This Policy is intended to describe, in a formal and comprehensive manner, the safeguards, standards, restrictions, and operational controls adopted by LogicDental Ai in connection with the collection, receipt, storage, transmission, processing, use, disclosure, retention, backup, restoration, and deletion of clinic, patient, claims, insurance, financial, credential, and other operational data made available to LogicDental Ai in the course of providing services.
Definitions and Interpretation
For purposes of this Policy, “Clinic” means the dental practice, professional corporation, dental office, or affiliated entity that is onboarding, subscribing to, or otherwise using the services of LogicDental Ai. “LogicDental Ai,” “Company,” “we,” “us,” and “our” refer to the service provider and its authorized personnel, authorized contractors, approved subprocessors, and systems used in connection with delivery of the services. “Client Data” means all information, records, documents, credentials, data sets, files, extracts, reports, communications, configurations, and metadata supplied by, derived from, transmitted by, or generated for the Clinic through the use of the services.
“Protected Health Information” or “PHI” refers to individually identifiable health information and related patient information that is subject to applicable privacy and security obligations under healthcare privacy frameworks. “Personal Information” has the meaning generally understood under applicable Canadian privacy laws and includes information about an identifiable individual. “Financial Information” includes payments, insurance remittances, explanation of benefits data, reconciliation records, write-offs, adjustments, deposit information, bank-related operational references, and other information concerning accounts receivable, collections, or financial performance. “Credentials” includes usernames, passwords, one-time passwords, API keys, tokens, secret values, remote support credentials, practice management system credentials, email forwarding credentials, and any other access data made available to the Company for implementation or ongoing support.
References in this Policy to data being “encrypted,” “secured,” “restricted,” “limited,” “audited,” or “monitored” shall be interpreted in a commercially reasonable manner consistent with the design of the Company’s systems, service architecture, risk controls, and operating procedures then in effect. Nothing in this Policy shall be interpreted to mean that the Company guarantees absolute security or that no cyber incident, service interruption, misconfiguration, malicious act, or unauthorized attempt may ever occur. Rather, this Policy describes the controls and obligations adopted to reduce risk, limit exposure, and manage data responsibly.
Purpose, Scope, and Legal Character of this Policy
This Policy is established to set out the legal and operational standards by which LogicDental Ai receives and handles information belonging to or relating to the Clinic, its patients, its staff, and its operational workflows. The purpose of this Policy is to provide the Clinic with a clear written record of the Company’s privacy posture, security model, confidentiality obligations, backup commitments, retention approach, and handling of sensitive healthcare and financial information in connection with onboarding and ongoing service delivery.
This Policy applies to information processed through the Company’s applications, databases, integrations, support tools, storage environments, backup environments, secure file handling workflows, and controlled access infrastructure. This Policy also applies to the conduct of the Company’s workforce members, contractors, and subprocessors who are permitted to access Clinic Data strictly on a need-to-know basis for implementation, support, maintenance, troubleshooting, reconciliation, analytics, quality assurance, or security operations.
This Policy is intended to be read together with any applicable service agreement, confidentiality agreement, implementation schedule, onboarding document, and any other contract entered into between the Company and the Clinic. In the event of a direct conflict between a signed agreement and this Policy, the signed agreement shall prevail to the extent of that conflict; however, unless otherwise agreed in writing, this Policy accurately states the general security and privacy controls that the Company expects to apply in the ordinary course of service delivery.
Regulatory Alignment: HIPAA and PIPEDA Standards
LogicDental Ai recognizes that dental practices handle sensitive health and personal information and therefore structures its privacy and security program with reference to well-recognized healthcare and privacy standards, including the principles underlying the Health Insurance Portability and Accountability Act (“HIPAA”) and the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Where the Clinic is subject to Canadian privacy obligations, the Company’s controls are intended to support the Clinic’s lawful handling of personal information, including accountability, safeguarding, limiting use, restricting disclosure, appropriate retention, and secure destruction. Where PHI is involved, the Company’s controls are designed to support secure handling through administrative, technical, and physical safeguards.
