Between MyoMesh Technologies Inc. and the Health Information Custodian — governing how MyoMesh collects, uses, and protects personal health information on the studio's behalf under Ontario's Personal Health Information Protection Act.
This Data Processing Agreement ("Agreement") is entered into between:
MyoMesh Technologies Inc. — an Ontario, Canada corporation operating the MyoMesh practice-management platform. Under Ontario's Personal Health Information Protection Act, 2004 ("PHIPA"), MyoMesh acts as an Electronic Service Provider (ESP) to the subscribing studio.
The Subscribing Studio — the clinic, practice, or practitioner holding the active MyoMesh subscription, identified in the account billing record. The Studio is the Health Information Custodian (HIC) under PHIPA for all client records created on the platform.
The purpose of this Agreement is to set out, in plain language, how MyoMesh collects, uses, stores, and protects personal health information on behalf of the Studio. Together with the Privacy Policy and the Terms of Service, this document forms the complete data-protection framework for the MyoMesh platform.
The following terms carry the meanings assigned to them below throughout this Agreement:
Personal Health Information (PHI) — identifying information about an individual in oral or recorded form that relates to their physical or mental health, the provision of health care, or payments for health care, as defined under PHIPA section 4.
Health Information Custodian (HIC) — the Studio and its practitioners, in their capacity as the persons having custody or control of PHI under PHIPA.
Electronic Service Provider (ESP) — a person or entity that supplies services to a Health Information Custodian for the purpose of enabling the custodian to use electronic means to collect, use, disclose, retain, or dispose of personal health information, as contemplated by PHIPA section 10(4). MyoMesh is the ESP under this Agreement.
Sub-processor — any third party that MyoMesh engages to help deliver the platform services (for example, cloud infrastructure, email delivery, SMS, AI processing). A current list is set out in Section 6.
MyoMind — MyoMesh's optional AI clinical decision-support feature, which uses third-party AI services to assist practitioners with documentation and analysis. MyoMind is governed by Section 7 and by the MyoMind sections of the Privacy Policy and Terms of Service.
MyoMesh acts as an Electronic Service Provider and agent of the Health Information Custodian under PHIPA. This means MyoMesh handles PHI only on the Studio's instructions and only for the purposes the Studio has authorised.
Specifically, MyoMesh:
MyoMesh processes the following categories of information on behalf of the Studio, solely to deliver the platform services:
Client names, contact information (email, phone, address), intake forms, session notes, body chart data, clinical assessments (SOAP fields, ROM, MMT grading, special tests, outcome measures), treatment plans, medical history, and payment records associated with that client.
Practitioner profiles, staff schedules, calendar integrations, studio settings, session types, pricing, and business reports. Where a practitioner has connected an external calendar (Google Calendar, Microsoft Outlook), session metadata may be synchronised to that calendar with the practitioner's explicit OAuth consent.
Authentication records, audit logs, session activity, and technical diagnostic data used to operate, secure, and support the platform.
All of this data is processed solely to deliver the MyoMesh platform services as contracted. It is not repurposed, combined, or analysed for any use beyond that.
MyoMesh implements administrative, technical, and physical safeguards that are reasonable and appropriate given the sensitivity of PHI:
Data at rest is encrypted with AES-256 by Google Cloud Firestore. Data in transit is encrypted with TLS 1.2 or higher. The platform is accessible only over HTTPS.
Only a small number of authorised MyoMesh personnel can access production data, and only when strictly required for support, maintenance, or incident response. Internal access is governed by role-based permissions, individual-user authentication, and a written least-privilege policy. Routine operations do not require access to PHI.
The MyoMesh backend runs on Google Firebase and Cloud Firestore, which maintain ISO 27001, SOC 2, and SOC 3 certifications. Production data is stored in the Canadian northamerica-northeast2 (Toronto) region.
The platform writes a PHIPA-aligned audit log of access to and modification of client records. Logs capture who accessed what, when, and from where, and are retained for compliance purposes.
Security practices, code changes, dependency versions, and third-party integrations are reviewed on a regular cadence. Material changes that affect PHI handling are documented in the change log.
MyoMesh uses the following sub-processors to deliver the platform. Each is bound by a written agreement that restricts processing of data to the described purpose only.
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Anthropic PBC | San Francisco, CA, USA | MyoMind AI processing | De-identified data only; Zero Data Retention Agreement (pending); no AI training on customer data. |
| Google LLC (Firebase / Firestore) | USA (corporate); Canada (data) | Database and hosting | Google Cloud SOC 2, ISO 27001; data stored in Canada (northamerica-northeast2). |
| Resend Inc. | USA | Transactional email delivery | SOC 2. |
| Twilio Inc. | USA | SMS notifications | SOC 2; HIPAA BAA available. |
| Stripe Inc. | USA | Payment processing | PCI-DSS Level 1; payment data only, not clinical data. |
| Microsoft Corporation | USA | Outlook Calendar integration | Microsoft 365 compliance; optional feature, practitioner-initiated only. |
| Google LLC (Calendar / Meet) | USA | Google Calendar and Meet integration | Google Workspace compliance; optional feature, practitioner-initiated only. |
| Sentry (Functional Software Inc.) | San Francisco, CA, USA | Error monitoring and performance tracking | SOC 2; PHI fields scrubbed before transmission via beforeSend hook; no PHI reaches Sentry servers. |
Changes to sub-processors: MyoMesh will notify Studios of any material change to this sub-processor list with at least 30 days' advance written notice by email to the account owner. Studios that object to a material change may terminate this Agreement under Section 12 during the notice period.
MyoMind is an optional AI-powered clinical decision-support feature. Because MyoMind involves transmission of de-identified clinical content to a third-party AI service located in the United States, it is governed by the additional controls described below. Full disclosure of the data-flow is set out in Section 16 of the Privacy Policy and Section 17 of the Terms of Service.
MyoMind is enabled for a client only after that client has provided explicit, informed, written consent through the Studio's intake waiver. The Studio is responsible for capturing, retaining, and honouring that consent. MyoMesh enforces the consent requirement technically — MyoMind features will not process a client's data without a recorded consent on file.
Before any data is transmitted to the AI service, MyoMesh automatically removes or replaces client names, email addresses, phone numbers, Ontario-format health card numbers, date-of-birth labels and values, and street addresses. De-identification happens in the browser, before the request leaves the device.
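The de-identification step above and the Sentry beforeSend scrubbing listed in the sub-processor table reduce to the same operation: strip a known set of identifier patterns from text before it leaves the browser, and refuse to send if anything still matches. The following is an added JavaScript example of that operation; it is not MyoMesh's code. Every regular expression, the replacement tokens, the sample note, the name list and the Sentry-style event shape are assumptions made for illustration.

```javascript
// Added example, not MyoMesh's own code: redact identifier patterns from
// clinical text in the browser before it is sent anywhere (an AI request or
// an error-tracker event). Patterns, tokens and event shape are assumptions.

// Pattern order matters. The DOB label+value runs first so a date is not
// half-eaten by the phone pattern; phone runs before health card because a
// bare 10-digit string is ambiguous between the two (either way it is redacted).
const PATTERNS = [
  { tag: "[DOB]",
    re: /\b(?:DOB|D\.O\.B\.|date of birth)\s*[:\-]?\s*(?:\d{4}-\d{2}-\d{2}|\d{1,2}\/\d{1,2}\/\d{2,4}|[A-Za-z]+\s+\d{1,2},?\s+\d{4})/gi },
  { tag: "[EMAIL]", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { tag: "[PHONE]", re: /(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g },
  // Ontario health card: 10 digits grouped 4-3-3, optional 2-letter version code.
  { tag: "[OHIP]", re: /\b\d{4}[- ]?\d{3}[- ]?\d{3}(?:[- ]?[A-Z]{2})?\b/g },
  // Civic number, one to three capitalised words, then a common street suffix.
  { tag: "[ADDRESS]",
    re: /\b\d{1,6}\s+(?:[A-Z][a-z]+\s+){1,3}(?:Street|St|Avenue|Ave|Road|Rd|Drive|Dr|Boulevard|Blvd|Crescent|Cres|Court|Ct|Lane|Ln|Way)\b/g },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Names cannot be found by pattern; they come from the open client record.
// Longest first so "Jane Doe" is replaced before "Jane" or "Doe" alone.
function redactNames(text, knownNames) {
  const names = [...knownNames].filter((n) => n && n.trim().length > 1)
    .sort((a, b) => b.length - a.length);
  let out = text;
  for (const name of names) {
    out = out.replace(new RegExp(`\\b${escapeRegExp(name.trim())}\\b`, "gi"), "[CLIENT]");
  }
  return out;
}

// Patterns first, then names: redacting "Jane" inside "jane.doe@example.com"
// before the email pattern runs would leave the domain behind.
function deidentify(text, knownNames = []) {
  let out = text;
  for (const { re, tag } of PATTERNS) out = out.replace(re, tag);
  return redactNames(out, knownNames);
}

// True if any identifier pattern still matches. String.search ignores the
// global flag's lastIndex, so the shared RegExp objects are safe to reuse.
function containsIdentifiers(text) {
  return PATTERNS.some(({ re }) => text.search(re) !== -1);
}

// Fail closed: never hand back text that still matches a pattern.
function deidentifyOrThrow(text, knownNames = []) {
  const out = deidentify(text, knownNames);
  if (containsIdentifiers(out)) throw new Error("de-identification incomplete; refusing to send");
  return out;
}

// Sentry-style beforeSend (event shape assumed): pass every string through
// deidentify() and drop fields that identify the end user by construction.
function scrubEvent(event, knownNames = []) {
  const walk = (v) => {
    if (typeof v === "string") return deidentify(v, knownNames);
    if (Array.isArray(v)) return v.map(walk);
    if (v && typeof v === "object") {
      return Object.fromEntries(Object.entries(v).map(([k, val]) => [k, walk(val)]));
    }
    return v;
  };
  const scrubbed = walk(event);
  delete scrubbed.user;                                  // end-user identity
  if (scrubbed.request) delete scrubbed.request.cookies; // session material
  return scrubbed;
}

// Constructed sample, not real client data.
const SAMPLE_NAMES = ["Jane Doe", "Jane", "Doe"];
const SAMPLE_NOTE =
  "Jane Doe (DOB: 1985-03-14, OHIP 1234-567-890-AB) reports L shoulder pain. " +
  "Reach her at jane.doe@example.com or (416) 555-0199; lives at 12 Main Street. " +
  "ROM: flexion 140 deg. Plan: continue MMT grading next visit.";

const SAMPLE_EVENT = {
  message: "Failed to save note for Jane Doe <jane.doe@example.com>",
  user: { id: "u_42", email: "jane.doe@example.com" },
  request: { url: "/clients/42/notes", cookies: "session=constructed" },
  extra: { note: SAMPLE_NOTE },
};

console.log(deidentifyOrThrow(SAMPLE_NOTE, SAMPLE_NAMES));
console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT, SAMPLE_NAMES), null, 2));
```

The clinical content (ROM value, plan, MMT reference) survives while every identifier is replaced by a token, which is what the AI service or error tracker should receive. The limitation to keep in view is that pattern-based redaction only removes what its patterns describe: a nickname typed into free text, an address whose suffix is not in the list, or a health card number written in an unexpected grouping passes straight through, and the fail-closed guard cannot flag it because nothing matches. That is why the practitioner review step and the client-consent gate remain necessary controls rather than formalities.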
AI-generated content is a decision-support tool only. It must be reviewed and approved by a qualified practitioner before being saved to a client record. MyoMind is not a medical device, not a diagnostic tool, and not a substitute for professional clinical judgement. The practitioner is the author of record for every saved note, plan, or assessment regardless of whether MyoMind was used to draft it.
BAA in progress: MyoMesh is in the process of executing a Business Associate Agreement with Anthropic covering HIPAA-ready services. Until the BAA is executed, Studios using MyoMind acknowledge this limitation and remain responsible for ensuring that their use of MyoMind complies with applicable health-privacy legislation and professional standards.
MyoMesh retains PHI only for as long as the Studio's subscription is active, plus a brief post-cancellation window to allow for data export.
Active subscription: PHI is retained on the platform for as long as the Studio's subscription remains active.
30-day export window: Upon cancellation, PHI is available for full export by the account owner for 30 days from the cancellation effective date. The Studio is responsible for retrieving any data it wishes to retain during this window.
Permanent deletion: After the 30-day window, MyoMesh deletes all PHI associated with the Studio from primary storage and instructs active sub-processors to delete their copies. Copies held in backups are removed as those backups are rotated out on the provider's schedule, so residual copies may persist until that rotation completes.
Sub-processor deletion: Sub-processors are instructed to delete or anonymise data in accordance with their own retention policies and applicable law. Transactional logs retained by sub-processors for fraud-prevention, billing, or regulatory purposes may persist on their own schedules.
MyoMesh will notify the Studio within 48 hours of becoming aware of any unauthorised access to, loss of, or disclosure of PHI associated with the Studio's account. Notice will be sent to the account owner's registered email address and will include, to the extent then known:
The Studio, as Health Information Custodian, remains responsible for any further notifications required under PHIPA — including notice to affected individuals and to the Information and Privacy Commissioner of Ontario pursuant to PHIPA section 12 and Ontario Regulation 329/04. MyoMesh will provide reasonable cooperation, technical detail, and timeline information to support those notifications.
The Studio, as Health Information Custodian, is responsible for:
As Electronic Service Provider under PHIPA, MyoMesh agrees to:
This Agreement takes effect on the date the Studio activates its MyoMesh subscription and remains in effect for as long as that subscription is active.
Either party may terminate this Agreement by giving the other party 30 days' written notice. Termination of this Agreement automatically terminates the Studio's access to the MyoMesh platform at the end of the notice period.
Sections that survive termination: Sections 5 (protection, to the extent data remains held), 8 (retention and deletion), 9 (breach notification for incidents occurring before deletion is complete), and 11 (ESP obligations relating to the above) survive termination and remain in effect until all residual PHI has been returned, deleted, or anonymised.
This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-law principles.
Any dispute arising out of or in connection with this Agreement is subject to the exclusive jurisdiction of the courts of Ontario.
Nothing in this Agreement limits either party's rights or obligations under PHIPA, or the authority of the Information and Privacy Commissioner of Ontario to investigate, order production of records, or issue directions in respect of the handling of PHI on this platform.
MyoMesh may update this Agreement from time to time. When an update materially affects how PHI is collected, used, disclosed, protected, or retained, MyoMesh will notify the account owner by email with at least 30 days' written notice before the change takes effect.
Continued use of the platform after the effective date of an updated Agreement constitutes acceptance of the updated terms. Material changes will be flagged clearly in the notification email and, where helpful, summarised in a short change log.
Non-material changes — for example, typographical corrections, formatting improvements, or clarifications that do not alter rights or obligations — may be made without prior notice. The "Last updated" date at the top of this document reflects the most recent revision.
Questions, concerns, requests, or complaints relating to this Agreement or the handling of PHI on the MyoMesh platform should be directed to:
Privacy inquiries & data subject requests:
privacy@myomesh.ca
Breach reports & security incidents:
security@myomesh.com
External oversight — Information and Privacy Commissioner of Ontario:
www.ipc.on.ca | 1-800-387-0073
Clients who believe their PHI has been handled contrary to PHIPA have the right to complain to the Information and Privacy Commissioner of Ontario at any time.
This Agreement is executed electronically. The Studio's acceptance is captured at the point of account activation and is recorded with the metadata shown below.
Studio name: [captured from account billing record]
Signatory name: [account owner at time of activation]
Date signed: [captured at account activation]
IP address recorded: [captured at account activation]