities, from safeguarding children against harm to providing necessary support to families in crisis. Each interaction, whether it’s an initial intake, assessment, or even volunteer onboarding, requires multiple layers of documentation. Historically, this has meant paper forms, manual logging, and significant administrative overhead.

The Practical Benefits of Signority’s Digital Approach

Streamlined Consent Processes: Child & Family Services often require consent forms for various activities, including medical treatment, counseling, urgent response service plan (URS), and educational support. Signority’s digital signature solution simplifies the process of obtaining and managing these consents. Social workers can send consent forms electronically, and clients or guardians can sign them from anywhere, reducing delays and ensuring that necessary permissions are in place promptly.

Efficient Document Signing: Whether it’s agreements, service contracts, or parental consent forms, Signority enables Child & Family Services to send, receive, and sign documents quickly and securely. This efficiency is vital in situations where time-sensitive decisions must be made to protect the well-being of children and families.

Data Security: Signority hosts Canadian customer data exclusively within Canada. Our platform employs advanced encryption and security measures to safeguard sensitive information. Given that Child & Family Services handle confidential data daily, Signority’s robust security features, including masked tags for data security, guarantee that personally identifiable information (PII) remains confidential and fully compliant with data protection regulations.

Environmental & Cost Savings: By shifting away from paper-based processes, agencies can reduce their reliance on physical documents, saving money on printing, storage, and transportation. Additionally, this eco-friendly approach aligns with the broader societal trend towards sustainability.

Access from Anywhere: Signority’s cloud-based platform allows social workers and professionals to access necessary documents from anywhere with an internet connection. This accessibility ensures seamless service delivery, even when working remotely or in the field.

Efficient Onboarding: For Child & Family Services that rely on volunteers or need to conduct background checks, Signority’s digital signature solution streamlines the onboarding process. Volunteer applications and criminal record checks can be seamlessly integrated, ensuring that the agency has the right people on board quickly and safely.

Audit Trails for Accountability: Signority provides audit trails for every signed document, enhancing accountability and transparency within the organization. This feature is particularly valuable in cases where document validity and compliance are essential.

Faster Response Times: Digital signatures expedite the signing process. Social workers can get the necessary approvals in place swiftly, reducing response times and ensuring that children and families receive the support they need without unnecessary delays.

These benefits underscore how Signority’s digital signature solution is uniquely positioned to meet the needs of Child & Family Services by simplifying administrative tasks, ensuring data security, and enhancing efficiency in a sector where time and accuracy are critical for protecting vulnerable children and families.

Ultimately, the mission is clear. It’s not just about digitization for the sake of modernity. It’s about providing Child & Family Services with the platform they need to do their job more efficiently, so more time and resources can be allocated where they matter most: directly with children and their families.

By leveraging the power of Signority, Child & Family Services organizations can ensure that every child’s story is not just heard but also acted upon with the efficiency, care, and urgency it deserves.

Signority is proud to be a part of this transformative journey, offering solutions that make a tangible difference in the lives of many.

The Story Behind Signority’s AI Development

A Challenging Ecosystem

Ontario is home to a thriving innovation ecosystem with numerous start-ups and SMEs working on cutting-edge technologies and highly focused on innovation within the Canadian industry. However, many of these innovators face severe challenges when it comes to securing funding to develop and scale their projects. As a Canadian start-up, Signority, a key player in the eSignature industry, was no stranger to these challenges in 2022, when our paths crossed with the NCFDC.

“We’ve had plans to adopt AI technology to enhance the ease of use of our platform for some time, but funding restrictions prevented us from implementing it.”

 

Jane He, CEO and founder of Signority.

An Innovation Ally

The Northumberland Community Futures Development Corporation (NCFDC) is an independent business development corporation dedicated to providing financing and strategy for entrepreneurs based in Ontario, Canada. The NCFDC is committed to supporting local innovators by providing them with the necessary funding to help bring their ideas to life. Through their programs and services, this organization is helping to drive innovation and economic growth in Ontario and in all of Canada, as this is one of its economic centers. They achieve their ultimate goal through a range of funding options, including grants, loans, and equity investments, to help innovators take their ideas to the next level.