The Company’s statement that it follows standards aligned with HIPAA and PIPEDA means that the Company adopts policies and controls intended to reflect the core security and privacy expectations of those frameworks. It does not mean that the Company is representing a universal legal determination of compliance across every possible client configuration, deployment model, third-party system, or operational use case. Compliance outcomes depend in part on the Clinic’s own conduct, staff training, internal access controls, device security, patient consent processes, and the law applicable to the Clinic’s jurisdiction and activities.
The Company will, within the scope of its services, use commercially reasonable efforts to support the Clinic’s privacy and security objectives by limiting unnecessary access, protecting stored and transmitted data, preserving auditability, retaining data only as reasonably necessary, assisting with secure onboarding, and handling incidents according to documented escalation and response procedures. The Clinic remains responsible for its own legal obligations regarding patient disclosures, consents, authorized use of its practice management system, lawful instructions to the Company, and proper administration of users and permissions on Clinic-controlled systems.
Categories of Data Covered by this Policy
The Company may receive, process, store, or generate several categories of sensitive information in connection with the services. These categories may include patient demographic information, appointment or scheduling references where relevant to a workflow, insurance plan identifiers, carrier information, claim identifiers, procedure information, explanation of benefits information, remittance data, claim status details, payment posting inputs and outputs, transaction extracts, reconciliation outputs, write-off details, adjustment details, notes relevant to posting or exception handling, and practice-level operational or financial analytics.
The Company may also receive information concerning providers, clinic staff, locations, organization structures, billing entities, and practice management system configuration required for proper implementation and operational support. Where necessary for onboarding or support, the Company may receive usernames, passwords, tokens, one-time passcodes, remote support credentials, integration credentials, or email routing details provided by the Clinic. Such information is treated as highly sensitive and is subject to specific protections described in this Policy.
In addition to the above, the Company may generate derivative data, such as normalized data, audit records, operational logs, matching outputs, exception reports, reconciliation results, system metadata, and support records that contain references to Clinic Data. These derivative records are also treated as confidential to the extent they identify the Clinic, a patient, a claim, a user, or other operationally sensitive information.
Data Residency and Canadian Server Commitment
LogicDental Ai stores production Clinic Data in secure cloud infrastructure located in Canada. The Company’s general practice is to keep Clinic Data, including structured records and relevant supporting files, in Canadian-hosted environments so as to support Canadian data residency expectations and to reduce unnecessary cross-border movement of sensitive information. The Company selects infrastructure providers and service architecture with this requirement in mind and structures its deployments to maintain primary data storage within Canadian server regions.
Backups associated with Clinic Data are also intended to remain in Canadian-hosted environments unless the parties agree otherwise in writing. The Company does not intentionally move Clinic Data outside Canada for ordinary service delivery, analytics, storage, or backup operations unless such transfer is expressly required by an approved subprocessor arrangement, a legal requirement, or a client-approved exceptional workflow. Where any approved third-party tooling is used in support of the service, the Company evaluates the role of that tool and seeks to ensure that the use of such tool remains consistent with the Company’s privacy and security obligations.
The Clinic acknowledges that certain internet-based communications, content delivery services, or operational tooling may involve infrastructure that spans multiple regions. The Company’s commitment to Canadian data residency is focused on the storage and processing of identified Clinic Data and is not intended to mean that every network packet or operational support communication will exclusively traverse Canadian infrastructure.
Data Encryption in Transit
The Company requires encryption in transit for the transmission of sensitive data between systems, applications, integrations, and users. Encryption in transit is implemented using industry-standard protocols, such as TLS, to protect data as it moves between the Clinic’s environment, the Company’s systems, and any approved subprocessors. The Company expects that integrations, APIs, data feeds, and file transfer workflows used in connection with the services will operate over encrypted channels.
