Data Processing Agreement

When professionals use Rilev, Rilev acts as their data processor. This DPA outlines data processing obligations, safeguards, breach notification, and subprocessor disclosure.

Version 1.0 · Last updated: May 15, 2026

Jurisdiction-Aware

The DPA presented during professional account setup is tailored to the professional's declared practice jurisdiction. Each variant references the specific privacy legislation that applies.

| Jurisdiction | Applicable Laws | Notes |
|---|---|---|
| Ontario | PIPEDA + PHIPA | References Health Information Custodian (HIC) obligations and professional college requirements (CRPO, OCSWSSW) |
| Quebec | PIPEDA + Law 25 | Includes PIA requirement and designated privacy person obligations |
| Alberta | PIPEDA + HIA | References custodian role under HIA |
| British Columbia | PIPEDA + PIPA | References PIPA obligations |
| Other Canadian | PIPEDA | Standard federal privacy law coverage |
| United States | HIPAA (pending) | BAA not yet available — contact privacy@rilev.com |
| Other | General DPA | Standard data processing terms |

Roles & Responsibilities

  • You (the Professional) are the Health Information Custodian or data controller responsible for your clients' personal health information.
  • Rilev acts as your electronic service provider or data processor.
  • Rilev processes client data only as necessary to provide the assessment and reporting services you request.
  • The DPA shown during account setup is tailored to your practice jurisdiction (e.g., PIPEDA + PHIPA for Ontario, PIPEDA + Law 25 for Quebec).

Data Processing

  • Assessment responses are processed on the client's device; only derived outcome scores are transmitted to Rilev servers.
  • Client data is stored under anonymous, randomly generated identifiers — not linked to client names or contact information.
  • AI-generated reports are produced using de-identified scores.
  • Rilev does not have access to your clients' real identities.

Safeguards

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Zero-Knowledge Architecture: identity and assessment data stored in separate, non-linkable systems.
  • PII Screening: client-authored text is automatically screened for personally identifying information before AI processing.
  • Fail-closed design: if PII screening is unavailable, submissions are blocked rather than allowed through.

Subprocessors & Cross-Border

  • Cloud Infrastructure: Google Cloud Platform / Firebase.
  • Web Hosting: Vercel.
  • AI Processing: Google Vertex AI, Anthropic, xAI, MiniMax (de-identified data only).
  • Security: Sentry (no health data), Upstash (rate limiting).
  • Payments: Stripe.
  • All subprocessors handling identifiable data operate under DPAs. AI providers receive only de-identified data.
  • Data may be processed in Canada, the United States, and other jurisdictions where providers operate.

Breach Notification

  • Rilev will assess the nature and sensitivity of affected data upon discovering an incident.
  • Where an incident creates a real risk of significant harm, Rilev will notify the professional as soon as feasible.
  • Rilev will cooperate with your obligations to notify affected individuals, regulators, or privacy commissioners.

Data Retention & Deletion

  • Client assessment data is retained for as long as the client's account is active.
  • Clients can delete their data at any time using the in-app deletion feature.
  • When you terminate your professional account, links between your account and client data are severed.
  • Limited legal and safety records (consent logs, crisis safety events) are retained as disclosed in the Privacy Policy.

Your Obligations

As the data controller or health information custodian, you are responsible for the following:

  • Obtain appropriate consent from your clients before directing them to use Rilev.
  • Inform clients that their assessment data will be processed by Rilev as your service provider.
  • Comply with applicable healthcare privacy laws in your jurisdiction.
  • Maintain your own privacy practices and policies as required by your professional college or regulatory body.