 

There are five ongoing programs currently run by a group of passionate and experienced staff. Their goal is to help promote economic development and job creation in the region by providing support to innovative and promising business ideas.

“We support innovation and entrepreneurship as a pathway to future prosperity.”

NCFDC

 

thriveFORWARD: The Program that Revolutionized Signority

Signority specializes in providing secure and easy-to-use eSignature solutions to businesses of all sizes. It was founded by a team of entrepreneurs who saw an opportunity to streamline the signing process and reduce paper waste. That was only the beginning. Using this type of technology, other companies in countless industries have been able to adopt innovation as part of their day to day.

After 10 years of being a key player in the eSignature ecosystem it is key to keep Signority at the forefront of its field. Technology is ever evolving and so are our customer needs. There is one concept that in recent years has become common and furthermore, a synonym of innovation, productivity, and efficacy in the SaaS world: Artificial Intelligence. 

 

AI is a rapidly growing field, and many companies are looking for ways to incorporate AI into their products and services. The goal is to use it to overcome challenges that traditional technologies are not equipped to achieve. Here at Signority, we were at this very stage. 

 

The biggest challenge for companies when adopting eSignature solutions is an ever evolving user with habits that are not easy to change related to document sending and signing processes. This could include team permission hierarchy, different tags and behavior of those tags, messages for senders, types of senders, types of documents or even a mistrust of technology. Every single one of those setups must comply with legal acts, bylaws and privacy policies depending on the document sensitivity. This can be different for each organization or team. Thanks to AI technology, Signority has approached this challenge through an innovative framework.

However, developing AI technology can be a costly and time-consuming endeavor. This is where funding from organizations like NCFDC can be a game-changer. With thriveFORWARD we were able to revolutionize eSignature usability by leveraging AI technology. This translates to more value for users and a user experience taken to the next level.

 

The thriveFORWARD fund was a key aspect of this journey, becoming the fuel to an engine that allowed us to implement fundamental AI components to our platform and revolutionize eSigning. 

 

“This achievement represents a critical milestone in Signority’s history, and we’re proud to have created many highly skilled jobs in Canada. We’re grateful to the NCFDC team for helping us realize our vision of building a strong Canadian tech company.” Jane He, CEO and Founder of Signority.

Our NCFDC Experience

We are extremely grateful for the support we received from the NCFDC. The experience we have had at Signority for applying to the thriveForward SME fund has been highly efficient and pleasant, from the very first touchpoint to receiving the grant. 

 

Entrepreneurship is a wonderful journey but not an easy one. It is filled with long hours, sleepless nights and a lot of unknowns. Frustration is the word of the day almost every day for the modern entrepreneur. When an organization like NCFDC truly understands your needs, it can make all the difference in the world.

As processes go, lengthy and confusing explanations were expected, as with any grant request (cue frustration). This is something that would inevitably delay the application process as we got acquainted with all that was required. However, from the very first step, the online application guides were clear and provided enough detail for us to understand what was expected.

Things were looking up. Could this be a company that understood what we needed and had a team of people actively working towards helping us achieve our goal? We decided not to get ahead of ourselves and enjoy the clarity and easy journey they offered.

Requirements, eligibility, terms, conditions, and measurement were clear and concise as well as transparent and understandable. This translated to a great beginning to our customer journey with them. The site was easy to navigate and finding information was simple, which helped avoid jumping around different pages and losing track of readings.

As with any grant application, as the process continued moving forward, questions arose and the need for a human touch was clear. This was when NCFDC proved that they do not only provide services, they provide a whole experience for their users. The staff and consultants were great listeners; they clearly knew their craft but beyond that, they were actively focused on providing the support needed at each stage. They answered all our questions within hours and were ready and willing to provide help regarding all topics needed. Sometimes those topics were not only questions about filling out forms, but a friend who actively reminded us of where we were going. Someone who continuously provided emotional and technical support throughout a tiring journey.