Encryption in transit is intended to reduce the risk of unauthorized interception, manipulation, or disclosure of Clinic Data as it travels across networks. The Company’s use of encryption in transit does not guarantee that every possible communication pathway will be encrypted under every circumstance, particularly where communications originate from third-party systems outside the Company’s control or where the Clinic uses communication channels not specified or approved by the Company.
Where the Clinic provides credentials, files, EOBs, claim records, remittance documents, or other sensitive material to the Company, the Company expects such materials to be transmitted through designated secure channels. The Company will not be responsible for the security of data transmitted by the Clinic or its agents through unapproved or insecure channels.
Data Encryption at Rest
The Company applies encryption at rest to stored Clinic Data in production databases, file storage environments, and backup repositories where the service architecture supports doing so. Encryption at rest uses industry-standard algorithms and key management practices appropriate to the sensitivity of the stored information and the infrastructure environment in use.
Encryption at rest applies not only to patient and claims data, but also to financial records, reconciliation files, credential stores, and operational records containing identifiable Clinic or patient information. In the case of credentials and secret values, the Company applies enhanced restrictions, as further described in this Policy, including storage in restricted secret-management or equivalent environments where feasible.
Although encryption materially reduces risk, the Company does not rely on encryption alone. Encryption at rest is one layer of a broader security program that also includes access control, monitoring, personnel obligations, and incident response. The effectiveness of encryption at rest depends in part on the integrity of key management practices and the security of the infrastructure environment in which data is stored.
Secure Handling of Passwords, User Details, and Clinic Credentials
The Company acknowledges that clinics may, in the course of onboarding and operational support, provide credentials such as usernames, passwords, one-time passcodes, remote access tokens, API keys, or other access data necessary for the Company to implement or support the services. The Company treats such credentials as highly sensitive and limits access to authorized personnel only. Credentials are not stored in plain text and are not shared internally beyond what is strictly necessary for the specific implementation or support task.
Where technically appropriate, secret values are stored in restricted secret-management or equivalent environments and are subject to access controls consistent with the principle of least privilege. The Company expects its personnel to treat any credentials received from the Clinic as strictly confidential and not to disclose, copy, or repurpose them beyond the authorized use for which they were provided.
User details relating to clinic operations, including names, job titles, usernames, work email addresses, and role-related information, are treated as internal operational data and are handled with appropriate confidentiality. The Company does not use such details for marketing, profiling, or purposes unrelated to the delivery of the services.
Role-Based Access Control, Least Privilege, and Limited Access
The Company applies role-based access control (“RBAC”) and the principle of least privilege as foundational elements of its access management program. Access to Clinic Data is granted only to authorized personnel who require such access for defined business purposes related to implementation, support, security, operations, or quality assurance. Permissions are scoped to the minimum level necessary for the relevant function and are not granted broadly or by default.
Administrative access is restricted to a limited subset of authorized personnel. Elevated privileges are not routinely granted and are subject to additional controls where feasible. The Company reviews access configurations as part of its ongoing security operations and takes steps to revoke or adjust access when personnel changes occur or when specific access is no longer required.
The Company also limits access at the data level where the service architecture permits doing so. Not all personnel with access to the Company’s systems will have access to all Clinic Data, and the Company seeks to ensure that access to particularly sensitive data, including credentials, PHI, and financial records, is subject to more restrictive controls than general operational data.
Handling of PHI and Sensitive Patient Information
The Company treats PHI and related patient information as highly sensitive data that requires careful handling, restricted access, and appropriate security controls throughout its lifecycle. The Company does not use patient information for purposes unrelated to the delivery of the services and does not disclose patient information to third parties except as required by law, expressly authorized by the Clinic, or required for an approved subprocessor function that supports the services.
The Company’s operational design seeks to minimize unnecessary exposure of PHI by limiting where it is stored, who can access it, how long it is retained, and how it flows through the Company’s systems. Where the service can be delivered with de-identified or aggregated data, the Company prefers that approach where reasonably practical. Where PHI must be processed to deliver the contracted service accurately, the Company seeks to do so under appropriate controls.
