Trust & Security

People share their health with our agents. We protect it like a clinician would.

Effective Date: January 25, 2026

Workforce Wellness builds AI agents for some of the most sensitive conversations in healthcare. Protecting what people tell them isn’t a feature — it’s the foundation everything else is built on. Here’s exactly how we do it.

Our standing commitments
Data residency
Your information is stored and processed in Canada.

Recordings, transcripts, summaries, and account data are held within Canada on Amazon Web Services (AWS). Any cross-border processing is risk-assessed first, and we tell you where your data lives.

No model training
We do not train our AI on your data, and we never sell it.

Information you entrust to us is used to deliver your service — not for our own product development or advertising — unless you have specifically authorized it.

Human oversight
AI output is reviewable before it’s relied upon.

Transcripts and summaries are editable and can be checked by a responsible person before they enter a record or guide care. AI assists; it doesn’t decide on its own.

Consent first
People can say yes — or no.

Our platforms support capturing clear, express consent before an AI agent is used, and individuals can decline or withdraw at any time without affecting the care they receive.

Encryption
Encrypted in transit and at rest

Multi-factor authentication, role-based access, and audit logging on access to personal information.

What we hold ourselves to

Privacy decisions we’ve already made, so you don’t have to wonder.

Healthcare organizations are accountable for the information they collect, even when a vendor holds it. Our job is to make that accountability easy to meet. These are the choices baked into how the product works.

Sensitive by default

We treat voice recordings as highly sensitive biometric information — the pitch, cadence, and patterns in a voice can identify a person and are nearly impossible to anonymize. They get the strongest protections we have.

Only what’s needed

Features you don’t need can be turned off. We configure each deployment to collect the minimum information required for the purpose you’ve agreed to — nothing captured “just in case.”

No quiet expansion

If an update would change how an AI agent handles personal information, we tell you in advance. For material changes you get to review and accept or decline before it takes effect — no surprise “function creep.”

Kept briefly, then gone

We keep information only as long as it’s needed. Voice recordings aren’t retained after a transcript is produced unless there’s a clear reason, and we follow your retention and deletion instructions for data we hold for you.

Regulatory alignment

Designed around the laws that actually apply in British Columbia.

Compliance with U.S. HIPAA — or even Canada’s federal PIPEDA alone — doesn’t satisfy BC law. Where our services are used in BC, BC law applies to the information involved, even when data moves elsewhere. We build to that standard and describe what we actually do, rather than leaning on labels.

BC PIPAPrimary law
British Columbia’s Personal Information Protection Act governs how we collect, use, and disclose personal information, requires purposes a reasonable person would consider appropriate, and requires consent unless a narrow exception applies.
Federal PIPEDACross-border
Applies to personal information that crosses provincial or national borders in the course of commercial activity — relevant whenever data moves between jurisdictions.
BC FIPPAPublic-body customers
When we serve a public body such as a health authority, that body’s obligations — including assessments before sensitive information is stored outside Canada — flow to us by contract, and we support them.
OIPC AI guidanceHealthcare AI
The BC Information and Privacy Commissioner’s 2026 best-practice guidance on AI tools in clinical settings sets out what healthcare organizations should expect from a vendor. We’ve built our practices to answer that checklist directly.

How we secure it

Layered safeguards, sized to the sensitivity of the information.

Because our agents handle some of the most personal information there is, we apply multiple layers of physical, technical, and administrative protection — and we keep raising the bar.

Encryption everywhere

Personal information is encrypted in transit and at rest across the platform and its connections.

Access on a need-to-know basis

Multi-factor authentication, strong-password requirements, and role-based access controls so information is reachable only by those who need it.

Audit logging

Access to and changes in personal information are logged so activity can be reviewed, and controls help prevent inadvertent recording by an agent.

Monitored and tested

Continuous monitoring, a defined incident-response process, independent security assessments, and recurring privacy and security training for our people.

Independent Assurance: Workforce Wellness maintains a list of certifications and audits completed or underway, and we will share the outcomes of relevant assessments with customers under appropriate confidentiality terms.

AI & your data

Honest about how the AI works — including its limits.

Generative AI produces useful output, but it is probabilistic and not always correct. We’re straight about that, because pretending otherwise is how mistakes reach a patient record.

We name the limits

AI can mishear, omit, or invent — especially with background noise, accents, or complex conversations. We don’t present its output as inherently reliable, and we design for review.

Human in the loop

Output is meant to be checked and corrected by a responsible person before it’s relied on. Introducing AI doesn’t shift responsibility for what ends up in a record — and we help guard against over-reliance.

Not training fuel

We don’t use your information to train or improve AI models, and we don’t sell it, unless you’ve clearly authorized a specific use that the law permits.

Cautious on “de-identified”

Much of what gets called “de-identified” can still be traced back to a person — voice data especially. We treat such information as personal unless we’re satisfied it truly can’t identify anyone.

For the people we serve

Clear rights, and a real way to use them.

When we hold information on behalf of an organization, that organization is the one in control of it — and we help them respond. Individuals can always:

Access their information

Ask what we hold, how it’s been used, and who it’s been shared with.

Correct it

Request fixes to anything inaccurate or incomplete.

Decline or withdraw

Say no to an AI agent, or change their mind later, without affecting their care.

Raise a concern

Complain to us — or to the independent regulator, the OIPC for BC.

When things change or go wrong

Vendor oversight and incident response, in plain terms.

Vetted sub-processors

We use a small set of vetted providers (such as cloud hosting and AI model providers), each contractually bound to protect information, use it only as we direct, and report incidents to us.

Breach response

We maintain a documented process to detect, contain, and investigate incidents. If a breach affects information we hold for you, we notify you promptly so you can meet your own obligations, and we notify individuals and regulators where the law requires it.

Accountability

Privacy is owned, not assumed.

We remain responsible for personal information under our control, including data handled by our providers. Our privacy program includes a designated Privacy Officer, written policies reviewed on a regular cadence, privacy impact assessments before we adopt or materially change an AI capability, and mandatory training so the way our AI handles information is never a mystery to the people working with it.

Questions, documentation, or a security report?

We’re glad to walk procurement and privacy teams through our practices and share documentation under appropriate terms.

✉ privacy@workforcewellness.com 📄 Full Privacy Policy

Security & responsible disclosure: security@workforcewellness.com

Office of the Information and Privacy Commissioner for BC
PO Box 9038 Stn Prov Govt, Victoria BC V8W 9A4
Phone: 250-387-5629  |  Toll-free in BC: 1-800-663-7867
Email: info@oipc.bc.ca  |  Web: oipc.bc.ca

© 2026 Workforce Wellness Inc. · Vancouver, BC
This page describes our practices and is not a contract. Where a signed agreement differs, the agreement governs.