Grants are not easy to apply for; anyone can tell you that. Lots of forms and a myriad of deep data are required to even fit the eligibility criteria. After writing for hours and staring blankly at documents with thousands of questions and spaces that need to be filled out, it can be refreshing to talk to someone who eases that path. There is not much anyone can do to avoid all those forms, but NCFDC proved to us that there is a lot an organization can do to make that journey lighter, calmer and even unique.

The reporting stage was no different. Help was always easy to get, email reminders were constant but evenly spaced, allowing our team to work on the documents with enough time in hand. Not only that but by now we had built rapport with them, we felt we could talk freely and they would listen. By now we had a deeply ingrained belief that they cared about us and understood us. 

 

This made it clear to us this organization is run by highly trained professionals with a clear understanding of their brand vision and values, as well as their goal. As users, our entire experience felt unique, easy, and streamlined. NCFDC made us feel welcome and important. They are a customer-centric organization that puts their customers at the center of everything they do. When you find a company that understands your needs more than any other, it’s natural to feel grateful. This feeling is a testament to the quality of their work, which reverberated inside Signority. It is important to recognize the efforts of companies like NCFDC and appreciate them. With more companies like this we could all turn the world of business and tech into an even more nurturing and fulfilling experience than it already is.

Our CEO and founder, Jane He, mentioned the following when talking about the experience:  

 

As a Canadian eSignature company competing in the global market, innovation is essential for us to remain a market leader. We’ve had plans to adopt AI technology to enhance the ease of use of our platform for some time, but funding restrictions prevented us from implementing it. Thanks to the thriveFORWARD fund, we were able to develop the fundamental components necessary to build interactive document preparation and improve our platform’s functionality before documents are sent for signatures. This achievement represents a critical milestone in Signority’s history, and we’re proud to have created many highly skilled jobs in Canada. We’re grateful to the NCFDC team for helping us realize our vision of building a strong Canadian tech company.

Privacy and Signority’s Data Localization Technology

Signority’s Data Localization Technology

Signority, Privacy, and Data Localization

For governments there has to be a balance between privacy protection and innovating technologies that provide the best accessibility to their citizens. As a global eSignature company, Signority makes every effort to comply with the laws of every jurisdiction globally. To comply with data sovereignty it is not just a matter of where the data centre is located.

Signority eSignature Platform (SeSP) has the full competence to implement a data localization solution to isolate customer data within the enterprise’s designated geographic locations, anywhere globally. 

How to Ensure Data Localization

Your Choice of Data Centre Locations:

Signority gives options to enterprise customers by offering a dedicated private cloud solution. SeSP is hosted in the state-of-the-art AWS data centre in Canada for the public cloud and can be hosted in any customer-designated geographic location through AWS’s global zones.

Your Choice of 3rd party integration vendors

Through Signority RESTful API integrations, customers can use their own qualified vendors to replace the SeSP out-of-the-box 3rd party vendors, such as the email notification vendor, the SMS vendor for 2-factor authentication and the digital certificate vendor for document encryption.

Your Choice of Backups and Retention Policy

Through integration, our customers can synchronize and store every signed document to their record management system or network devices. You can configure the retention period and delete signed documents from the Signority cloud after they are fully backed up to your own systems.   

Restricted IP Address Range for Access

Often corporate policy only permits certain access points to access highly sensitive documents. Signority’s enterprise customers can configure the IP address ranges from which their users may log in to their Signority accounts. This also offers great protection against hacking incidents from unauthorized geographic areas.

Legal Assurance

Signority has a Data Protection Agreement (DPA) along with an Enterprise Agreement that is based on the European General Data Protection Regulation (GDPR). Our Data Atlas details how the different types of data are processed and managed in SeSP.  