Where support or implementation requires temporary review of patient-level records, the Company expects its personnel to access only what is necessary, to avoid unnecessary copying or retention of patient data, and to treat any patient information encountered in connection with a support task as strictly confidential.
Secure Handling of EOB Documents, Claims, and Claim-Related Information
The Company understands that explanation of benefits documents, claim-related files, remittance records, and related financial and clinical data are among the most sensitive categories of information processed through the services. EOB documents and claim data are received, processed, and stored in restricted environments, and made accessible only to authorized services and personnel with a defined operational need.
Where documents are parsed, normalized, or otherwise transformed for automation or reconciliation purposes, the Company seeks to ensure that the resulting outputs are handled with the same level of care as the source documents. Derived data from EOBs or claim files that contains identifiable patient, claim, or carrier information is treated as Clinic Data and is subject to the same protections described in this Policy.
The Company also seeks to preserve auditability in connection with EOB and claims processing. This means that the Company maintains records sufficient to understand what was received, how it was processed, and what outputs were generated, so that exceptions or discrepancies can be identified and reviewed. Audit records relating to EOB and claims processing are treated as confidential and are subject to appropriate access controls.
Monitoring, Logging, Auditability, and Security Oversight
The Company maintains logging and monitoring practices designed to support security oversight, operational integrity, and auditability of Clinic Data access and processing activities. Logs may capture information about system events, access activity, processing operations, errors, exceptions, and other operational signals that are relevant to security and service delivery. The Company uses these logs for internal security monitoring, incident detection, troubleshooting, and quality assurance.
Logs are themselves treated as sensitive where they contain references to Clinic Data, usernames, identifiers, or other operationally significant information. Access to logs is restricted to authorized personnel and is subject to the same access control principles described in this Policy. The Company retains logs for a period consistent with operational and security needs and in accordance with the Company’s retention practices.
Auditability is an important component of the Company’s security program because it enables the Company to identify unusual activity, investigate incidents, verify processing integrity, and demonstrate accountability. The Company designs its systems with auditability in mind and seeks to ensure that material actions affecting Clinic Data are recorded in a manner that supports investigation and accountability.
Data Backup, Restoration, and Business Continuity
The Company maintains data backup practices designed to support service resilience, recovery from data loss events, and continuity of the services in the event of infrastructure failure, accidental deletion, or other disruptive event. Backups of Clinic Data are performed on a schedule appropriate to the nature of the data and the service architecture. Backup copies are encrypted and, consistent with the Company’s data residency commitment, are intended to remain in Canadian-hosted environments.
The purpose of backups is to permit restoration in the event of infrastructure failure, accidental loss, corruption, or a qualifying incident affecting production data. The Company tests its backup and restoration capabilities on a periodic basis to confirm that recovery procedures function as expected. Backup retention periods are set in accordance with the Company’s data retention practices and the operational needs of the service.
The Clinic acknowledges that backup and restoration processes are designed for resilience and disaster recovery and are not intended as a substitute for the Clinic’s own data management practices or the Clinic’s own backups of its practice management system or other Clinic-controlled data sources. The Company’s backups cover data within the Company’s service environment and do not extend to the Clinic’s own systems, endpoints, or locally stored information.
Data Retention and Secure Deletion
The Company retains Clinic Data only for as long as reasonably necessary to provide the services, support operations, comply with legal or contractual obligations, maintain required audit or financial records, and support legitimate business continuity needs. Retention periods are informed by the type of data, the purpose for which it was collected or generated, applicable legal and regulatory requirements, and the Company’s contractual obligations to the Clinic.
When data is no longer reasonably required, the Company uses commercially reasonable efforts to securely delete or de-identify such data in a manner consistent with the sensitivity of the information. Secure deletion means that data is removed in a way that is intended to prevent recovery through ordinary means, with particular attention applied to the secure handling of PHI, credentials, and financial records.
