Privacy & Security for Canadian Clinics

Our Role

Rounds operates as a technology service provider to the clinic. The clinic remains the healthcare provider and health information custodian responsible for patient care, clinical decisions, and the clinical record.

Rounds processes personal health information only under the clinic’s direction and only to provide the contracted clinical workflow services, including AI-assisted medical history collection, AI scribe and documentation support, pre-visit and post-visit patient communication, provider-reviewed clinical summaries, and related administrative and operational support.

Rounds does not sell personal health information, use patient data for unrelated advertising, or disclose patient information for unrelated commercial purposes.

Limited Collection, Use, and Disclosure

Rounds applies data minimization principles. We collect and process only the information reasonably required to provide the service requested by the clinic.

Patient information is used only for authorized clinical workflow purposes, such as preparing documentation, summarizing patient-provided information, or supporting communication between the clinic and patient.

Rounds does not use personal health information for independent purposes outside the agreed clinical service unless expressly permitted by law or by the applicable agreement.

Administrative Safeguards

Rounds maintains administrative safeguards designed to protect personal health information and support accountable handling of sensitive clinical data.

These safeguards include internal privacy and security policies, workforce confidentiality obligations, role-based responsibilities for handling patient information, employee onboarding and security awareness practices, access approval and review processes, vendor and subprocessor review procedures, incident response and escalation procedures, data retention and deletion procedures, and customer support practices designed to limit unnecessary exposure to patient information.

Technical Safeguards

Rounds uses technical controls to protect personal health information from unauthorized access, use, disclosure, alteration, or loss.

These controls include encryption of data in transit and at rest, role-based access controls, least-privilege access, authentication controls, audit logging, monitoring of production systems, customer data segregation where applicable, secure cloud infrastructure, backups and availability safeguards, vulnerability management, and security review practices.

Access to production environments is restricted to authorized personnel with a legitimate operational need.

Access Controls and Auditability

Rounds limits access to personal health information based on role and operational necessity. Personnel access is granted only when required to provide, maintain, secure, or support the service.

Rounds maintains logging and monitoring practices to support accountability, investigation, and traceability. These controls are designed to help detect, investigate, and respond to unauthorized or inappropriate access.

Retention and Deletion

Rounds retains personal health information only as needed to provide the service, maintain clinical workflow continuity, comply with contractual requirements, and support security, audit, or legal obligations.

Retention and deletion requirements can be configured or documented in the agreement with the clinic. Upon termination, Rounds can support deletion or return of data in accordance with the applicable agreement and legal requirements.

Vendor and Subprocessor Management

Rounds may use carefully selected vendors and subprocessors to support hosting, infrastructure, communications, security, analytics, or AI-related functionality.

Rounds applies vendor management controls, including review of vendor security posture, contractual confidentiality obligations, contractual data protection obligations, access limitations, restrictions on unauthorized use of personal health information, and review of applicable security certifications or safeguards where relevant.

Subprocessors are permitted to access personal health information only where necessary to support the Rounds service.

AI Governance and Clinical Review

Rounds is designed as a clinical workflow support tool. AI-generated outputs are intended to assist healthcare providers and must be reviewed by the provider before being relied upon in clinical practice or incorporated into the clinical record.

Rounds does not replace the treating clinician’s professional judgment. The provider remains responsible for final review, approval, and use of clinical documentation.

Security Program and Certifications

Rounds maintains a formal information security program aligned with recognized security standards.

Rounds has ISO/IEC 27001 certification and SOC 2 compliance. These frameworks support controls related to security governance, risk management, access management, vendor management, monitoring, incident response, and continuous improvement.

Incident Response

Rounds maintains procedures for identifying, investigating, containing, and remediating security incidents.

If Rounds becomes aware of an incident involving personal health information, Rounds will notify the affected customer in accordance with applicable contractual obligations and legal requirements, so the clinic can assess and fulfill any notification obligations it may have under PHIPA.

Patient Communication and Consent Support

Rounds supports clinic-directed patient communication workflows. The clinic determines how patients are informed about the use of Rounds and how consent or notice is handled in accordance with the clinic’s policies and applicable law.

Rounds can support implementation flows that make clear to patients when they are interacting with an AI-enabled system for intake, documentation, or communication support.

Our Commitment

Rounds is built to help clinics adopt AI-assisted clinical workflows safely and responsibly. Our approach combines limited-purpose data processing, data minimization, technical safeguards, administrative controls, vendor oversight, auditability, retention controls, incident response procedures, and provider review of AI-generated outputs.