Empower Signority Employees with Processes and Training to Protect Your Privacy

Security training is a mandatory objective in every employee’s annual performance review. Customer Success staff must go through rigid privacy training on what to ask and how to ask when confronted with sensitive data. Customer Service is important, and is not outsourced overseas. We believe people that represent Signority must share the same values and the same security and privacy awareness.

The Signority Enterprise Solution allows for customized location, scale, and backup format. No matter where you are, Signority, as a global player, aims to provide an efficient eSignature technology.

I encourage you to read two of our previous blogs about Signority’s security practice:

How Signority Secures Your Data 

Security Features You Need in An eSign Platform

Where do you “warehouse” your data?

If you were warehousing physical goods, you would want to know what laws apply to your goods. The data centre location question is equivalent: foreign location means foreign legislation.

Privacy Officers, Legal Counsel, or the Compliance Teams of your organization have an understanding of the risk factors associated with data residency requirements. Signority has the full capability of meeting your needs. If you’d like to learn more, contact us:

  • Phone:  833-222-1088
  • using the chat icon on the bottom right of your screen,
  • or through our contact form

Frequently Asked Questions

A company has a “.ca” domain name. Does it mean the data centre is in Canada?

Not at all. Having a “.ca” website has nothing to do with data centre locations. To get a “.ca” domain you must meet the Canadian Presence Requirements: https://www.cira.ca/policy/rules-and-procedures/canadian-presence-requirements-registrants

Once you have the “.ca” domain name, the hosting servers can be anywhere in the world.

A company claims on the website that their data is located in Canada for Canadian customers but refused to sign our privacy act that has clear requirements for Canadian data residency. Why is this?

No matter what the marketing collateral states, signing your privacy agreement is the actual commitment. If this ever occurs, please question their business integrity. Privacy has become a prominent risk factor. Do not compromise on that unless your Privacy Officer has completed a Privacy Impact Assessment (PIA) and agreed to it.

Your Privacy, Not Sharing Is Caring

Our Canadian business and enterprise customers often ask us: what does “Data Centre” in Canada mean? This sounds like a simple question, but actually it isn’t. Let’s dive into what data location means to you. 

Privacy is the main driving force for using data centres with a determined location. For financial and medical records, for example, we would like governmental or legal protection of that data. But inevitably, everybody uses multiple cloud applications for business and personal purposes: Gmail, Office 365, iCloud, Facebook, etc. Google Maps keeps the last 10 years of your travel itinerary. Google gives me a map of everywhere I have been in the last month. Through data mining, your shopping and whatever other interests you and your family may have are potentially exposed. My robot vacuum cleaner has my household floor plan. Without governmental restrictions and law, the Cambridge Analytica scandal will happen over and over.

Using cloud applications (also referred to as Software-as-a-Service), consumers, for the most part, interact with the service provider directly. Major service providers leverage at least one or several infrastructure providers (also referred to as Infrastructure-as-a-Service) for data hosting, email notifications, or SMS messaging. Infrastructure companies are transparent to end-users: which server, where, and what type of infrastructure the cloud application uses is not visible to the end-user.

For privacy, a commitment from the entire chain, from the application on your phone, to the cloud application, and the infrastructure is required. While your service provider may not set out to violate your privacy, infrastructure companies may not care so much about your data sovereignty. The end-user has no control over the complexity of the multiple layers involved in using that app.

As an end-user, reading the “Terms of Service” may be boring, but it’s the responsible thing to do before you hit the “I Agree” button. Personal information is at risk, and it’s good to know your exposures. The convenience of cloud applications is great, but reading the “Terms of Service” is a habit that must be adopted.

Signority seeks to protect the end-user. Our customers demand it. Signority has been offering  eSignature applications for over 10 years. We make a point of having the Canadian data handled by our Canadian customers stay in Canada.