Upon termination of the relationship, the Company may, subject to contract and law, provide data export assistance to the Clinic within a commercially reasonable period, after which the Company will proceed with retention and deletion in accordance with this Policy and applicable agreements. Certain records, such as audit logs, financial transaction references, and legally required records, may be retained beyond the end of the service relationship for legitimate legal and compliance purposes.
Incident Response, Security Events, and Notification
The Company maintains incident response procedures designed to address suspected or confirmed security events affecting Clinic Data. These procedures include detection, containment, investigation, remediation, and documentation activities. The Company designates responsible personnel for incident response coordination and expects those personnel to treat security events with urgency and seriousness.
If the Company determines that a security incident materially affects Clinic Data, the Company will notify the Clinic without unreasonable delay in accordance with the circumstances and any applicable contractual or legal notification obligations. The Company’s notice may include, where available and appropriate, a description of the event, the categories of affected data, the known or reasonably suspected scope, and the mitigation measures underway or recommended.
The Clinic acknowledges that incident response is inherently fact-dependent and that certain notifications may evolve as additional information becomes available. The Company does not promise immediate omniscience in the early stages of an event; however, the Company does commit to handling incidents responsibly, documenting material findings, and communicating in good faith. The Clinic remains responsible for its own legal evaluation of whether regulator, patient, insurer, or third-party notifications are required under laws applicable to the Clinic.
Confidentiality Obligations of Personnel and Third Parties
All Company personnel and approved contractors with potential access to Clinic Data are expected to handle such data as confidential information. The Company requires confidentiality obligations as part of its workforce and contractor arrangements and expects personnel to understand that Clinic Data, patient information, claims information, payment data, credentials, and operational details are not to be disclosed, copied, or used outside authorized business purposes. Unauthorized use or disclosure may result in disciplinary action, revocation of access, contractual remedies, or other appropriate measures.
The Company may use carefully selected subprocessors or infrastructure providers to support the service, including hosting providers, storage services, monitoring tools, secure communication tools, or other operational vendors. Where such parties are used, the Company seeks to ensure that they are engaged under terms that require appropriate confidentiality and security protections consistent with the nature of the services they provide. The Company does not grant subprocessors broader rights to Clinic Data than are reasonably necessary for the relevant function.
Confidentiality obligations survive the termination of employment, engagement, or service relationship to the extent applicable. The Company’s expectation is that Clinic Data remains protected not only while a workforce member is active, but also after that person’s duties have ended. The same principle applies to any support artifacts or operational information derived from Clinic Data that remains in retained audit or support records.
Liability Limitations and Indemnification
The Company represents that it will use commercially reasonable efforts to maintain administrative, technical, and organizational safeguards designed to protect Clinic Data against unauthorized access, disclosure, alteration, or destruction within the Company’s service environment. The Clinic acknowledges, however, that no software system, cloud environment, integration architecture, network, or security program can guarantee absolute immunity from cyberattack, service outage, human error, malicious activity, misconfiguration, credential compromise, zero-day vulnerability, or other unforeseen event. Accordingly, the Company’s obligations under this Policy are obligations of reasonable security practice and responsible conduct, not a warranty of perfect or uninterrupted security.
To the maximum extent permitted by applicable law and except to the extent otherwise expressly provided in a signed agreement, the Company shall not be liable for any indirect, incidental, special, exemplary, punitive, or consequential damages, including loss of profit, loss of business opportunity, reputational harm, loss of goodwill, or loss resulting from delay, even if advised of the possibility of such damages. Nothing in this Policy is intended to exclude liability for matters that cannot lawfully be excluded, nor to excuse conduct amounting to gross negligence, willful misconduct, or intentional unauthorized disclosure by the Company where applicable law would impose liability notwithstanding contractual limitation.
