Privacy Impact Assessment
Assessment of privacy risks and mitigation measures for RecordIQ Enterprise Edition.
PRIVACY IMPACT ASSESSMENT (PIA)
RecordIQ Enterprise Edition – Version 2.1
Assessment Date: March 31, 2026 (revised)
Organization: RecordIQ Software LLC
Prepared By: Ulises Rodriguez, Founder & CEO (Designated Privacy Officer, pursuant to Quebec Law 25, Article 3.1), RecordIQ Software LLC
Regulatory Frameworks:
Act respecting the protection of personal information in the private sector (Quebec Law 25 / Bill 64)
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applicable provincial legislation (PHIPA, PIPA BC, PIPA AB)
1. PROJECT OVERVIEW
1.1 Description of the Project
RecordIQ Enterprise Edition is a locally installed desktop application designed for law firms to process medical records using Optical Character Recognition (OCR). The Software extracts, classifies, indexes, and encrypts information contained in medical records.
All document processing occurs exclusively on the end-user’s local workstation. The Software is designed with an offline architecture: no document data, OCR results, or PHI is ever transmitted over any network. The Software connects to RecordIQ’s cloud servers (Microsoft Azure) only for: (a) license activation and periodic validation; (b) optional software update checks; and (c) support ticket processing when the user contacts support@recordiq.app. These connections transmit only the license key, a hardware-derived device identifier, and email address — never any document data or PHI.
1.2 Purpose of Processing
The Software enables legal professionals to efficiently review, organize, and analyze medical records for the purpose of legal representation, litigation support, and case preparation.
1.3 Roles and Responsibilities
Customers: Law firms and legal professionals using the Software
RecordIQ Software LLC Role:
Acts as a service provider/vendor
Acts as a service provider solely for limited licensing data (name, email)
Does NOT act as a processor or controller for any document-derived personal information
1.4 Critical Architectural Assertion
RecordIQ Enterprise Edition is architected such that:
No document-derived personal information leaves the user’s environment
No remote access to document data exists
No telemetry, analytics, or tracking mechanisms are present
RecordIQ Software LLC has no technical capability to access, view, collect, or transmit document-derived personal information. The only data transmitted to RecordIQ servers is non-PHI licensing data (device identifier, license key) and support ticket metadata (email address, subject, and message body with PHI automatically redacted).
2. PERSONAL INFORMATION INVENTORY
2.1 Document-Derived Personal Information (Processed Locally)
The Software may process the following categories of personal information contained within user-provided records:
Patient identifiers (name, date of birth)
Health information (diagnoses, treatments, medications, lab results, clinical notes)
Provider information (physician names, facility identifiers)
Contact information (addresses, phone numbers)
Insurance and billing data
Medical coding data (ICD, CPT codes)
Classification: Sensitive personal information / Personal Health Information (PHI)
Key Control: All such data remains exclusively on the local workstation.
2.2 Licensing and Administrative Data (Processed by RecordIQ)
Name
Email address
License key, purchase metadata, and hardware-derived device identifier (machine ID)
Payment Processing: Handled by a third-party payment processor; RecordIQ does not receive full payment card details.
Storage: Encrypted storage within managed cloud infrastructure with role-based access controls.
3. DATA FLOW ANALYSIS
3.1 Document Processing Data Flow
Input: Files imported from local storage
Processing: OCR and analysis performed locally
Storage: Encrypted at rest using AES-256-GCM
Output: Generated reports stored locally
Temporary Data: Decrypted only in controlled temporary memory/directory
Deletion: Upon job completion, all temporary plaintext files, intermediate extraction data, and processing metadata are permanently destroyed using multi-pass random overwrite. A startup sweep destroys any residual files from prior sessions. A retry mechanism handles Windows file locks. Audit log confirms each deletion. No residual document content or processing artifacts remain on disk — only the final AES-256-GCM encrypted output files persist.
Network Activity:
No outbound connections are made during document processing, and no APIs, sockets, or external services are invoked for it. Outbound HTTPS connections to Azure are used solely for license activation and validation (license key + device identifier), optional update checks, and optional user-initiated diagnostic uploads (PHI-scrubbed).
3.2 Licensing Data Flow
Collected via external purchase workflow
Payment processed by certified third-party provider
Stored in encrypted cloud environment
License validation performed via secure HTTPS connection to Azure-hosted license server using Ed25519 cryptographic signatures, with a 30-day offline grace period
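The license check described above, as an added illustration that is not RecordIQ's code: it assumes a hypothetical signed JSON license carrying the license key, the hardware-derived device identifier and an expiry, verified with Go's standard-library Ed25519, with device binding and the 30-day offline grace period measured from the last successful online validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type License struct { // hypothetical signed payload, not RecordIQ's real schema
	Key      string    `json:"key"`
	DeviceID string    `json:"device_id"` // hardware-derived machine ID
	Expires  time.Time `json:"expires"`
}

const OfflineGrace = 30 * 24 * time.Hour // 30-day offline grace period from the PIA

// IssueLicense signs the JSON-encoded license (server side).
func IssueLicense(priv ed25519.PrivateKey, lic License) (payload, sig []byte) {
	payload, _ = json.Marshal(lic) // plain string/time fields cannot fail to marshal
	return payload, ed25519.Sign(priv, payload)
}

// Validate (client side): signature first, then device binding, expiry, and grace window.
func Validate(pub ed25519.PublicKey, payload, sig []byte, device string, lastOnlineOK, now time.Time) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return err
	}
	switch {
	case lic.DeviceID != device:
		return errors.New("license is bound to a different device")
	case now.After(lic.Expires):
		return errors.New("license expired")
	case now.Sub(lastOnlineOK) > OfflineGrace:
		return errors.New("offline grace period exceeded; online validation required")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig := IssueLicense(priv, License{"RIQ-DEMO", "dev-123", time.Now().AddDate(1, 0, 0)})
	fmt.Println(Validate(pub, payload, sig, "dev-123", time.Now().AddDate(0, 0, -31), time.Now()))
}
```

The public key would be embedded in the client binary and the private key kept only on the license server; a device that has not validated online for more than 30 days is refused until it reconnects.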
4. LEGAL BASIS AND COMPLIANCE
4.1 Legal Basis for Processing
Processing of document-derived personal information is conducted by the Customer (law firms) under:
Legal obligation
Administration of justice
Provision of legal services
RecordIQ does not determine the purposes or means of such processing.
4.2 Compliance Alignment
This PIA demonstrates alignment with PIPEDA Schedule 1 — the 10 Fair Information Principles:
Accountability: RecordIQ Software LLC is designated as the accountable organization for license data.
Identifying Purposes: Purposes for data collection (licensing, support) are identified at or before collection.
Consent: Explicit consent obtained at license purchase and EULA acceptance.
Limiting Collection: Only name, email, license key, and device identifier are collected.
Limiting Use, Disclosure, and Retention: Data used solely for licensing and support; retained for license term plus three years.
For licensees subject to provincial health privacy legislation (e.g., Ontario PHIPA), licensing records may be retained for up to seven (7) years for tax and audit purposes as required by applicable law.
Accuracy: Licensees may request correction of personal information at any time.
Safeguards: AES-256-GCM local encryption; AES-256 at rest in Azure; Ed25519 signatures; DPAPI key protection.
Openness: Privacy Policy and PIA are publicly available.
Individual Access: Licensees may request access to personal information held by RecordIQ.
Challenging Compliance: Complaints may be directed to legal@recordiq.app or the Office of the Privacy Commissioner of Canada.
Mailing Address: 30 N Gould St Ste N, Sheridan, WY 82801, United States
5. SAFEGUARDS AND SECURITY CONTROLS
5.1 Technical Safeguards
AES-256-GCM encryption at rest
PBKDF2-based authentication
Ed25519 license validation with machine binding
DPAPI-protected key storage bound to user profile and machine identity (no centralized key storage)
In-memory processing where feasible
Automatic session timeout
Immutable audit logging
5.2 Organizational Safeguards
Role-based access control for administrative systems
Restricted access to licensing data
Documented incident response procedures
Periodic security reviews
5.3 Infrastructure Safeguards (Licensing Data Only)
Encrypted storage (AES-256 server-side encryption)
Alignment with industry-standard cloud frameworks (SOC 2, not yet certified; ISO 27001)
Access logging and monitoring
6. RISK ASSESSMENT
Risk Assessment Methodology: Likelihood and impact ratings are assessed using a qualitative scale (Very Low, Low, Medium, High) based on the system architecture, data flow analysis, and industry benchmarks. Inherent risk is evaluated before mitigations; residual risk reflects the risk level after implementing the documented controls. This methodology is aligned with the principles of ISO 27005 and NIST SP 800-30.
7. CROSS-BORDER DATA TRANSFERS
Document Data: No transfer occurs
Licensing Data: Stored in Microsoft Azure Table Storage (US East 2 and Canada East regions). Support ticket data stored in the same Azure regions.
No sensitive health data is transferred or stored outside the user’s environment.
8. ASSUMPTIONS AND DEPENDENCIES
This assessment is based on the following assumptions:
The user organization maintains adequate endpoint security
Access to the workstation is properly controlled
Users operate within a secure IT environment
RecordIQ does not mitigate risks arising from compromised endpoints or improper user access controls.
9. INDIVIDUAL RIGHTS AND TRANSPARENCY
Individuals may request access or correction via the customer
Response timelines: thirty (30) calendar days for access and correction requests, with a possible extension to sixty (60) days with prior notice to the requester (Quebec Law 25 art. 35). Contact: legal@recordiq.app (Designated Privacy Officer).
RecordIQ provides transparency through publicly available documentation
Privacy inquiries handled via designated contact channel
10. INCIDENT MANAGEMENT
RecordIQ maintains procedures to:
Detect and assess confidentiality incidents
Notify relevant authorities where required
Notification timelines: as soon as feasible under PIPEDA (s. 10.1); with diligence under Quebec Law 25; within sixty (60) calendar days under HIPAA (45 CFR 164.410). See the RecordIQ Breach Notification Policy for detailed procedures.
Support affected organizations in breach response
11. LAW 25 SPECIFIC COMPLIANCE
Privacy by default enforced (maximum confidentiality settings)
No profiling, tracking, or automated decision-making
PIA completed prior to system deployment
De-identification tools available within the Software
French-language documentation is available at recordiq.app/politique-confidentialite. Interface localization for Quebec Law 25 compliance is in development.
Consent: Express consent is obtained for any sensitive personal information processing, as required by Law 25’s reformed consent provisions.
Incident register: RecordIQ maintains a register of confidentiality incidents as required by Law 25.
Data portability: Individuals have a right to data portability under Law 25 art. 27 (effective September 22, 2024). License-related data may be provided in a commonly used format upon request.
Transparency: RecordIQ publishes its privacy governance policies on its website at recordiq.app/privacy.
12. CONCLUSION AND RECOMMENDATIONS
12.1 Overall Risk Determination
The Software presents a low overall privacy risk, primarily because document processing is entirely offline and non-networked.
12.2 Key Strengths
Complete elimination of network-based exposure for sensitive data
Strong encryption and local processing controls
Minimal collection of administrative data
12.3 Recommendations
Maintain offline architecture
Continue periodic security and compliance audits
Expand localization support for Quebec regulatory alignment
13. REVIEW AND MAINTENANCE
This PIA shall be:
Reviewed annually
Updated upon any material change to data handling practices
Reassessed prior to introducing network-enabled features
CONTACT
Ulises Rodriguez, Founder & CEO (Designated Privacy Officer)
RecordIQ Software LLC
legal@recordiq.app
© 2026 RecordIQ Software LLC. All rights reserved.
For questions about this document, contact support@recordiq.app.