Is ChiroUp PIPEDA compliant?

ChiroUp takes all subscribers' data privacy and security seriously. This includes compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations collect, use, and disclose personal information.

To meet PIPEDA compliance, an organization must abide by the Ten Fair Information Principles. The following explains how ChiroUp adheres to each of the principles.

  1. Accountability: An organization is responsible for the personal information under its control and shall designate an individual who is accountable for the organization's compliance with the principles.
    1. ChiroUp has designated an Assigned Privacy & Security Official who is tasked with ensuring ongoing compliance with relevant laws and regulations. You can contact the Assigned Privacy & Security Official at emily@chiroup.com with further questions.
    2. ChiroUp protects the data it holds by restricting employee access to the minimum necessary to complete their jobs. ChiroUp requires Business Associate Agreements and Confidentiality Agreements to be signed by any third-party vendors or subcontractors. ChiroUp also requires its employees to sign a Confidentiality and Non-Disclosure Agreement.
    3. ChiroUp has implemented appropriate privacy & security policies, from Breach Notification to Workstation Security, that are regularly reviewed along with an ongoing Security Awareness Training Program. Employees are required to complete a privacy and security training campaign on a monthly basis, and are consistently tested with challenging simulated phishing tests.
    4. ChiroUp conducts a yearly Security Risk Assessment and Analysis, and actively works to remediate and mitigate any risks identified.
  2. Identifying Purpose: The purpose for which personal information is collected shall be identified by the organization at or before the time the information is collected.
    1. ChiroUp explains why we collect data, the subscriber or prospect data we collect, and how we use your data within our Privacy Policy.
    2. ChiroUp will never sell or trade patient data that you store with us.
  3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except when appropriate.
    1. ChiroUp obtains consent before we use any personal information that subscribers or prospects share with us. You give ChiroUp consent to collect your information when you visit our site or submit information about yourself to us. Individuals can withdraw consent at any time by contacting support@chiroup.com. However, it is the responsibility of the subscriber to obtain patient consent.
  4. Limiting Collection: The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
    1. ChiroUp only collects the subscriber and prospect information needed to conduct business. ChiroUp explains the personal information it collects from its prospects and subscribers within our Privacy Policy. However, it is the responsibility of the subscriber to limit the collection of patient information. The subscriber should only collect information for the sole purpose of the patient's treatment. ChiroUp helps our subscribers adhere to this principle by limiting the number of patient demographic fields that are required for a record to be created.
  5. Limiting Use, Disclosure, and Retention: Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
    1. ChiroUp restricts access to subscriber and prospect data to only those who require it to complete their jobs. ChiroUp regularly reviews audit logs and updates access to its systems to ensure only the necessary people have access.
    2. ChiroUp will retain your Personal Data only for as long as is necessary for the purposes set out in our Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations, resolve disputes, and enforce our legal agreements and policies. We will destroy, erase, or anonymize any personal information that is no longer required to fulfill its purposes. Subscribers and prospects can request at any time for their data to be deleted by contacting support@chiroup.com.
    3. Subscribers are required to ensure they are limiting the use, disclosure, and retention of the patient information they collect. ChiroUp helps subscribers adhere to this principle by offering user roles that limit access to the app.
  6. Accuracy: Personal information shall be as accurate, complete, and up-to-date as is necessary for the purpose for which it is to be used.
    1. ChiroUp ensures that prospect and subscriber personal information that is used on an ongoing basis is accurate, complete, and up-to-date. Prospects and subscribers can ask ChiroUp to update their information on their behalf by contacting support@chiroup.com. In addition, subscribers can correct their own personal information within the app's settings. However, it is the responsibility of the subscriber to ensure its patients' information is accurate and up-to-date.
  7. Safeguards: Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
    1. ChiroUp encrypts data at rest with AES-256 encryption, which is the strongest and most robust encryption standard that is commercially available today. Data in transit is protected with TLS 1.3. ChiroUp ensures that any third-party vendors that we conduct business with are held to the same standards.
    2. ChiroUp has implemented a strict Password Management Policy and requires users to utilize a password manager. MFA is required on any account that holds personal information. ChiroUp helps its subscribers adhere to this principle by offering a unique login for all clinic users and an MFA feature, meaning users can turn MFA on for their ChiroUp account.
    3. ChiroUp restricts employee access to its systems and accounts. Employees are only granted access to information on a need-to-know basis, and audit logs are regularly reviewed. ChiroUp helps its subscribers adhere to this principle by offering an array of user roles as well as a patient access log for auditing who accessed patient records and when.
    4. ChiroUp tracks all work devices used by employees and requires every device to have an Endpoint Detection and Response (EDR) sensor installed, backed by a 24/7 threat-hunting service. Employees are also required to be connected to a VPN (Virtual Private Network) when logging into work systems, in order to encrypt their traffic and mask their IP address.
    5. ChiroUp employees are regularly trained on the importance of maintaining the confidentiality and security of personal information. Employees are also required to sign a Confidentiality & Non-Disclosure Agreement at the time of hiring.
    6. ChiroUp holds all its third-party vendors to the same security standards. ChiroUp requires any third-party vendor who receives or has access to personal information to sign a Confidentiality Agreement, and in some cases, a Business Associate Agreement too.
  8. Openness: An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
    1. ChiroUp is willing to share its internal privacy & security policies and procedures with its subscribers or prospects on request. Please reach out to support@chiroup.com to receive a copy of our policies and procedures in your requested format.
    2. ChiroUp explains the personal information we collect from our prospects and subscribers, how we use it, and how we protect it within our Privacy Policy. Prospects and subscribers may request the deletion of their information at any time by contacting support@chiroup.com.
  9. Individual Access: Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to the information.
    1. Individuals can submit requests to support@chiroup.com. ChiroUp will respond no later than 30 days after a request has been received and will provide the information at no cost. ChiroUp will amend any data the individual deems inaccurate or incomplete.
  10. Challenging Compliance: An individual shall be able to challenge compliance with the above principles to the designated individual responsible for compliance.
    1. Individuals may contact ChiroUp's Assigned Privacy & Security Official at emily@chiroup.com with any complaints. The Assigned Privacy & Security Official will respond in a reasonable time and investigate and address all complaints reported.