Canadian governmental organizations, not-for-profits, and private companies enjoy using Signority services, from Canadian servers, to serve Canadian residents. Information such as insurance forms, finances, medical data, HR data such as employee social insurance numbers, pay rates, job offers, even a primary school’s field trip waivers with health card numbers, are all located in Canadian servers for Canadian residents. For Signority, the end customer is the owner of the data, and we protect that by data colocation. We do not allow 3rd parties to mine our customers’ data, nor do we allow “metadata” analysis. Signority avoids the ramifications of cross-border storage of data by simply not crossing the border.

When considering your eSignature provider, consider your customers’ privacy and security. This applies to both the public and private sector. Signority offers a private cloud with a complete data localization solution that alleviates the worry about where your customer data is located, anywhere, while complying with global legislation. For privacy, Signority is your technological partner. Read our blog about Signority’s data localization solution.

Your Privacy Is In The Details

A few years ago, we received a postal letter from one of the investment funds to which we subscribe: a privacy policy change notice with many pages, small font on paper, thick legal jargon seemingly designed to discourage people from reading through them. It was a bank letter designed by lawyers.

There was a ‘deny’ form at the end: only mail the letter back if we disagreed with the financial institution moving the data centre outside of Canada. We read the entire document and strongly disagreed with the international data centre proposal. As Canadians, our data is not as protected on foreign soil as it is in Canada. This was definitely not acceptable. This would change the Data Location, where our bank stores our personal information, from Canada to outside of Canada.

“Data location” is also called “data residency”. In principle, everybody should have the ownership of their own personal data: we should have “Data Sovereignty”. But in practice, we are far from there. If you have accounts on Facebook, Google, or Microsoft, then you know your data is very likely in the United States (U.S.). 

But what about your financial, and medical data? Once upon a time, your records were on paper, locked up somewhere nearby. Turns out that the Internet is a more convenient place to store those records. 

Data Location can Affect Data Privacy

Here is another real life example from a friend. 

My friend had a recent encounter with an Ontario psychologist. The psychologist used a free Gmail account. Right off, my friend was put off by the unprofessionalism. Their services were $250/hour; the clinic should at least use a professional domain name.

I had a chance encounter with my friend. After some discussion, it turns out that more clinics use Gmail accounts. My friend decided to go with the flow and sign a contract, book appointments, get invoices to/from the Gmail account. But here is something that my friend, and the clinics, should know:

Fact: in Ontario, healthcare organizations must comply with the Ontario government’s Personal Health Information Protection Act, PHIPA. Under the PHIPA, healthcare professionals must disclose and receive consent if they would store your medical information outside of Canada.

The contract that my friend received had lots of legal jargon; she didn’t read it, but signed it anyway. Reviewing the contract, it does mention a couple of specialized apps that could be introduced to the patient. But there is no mention of Gmail, nor consent to Gmail.

Then the assessment reports started coming in. Medical information was now being sent via Gmail. This was now clearly in violation of PHIPA rules.

Personal Information (PI) is information that can identify you unequivocally as an individual. An email address by itself is not personal information, but when that email contains a name and street address, that is “Personal Information” as far as the PHIPA rules go. Furthermore, her Personal Health Information (PHI) is being sent via Gmail.

Cybersecurity and privacy concerns simply did not exist in the past. Your doctor, for example, would simply lock away your records in the filing cabinet. But now, we must look out for our own privacy. You can make some assumptions: a big hospital in Ontario is very likely to be following PHIPA rules, but smaller clinics may not be. 

You can ask the clinic if they follow PHIPA rules, or maybe where they store their patients’ data. In the case of my friend’s psychologist, we have taken the time to inform him of the rules, the PHIPA rules specifically, that he should be following. Ultimately, that psychologist could have been reported to the College of Psychologists of Ontario, but that would have been an extreme measure.

Bottom line: vigilance is required every day for all interactions on the Internet. Your privacy is always at risk. The more private information you give, the more you have to think about your own cybersecurity. If the information is important to you, then you must consider the location of your information.