Between MyoMesh Technologies Inc. and the Health Information Custodian — governing how MyoMesh collects, uses, and protects personal health information on the studio's behalf under Ontario's Personal Health Information Protection Act.
This Data Processing Agreement ("Agreement") is entered into between:
MyoMesh Technologies Inc. — an Ontario, Canada corporation operating the MyoMesh practice-management platform. Under Ontario's Personal Health Information Protection Act, 2004 ("PHIPA"), MyoMesh acts as an Electronic Service Provider (ESP) to the subscribing studio.
The Subscribing Studio — the clinic, practice, or practitioner holding the active MyoMesh subscription, identified in the account billing record. The Studio is the Health Information Custodian (HIC) under PHIPA for all client records created on the platform.
The purpose of this Agreement is to set out, in plain language, how MyoMesh collects, uses, stores, and protects personal health information on behalf of the Studio. Together with the Privacy Policy and the Terms of Service, this document forms the complete data-protection framework for the MyoMesh platform.
The following terms carry the meanings assigned to them below throughout this Agreement:
Personal Health Information (PHI) — identifying information about an individual in oral or recorded form that relates to their physical or mental health, the provision of health care, or payments for health care, as defined under PHIPA section 4.
Health Information Custodian (HIC) — the Studio and its practitioners, in their capacity as the persons having custody or control of PHI under PHIPA.
Electronic Service Provider (ESP) — a person or entity that supplies services to a Health Information Custodian for the purpose of enabling the custodian to use electronic means to collect, use, disclose, retain, or dispose of personal health information, as contemplated by PHIPA section 10(4). MyoMesh is the ESP under this Agreement.
Sub-processor — any third party that MyoMesh engages to help deliver the platform services (for example, cloud infrastructure, email delivery, SMS, AI processing). A current list is set out in Section 6.
MyoMind — MyoMesh's optional AI clinical decision-support feature, which uses third-party AI services to assist practitioners with documentation and analysis. MyoMind is governed by Section 7 and by the MyoMind sections of the Privacy Policy and Terms of Service.
MyoMesh acts as an Electronic Service Provider and agent of the Health Information Custodian under PHIPA. This means MyoMesh handles PHI only on the Studio's instructions and only for the purposes the Studio has authorised.
Specifically, MyoMesh:
MyoMesh processes the following categories of information on behalf of the Studio, solely to deliver the platform services:
Client names, contact information (email, phone, address), intake forms, session notes, body chart data, clinical assessments (SOAP fields, ROM, MMT grading, special tests, outcome measures), treatment plans, medical history, and payment records associated with that client.
Practitioner profiles, staff schedules, calendar integrations, studio settings, session types, pricing, and business reports. Where a practitioner has connected an external calendar (Google Calendar, Microsoft Outlook), session metadata may be synchronised to that calendar with the practitioner's explicit OAuth consent.
Authentication records, audit logs, session activity, and technical diagnostic data used to operate, secure, and support the platform.
All of this data is processed solely to deliver the MyoMesh platform services as contracted. It is not repurposed, combined, or analysed for any use beyond that.
MyoMesh implements administrative, technical, and physical safeguards that are reasonable and appropriate given the sensitivity of PHI:
Data at rest is encrypted with AES-256 by Google Cloud Firestore. Data in transit is encrypted with TLS 1.2 or higher. The platform is accessible only over HTTPS.
Only a small number of authorised MyoMesh personnel can access production data, and only when strictly required for support, maintenance, or incident response. Internal access is governed by role-based permissions, individual-user authentication, and a written least-privilege policy. Routine operations do not require access to PHI.
The MyoMesh backend runs on Google Firebase and Cloud Firestore, which maintain ISO 27001, SOC 2, and SOC 3 certifications. Production data is stored in the Canadian northamerica-northeast2 (Toronto) region.
The platform writes a PHIPA-aligned audit log of access to and modification of client records. Logs capture who accessed what, when, and from where, and are retained for compliance purposes.
Security practices, code changes, dependency versions, and third-party integrations are reviewed on a regular cadence. Material changes that affect PHI handling are documented in the change log.
MyoMesh uses the following sub-processors to deliver the platform. Each is bound by a written agreement that restricts processing of data to the described purpose only.
| Provider | Location | Purpose | Safeguards |
|---|---|---|---|
| Google LLC (Vertex AI / Cloud Functions) | USA (us-east5, Columbus, Ohio) | MyoMind AI processing | De-identified data only (de-identification occurs in browser before transmission). Processing via Google Cloud Platform infrastructure. Google's Cloud Data Processing Addendum applies; inputs are not used to train AI models. Google Workspace HIPAA BAA signed May 7, 2026 (Customer ID: C02zuexro) covers Workspace services; Vertex AI is governed by Google Cloud Platform data processing terms which provide equivalent Zero Data Retention protections. See Section 7.4 for full disclosure. |
| Google LLC (Firebase / Firestore) | USA (corporate); Canada (data) | Database and hosting | Google Cloud SOC 2, ISO 27001; data stored in Canada (northamerica-northeast2). |
| Resend Inc. | USA | Transactional email delivery | SOC 2. |
| Twilio Inc. | USA | SMS notifications | SOC 2; HIPAA BAA available. |
| Stripe Inc. | USA | Payment processing | PCI-DSS Level 1; payment data only, not clinical data. |
| Microsoft Corporation | USA | Outlook Calendar integration | Microsoft 365 compliance; optional feature, practitioner-initiated only. |
| Google LLC (Calendar / Meet) | USA | Google Calendar and Meet integration | Google Workspace compliance; optional feature, practitioner-initiated only. |
| Sentry (Functional Software Inc.) | San Francisco, CA, USA | Error monitoring and performance tracking | SOC 2; PHI fields scrubbed before transmission via beforeSend hook; no PHI reaches Sentry servers. |
Changes to sub-processors: MyoMesh will notify Studios of any material change to this sub-processor list with at least 30 days' advance written notice by email to the account owner. Studios that object to a material change may terminate this Agreement under Section 12 during the notice period.
MyoMind is an optional AI-powered clinical decision-support feature. Because MyoMind involves transmission of de-identified clinical content to a third-party AI service located in the United States, it is governed by the additional controls described below. Full disclosure of the data-flow is set out in Section 16 of the Privacy Policy and Section 17 of the Terms of Service.
MyoMind is enabled for a client only after that client has provided explicit, informed, written consent through the Studio's intake waiver. The Studio is responsible for capturing, retaining, and honouring that consent. MyoMesh enforces the consent requirement technically — MyoMind features will not process a client's data without a recorded consent on file.
Before any data is transmitted to the AI service, MyoMesh automatically removes or replaces client names, email addresses, phone numbers, Ontario-format health card numbers, date-of-birth labels and values, and street addresses. De-identification happens in the browser, before the request leaves the device.
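The following is an added illustration of the two client-side safeguards described in this Agreement: the consent gate and browser-side de-identification in this Section, and the Sentry `beforeSend` scrub listed in Section 6. It is example code written for this page, not MyoMesh's implementation. The regular expressions, the bracketed placeholders, the `myoMindConsent` field name, the constructed sample note and the simplified event shape are all assumptions.

```javascript
// Added example (not MyoMesh's code). Demonstrates: (1) scrubbing the PHI categories
// named in the Agreement before text leaves the browser, (2) a residual-PHI check so a
// request is refused rather than sent when scrubbing is incomplete, (3) a consent gate,
// and (4) reusing the same scrubber inside a Sentry-style beforeSend hook.
// All patterns and field names below are assumptions made for illustration.

// Ordered [label, pattern] pairs. Order matters for labelling only: an unformatted
// 10-digit phone number would be caught by the health-card pattern first, which still
// removes it. Every category is removed either way.
const PHI_PATTERNS = [
  ["EMAIL", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  // Ontario health card: 10 digits, optionally grouped 4-3-3, optional 2-letter version code.
  ["HEALTH_CARD", /\b\d{4}[- ]?\d{3}[- ]?\d{3}(?:[- ]?[A-Z]{2})?\b/g],
  // North American phone numbers with common separators.
  ["PHONE", /(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b/g],
  // Date-of-birth label together with its value, e.g. "DOB: 1985-03-12".
  ["DOB", /\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,4}[\/\-.]\d{1,2}[\/\-.]\d{1,4}/gi],
  // Street address: civic number, one to three capitalised words, common street suffix.
  ["ADDRESS", /\b\d{1,6}\s+(?:[A-Z][a-z]+\s+){1,3}(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive|Cres|Crescent|Way|Lane|Ln)\b\.?/g],
];

// Client names are taken from the record's own name fields rather than guessed from
// free text, so they can be replaced reliably before the pattern pass runs.
function deidentify(text, knownNames = []) {
  let out = text;
  for (const name of knownNames) {
    if (!name) continue;
    const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    out = out.replace(new RegExp(`\\b${escaped}\\b`, "gi"), "[CLIENT]");
  }
  for (const [label, re] of PHI_PATTERNS) {
    out = out.replace(re, `[${label}]`);
  }
  return out;
}

// Returns the labels of any PHI still present. Used as a final check: if anything is
// found after scrubbing, the request must not be sent.
function residualPhi(text, knownNames = []) {
  const hits = [];
  for (const name of knownNames) {
    if (name && text.toLowerCase().includes(name.toLowerCase())) hits.push("NAME");
  }
  for (const [label, re] of PHI_PATTERNS) {
    if (text.match(re)) hits.push(label);
  }
  return hits;
}

// Consent gate plus scrub. `myoMindConsent.recordedAt` is an assumed field, not
// MyoMesh's schema. Throws rather than returning partially de-identified text.
function prepareMyoMindRequest(client, noteText) {
  if (!client.myoMindConsent || !client.myoMindConsent.recordedAt) {
    throw new Error("MyoMind consent not on file for this client");
  }
  const names = [client.name].filter(Boolean);
  const text = deidentify(noteText, names);
  const leaks = residualPhi(text, names);
  if (leaks.length > 0) {
    throw new Error(`de-identification incomplete: ${leaks.join(", ")}`);
  }
  return { text, consentRecordedAt: client.myoMindConsent.recordedAt };
}

// Builds a function suitable for Sentry.init({ beforeSend }). The event shape here is a
// simplified stand-in: free-text fields are scrubbed and request bodies are dropped.
function makeBeforeSend(knownNames = []) {
  return function beforeSend(event) {
    const scrubbed = { ...event };
    if (typeof scrubbed.message === "string") {
      scrubbed.message = deidentify(scrubbed.message, knownNames);
    }
    if (scrubbed.request) {
      scrubbed.request = { ...scrubbed.request, data: undefined };
    }
    if (scrubbed.extra) {
      scrubbed.extra = Object.fromEntries(
        Object.entries(scrubbed.extra).map(([k, v]) =>
          [k, typeof v === "string" ? deidentify(v, knownNames) : v]),
      );
    }
    return scrubbed;
  };
}

// Constructed sample note (fictional client) for running the example stand-alone.
const SAMPLE_NOTE =
  "Client Jane Doe (jane.doe@example.com, 416-555-0100, HCN 1234-567-890 AB, " +
  "DOB: 1985-03-12) of 12 Queen Street reports R shoulder pain, ROM 120 deg flexion.";

console.log(deidentify(SAMPLE_NOTE, ["Jane Doe"]));
```

The order of operations is the point of the example: names are replaced from the record's own fields, the pattern pass runs next, and a residual check decides whether the request may leave the browser at all. A scrubber that is run but never verified gives no assurance; the check is what turns "de-identification happens in the browser" into something a Studio can test against its own intake data.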
AI-generated content is a decision-support tool only. It must be reviewed and approved by a qualified practitioner before being saved to a client record. MyoMind is not a medical device, not a diagnostic tool, and not a substitute for professional clinical judgement. The practitioner is the author of record for every saved note, plan, or assessment regardless of whether MyoMind was used to draft it.
Current AI provider — Google Vertex AI (Claude model): Effective May 7, 2026, MyoMesh processes all MyoMind requests via Google Cloud Platform's Vertex AI service using Anthropic's Claude model. MyoMesh no longer uses Anthropic's direct commercial API. All AI inference occurs within Google's cloud infrastructure.
Google Workspace HIPAA BAA — signed May 7, 2026: MyoMesh Technologies Inc. has executed the Google Workspace HIPAA Business Associate Amendment with Google LLC (Customer ID: C02zuexro; accepted by hello@myomesh.ca on May 7, 2026). This BAA governs MyoMesh's use of Google Workspace Covered Services as defined in the BAA (including Gmail, Calendar, Drive, and other Workspace products listed at workspace.google.com/terms/2015/1/hipaa_functionality.html). The BAA is maintained on file and available to Studios upon written request to privacy@myomesh.ca.
Vertex AI and Cloud Functions — Google Cloud Platform Data Processing Addendum (accepted May 12, 2026): MyoMind AI processing occurs via Google Cloud Platform services (Cloud Functions and Vertex AI), which are governed by Google Cloud's Cloud Data Processing Addendum (CDPA), formally accepted by hello@myomesh.ca on May 12, 2026. The CDPA provides that: (a) Google will not process Customer Data for advertising purposes; (b) Google will not sell Customer Data; (c) Customer Data is not used to train or improve Google's AI models without explicit consent; and (d) Customer Data is deleted or returned upon termination. MyoMesh operates within a formal GCP Organization (myomesh.ca, Organization ID: 694098221825) established May 12, 2026, and both production and development projects are hosted within this organization under the full protection of the CDPA. The CDPA is maintained on file and available to Studios upon written request to privacy@myomesh.ca.
Zero Data Retention: Google Cloud Platform's data processing terms provide that de-identified inputs submitted to Vertex AI are not retained beyond the duration of the API call for model-serving purposes. This is equivalent in effect to a contractual Zero Data Retention provision. Combined with MyoMesh's browser-side de-identification, what Google receives and processes is de-identified content only — not PHI.
Cross-border data transfer: Vertex AI processing occurs in Google's us-east5 (Columbus, Ohio) region. Google LLC is a US-incorporated company and data processed via Vertex AI is subject to US law, including the CLOUD Act. MyoMesh's de-identification of all clinical content prior to transmission is the primary safeguard. Studios should assess this disclosure in the context of their own PHIPA obligations and professional standards.
Summary of compliance posture as of May 12, 2026: Prior to May 7, 2026, MyoMind operated on Anthropic's standard commercial API with no BAA and no data processing agreement in place. MyoMesh has since completed the following: migration to Google Vertex AI (all AI processing now occurs within Google's cloud infrastructure; no direct Anthropic API calls are made); execution of the Google Workspace HIPAA BAA (May 7, 2026); establishment of a formal GCP Organization under myomesh.ca (May 12, 2026); and formal acceptance of the Google Cloud Platform Data Processing Addendum (May 12, 2026). These steps collectively represent a material and complete improvement in MyoMesh's compliance posture for the handling of de-identified clinical content via AI services.
MyoMesh maintains a documented governance process for all material changes to MyoMind. The following controls apply:
This governance process is designed to meet the accountability principle set out in the Information and Privacy Commissioner of Ontario’s guidance on the responsible use of AI in health information contexts.
MyoMesh commits to completing a Privacy Impact Assessment (PIA) for MyoMind in accordance with the IPC’s January 2026 guidance on AI in health settings. The PIA will assess MyoMind’s data flows, de-identification approach, third-party sub-processor risks (including the cross-border transfer described in Section 7.4), consent model, and governance controls. The PIA will be completed no later than September 1, 2026. Results of the PIA will be available to Studios on written request and will be used to update this Agreement where material gaps are identified.
If MyoMesh discontinues MyoMind or migrates to a different AI provider, MyoMesh will provide Studios with no less than 90 days’ written notice before the change takes effect. During this notice period Studios may export all AI-generated content saved to client records. AI-generated content already saved to client records at the time of decommissioning remains in Firestore under the Studio’s account and is subject to the data retention and deletion terms in Section 8. Where the change involves a new AI provider, the new provider will be disclosed as a sub-processor update under Section 6, with the 30-day notice period described in that section running concurrently with the 90-day decommissioning notice where possible.
MyoMesh has assessed MyoMind against the six responsible AI principles published by the Information and Privacy Commissioner of Ontario. The following table describes how each principle is addressed in the current version of the platform.
MyoMesh retains PHI only for as long as the Studio's subscription is active, plus a brief post-cancellation window to allow for data export.
Active subscription: PHI is retained on the platform for as long as the Studio's subscription remains active.
30-day export window: Upon cancellation, PHI is available for full export by the account owner for 30 days from the cancellation effective date. The Studio is responsible for retrieving any data it wishes to retain during this window.
Permanent deletion: After the 30-day window, all PHI associated with the Studio is permanently deleted from MyoMesh systems. Deletion is performed across primary storage, backups (as they are rotated out on the provider's schedule), and active sub-processor systems.
Sub-processor deletion: Sub-processors are instructed to delete or anonymise data in accordance with their own retention policies and applicable law. Transactional logs retained by sub-processors for fraud-prevention, billing, or regulatory purposes may persist on their own schedules.
MyoMesh will notify the Studio within 48 hours of becoming aware of any unauthorised access to, loss of, or disclosure of PHI associated with the Studio's account. Notice will be sent to the account owner's registered email address and will include, to the extent then known:
The Studio, as Health Information Custodian, remains responsible for any further notifications required under PHIPA — including notice to affected individuals and to the Information and Privacy Commissioner of Ontario pursuant to PHIPA section 12 and Ontario Regulation 329/04. MyoMesh will provide reasonable cooperation, technical detail, and timeline information to support those notifications.
The Studio, as Health Information Custodian, is responsible for:
As Electronic Service Provider under PHIPA, MyoMesh agrees to:
This Agreement takes effect on the date the Studio activates its MyoMesh subscription and remains in effect for as long as that subscription is active.
Either party may terminate this Agreement by giving the other party 30 days' written notice. Termination of this Agreement automatically terminates the Studio's access to the MyoMesh platform at the end of the notice period.
Sections that survive termination: Sections 5 (protection, to the extent data remains held), 8 (retention and deletion), 9 (breach notification for incidents occurring before deletion is complete), and 11 (ESP obligations relating to the above) survive termination and remain in effect until all residual PHI has been returned, deleted, or anonymised.
This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-law principles.
Any dispute arising out of or in connection with this Agreement is subject to the exclusive jurisdiction of the courts of Ontario.
Nothing in this Agreement limits either party's rights or obligations under PHIPA, or the authority of the Information and Privacy Commissioner of Ontario to investigate, order production of records, or issue directions in respect of the handling of PHI on this platform.
MyoMesh may update this Agreement from time to time. When an update materially affects how PHI is collected, used, disclosed, protected, or retained, MyoMesh will notify the account owner by email with at least 30 days' written notice before the change takes effect.
Continued use of the platform after the effective date of an updated Agreement constitutes acceptance of the updated terms. Material changes will be flagged clearly in the notification email and, where helpful, summarised in a short change log.
Non-material changes — for example, typographical corrections, formatting improvements, or clarifications that do not alter rights or obligations — may be made without prior notice. The "Last updated" date at the top of this document reflects the most recent revision.
Questions, concerns, requests, or complaints relating to this Agreement or the handling of PHI on the MyoMesh platform should be directed to:
Privacy inquiries & data subject requests:
privacy@myomesh.ca
Breach reports & security incidents:
security@myomesh.com
External oversight — Information and Privacy Commissioner of Ontario:
www.ipc.on.ca | 1-800-387-0073
Clients who believe their PHI has been handled contrary to PHIPA have the right to complain to the Information and Privacy Commissioner of Ontario at any time.
This Agreement is executed electronically. The Studio's acceptance is captured at the point of account activation and is recorded with the metadata shown below.
Studio name: [captured from account billing record]
Signatory name: [account owner at time of activation]
Date signed: [captured at account activation]
IP address recorded: [captured at account activation]