Skip to main content
Nurvivo
Infrastructure & compliance

AWS Toronto and Dental Data Residency — What PHIPA Actually Requires

PHIPA doesn't say 'host in Canada.' It says you're accountable if data leaves. Hosting in AWS Toronto removes the analysis entirely and keeps the IPC off your file.

Published May 30, 20267 min readBy the Nurvivo team

What PHIPA says about cross-border data

PHIPA does not explicitly prohibit a Health Information Custodian from allowing personal health information to be stored or processed outside Canada. What it does is shift the burden of proof onto the custodian. Section 12 of the Act requires reasonable steps to protect PHI against theft, loss, and unauthorized use. The IPC of Ontario has consistently interpreted this to mean that if PHI leaves Canada, the custodian must show: (a) the safeguards are equivalent to what would apply in Canada, (b) the custodian has notified patients of the disclosure, and (c) the disclosure is necessary for the stated purpose.

In practice, this is a tall order for a dental practice. Demonstrating equivalence requires legal opinion on the destination country's data-access laws — most relevantly the US CLOUD Act and FISA 702, both of which give US authorities lawful means to compel data from US-resident providers regardless of where the customer is located. The notification-to-patients requirement means updating intake consent and explaining cross-border processing in plain language. Most practices look at that workload and choose Canadian residency to avoid the analysis entirely.

What "Canadian residency" should mean

Three things, in order of importance:

  • Primary storage in Canada — the production database, the file storage for radiographs, the audio recordings.
  • Processing in Canada — the AI inference, the transcription, the indexing.
  • Backups in Canada — disaster-recovery snapshots and long-term archives.

Vendors sometimes describe themselves as "Canadian-hosted" when only one of these three is true. The IPC has been clear that all three need to be in Canada for the strongest PHIPA position. A backup in us-east-1 "just for redundancy" still constitutes a cross-border disclosure.

Why AWS Canada (Toronto) specifically

AWS Canada (Central) is AWS's Toronto region, identifier ca-central-1. It opened in 2016 and is now AWS's primary Canadian region with multiple availability zones, full coverage of the AWS services most healthcare platforms need (S3, RDS, Lambda, Bedrock for AI inference), and AWS's standard compliance certifications including SOC 1/2/3, ISO 27001/17/18, and PCI DSS.

Critically for Canadian healthcare, AWS publishes a Canadian Data Residency Service Terms document that contractually commits AWS to keep customer data in the requested region. That's the document a Canadian vendor builds on top of, and it's the document the IPC will reference if a custodian is ever asked to defend the residency claim.

There are other Canadian-region cloud options — Microsoft Azure has Canada Central in Toronto, Google Cloud has northamerica-northeast2 in Toronto. The choice between them is largely about which services the vendor needs; for PHIPA purposes the residency commitment is what matters, and all three majors offer it. Nurvivo runs on AWS Canada (ca-central-1) end to end — primary storage, AI inference, and backups all stay in Toronto.

Encryption and access — the layer above residency

Residency alone is not enough. The IPC's guidance on PHI in cloud environments expects encryption at rest with current standards (AES-256), encryption in transit (TLS 1.2 or higher), and role-based access with MFA. Nurvivo Dental uses AES-256 for all data at rest, TLS 1.2+ for all data in transit, per-practice encryption keys managed in AWS KMS in the Toronto region, and SSO/MFA on every staff account.

Access logging closes the loop. Every access to a chart is logged with user, timestamp, action, and source. Logs are retained alongside the chart for medico-legal traceability and are exportable per practice on request.

The contract is where it gets real

Marketing claims are easy. The PHIPA test is whether the vendor's contract commits to the residency, the encryption, the zero-training policy, and the breach notification timeline in writing. When evaluating a vendor, ask for the data processing agreement (DPA) and read for these specific clauses:

  • Named AWS region (or equivalent) where data is stored.
  • Named region(s) where processing happens — including AI inference.
  • Named region(s) where backups are retained.
  • Sub-processor list with Canadian residency commitments where they touch PHI.
  • Zero-training clause covering all customer clinical data.
  • Breach notification timeline (24–72 hours is the modern standard).
  • Right to delete on contract termination, with timeline and method.

Nurvivo Dental's DPA covers all of the above and is available on request before signup. The infrastructure is designed so that the answer to every PHIPA cross-border question is "no, it stays in Canada" — which keeps the IPC off the file and the practice's residual work focused on consent and process rather than legal opinion.

Frequently asked questions

Does PHIPA legally require dental data to be stored in Canada?+

Not explicitly. PHIPA allows cross-border storage but places the burden of demonstrating equivalent safeguards, patient notification, and necessity on the custodian (the dentist). In practice, Canadian residency is the clean path that removes the analysis entirely.

What is AWS Canada (Central)?+

AWS's Toronto region, identifier ca-central-1. It opened in 2016 and is AWS's primary Canadian region with multiple availability zones, full service coverage for healthcare workloads, and contractual commitments to keep customer data in the requested region.

Do US-hosted dental AI scribes violate PHIPA?+

Not automatically — PHIPA allows cross-border with appropriate safeguards and notification. But US hosting brings the CLOUD Act and FISA 702 into scope, which most Canadian practices and their privacy advisors would rather avoid. The practical answer for a Canadian practice is to choose Canadian-resident vendors.

Where does Nurvivo Dental store patient data?+

Entirely in AWS Canada (ca-central-1), the Toronto region. Primary storage, AI inference, and backups all stay in Toronto. Encryption is AES-256 at rest, TLS 1.2+ in transit, with per-practice key management in AWS KMS.

What about backups — do those leave Canada too?+

Not for Nurvivo Dental. Backups are taken to a separate availability zone within the same Toronto region for redundancy, and never replicated outside Canada. Other vendors sometimes back up to a US region "for redundancy" — that still constitutes a cross-border disclosure under PHIPA and should be questioned.

See Nurvivo Dental in your practice

Founding-member pricing — CAD 29/month, locked for life. Limited to the first 100 Canadian practices.

Join the waitlist →