The Clinic agrees to indemnify, defend, and hold harmless the Company and its affiliates, officers, directors, employees, and contractors from and against third-party claims, liabilities, damages, penalties, costs, and reasonable expenses arising out of or relating to: (a) the Clinic’s unlawful instructions or use of the services; (b) the Clinic’s failure to maintain adequate controls over its own systems, devices, accounts, or staff; (c) the Clinic’s failure to obtain required consents or provide required notices; (d) the Clinic’s unauthorized sharing of credentials with the Company or others; or (e) acts or omissions occurring within Clinic-controlled systems or user environments that are outside the Company’s reasonable control.
Clinic Responsibilities and Shared Security Duties
Security is a shared responsibility. While the Company is responsible for the safeguards within its service environment, the Clinic remains responsible for the security of its own devices, networks, internal staff permissions, endpoint protection, lawful credential sharing practices, and user administration within Clinic-controlled systems. The Clinic should provide only those credentials and access rights that are reasonably necessary for the Company to perform authorized services and should promptly revoke or rotate credentials that are no longer needed or that may have been exposed.
The Clinic is also responsible for ensuring that its personnel use the Company’s services appropriately, maintain confidentiality over patient information, and avoid transmitting highly sensitive data to the Company through insecure or unapproved channels. Where the Clinic directs the Company to use a specific workflow, communication channel, integration method, or support process that the Company has identified as higher risk, the Clinic understands that such direction may alter the risk allocation associated with that workflow.
The Company encourages the Clinic to maintain internal privacy policies, staff training, access reviews, password hygiene, and endpoint security measures consistent with the sensitivity of dental and financial information. The effectiveness of the Company’s safeguards is enhanced when the Clinic likewise implements sound practices on its side of the service relationship.
Data Ownership, Limited Use, and Non-Commercialization
All Clinic Data remains the property of the Clinic or the Clinic’s applicable licensors, patients, payors, or other lawful owners, as determined under applicable law and contract. Nothing in this Policy transfers ownership of Clinic Data to the Company. The Company receives limited rights to host, process, transmit, use, and retain Clinic Data solely as reasonably necessary to provide the contracted services, maintain system security, support operations, perform troubleshooting, preserve backups, and satisfy legal or contractual obligations.
The Company does not sell Clinic Data or patient data. The Company does not use PHI, claims information, remittance details, or Clinic credentials for unrelated commercial exploitation. Any internal use of data for support, quality assurance, security monitoring, or product reliability is limited to legitimate business purposes connected to the delivery, protection, and improvement of the services and is expected to respect confidentiality and minimization principles.
Where the Company generates aggregated or de-identified operational insights for internal performance review or service improvement, the Company expects such outputs to be used in a manner that does not disclose identifiable Clinic or patient information unless expressly authorized. The Company’s goal is to preserve the Clinic’s control over identifiable business and patient data while still permitting the Company to operate, secure, and improve its services responsibly.
Contact, Review, and Policy Updates
Questions concerning this Policy, security practices, confidentiality obligations, incident handling, data backup, or retention procedures may be directed to LogicDental Ai through its designated support or security contacts. The Company may review and update this Policy from time to time to reflect changes in law, service architecture, infrastructure, risk environment, or operational practice. Where material changes are made, the Company may provide an updated copy or otherwise make the revised version available during the course of the client relationship.
This Policy is intended to serve as a formal statement of the Company’s privacy and security posture at the time of onboarding and during the service relationship. It should be interpreted in a practical business manner consistent with the realities of modern cloud-based healthcare operations, while preserving the seriousness required for handling PHI, claims data, financial records, and clinic credentials.
Security and confidentiality are ongoing obligations. For that reason, the Company views this Policy as part of a living governance framework rather than a one-time statement. The Company’s commitment is to continue strengthening its controls, limiting unnecessary access, protecting data stored on Canadian servers, encrypting data at rest and in transit, safeguarding passwords and user details provided by the Clinic, securely handling EOBs and patient claim information, maintaining backups, enforcing retention and deletion practices, and acting responsibly when issues arise.
LogicDental Ai Team