Canada's accountability infrastructure · Built on the IPC handbook
IPC May 2025 Framework · Now Operationalized

The Operating System for Demonstrable Accountability.

The system of record for healthcare governance and regulatory evidence.

  • Operationalize IPC’s May 2025 accountability framework
  • Generate insurer-ready audit packages in one click
  • Monitor PHIPA, HIA, PIPA, and Law 25 continuously
Evidence package (evidence-package.csm/clinic) · PHIPA · HIA · PIPA · Law 25
Evidence collected (each item shown as PENDING, then as CERTIFIED under CSM · CLINIC):
  • Privacy policy
  • Staff training log
  • Breach response plan
  • Vendor BAAs
  • SRA report
Demonstrable accountability · Auto-assembled
Why now
  • 30 days to a documented program
  • $25M max Law 25 fine · ON, QC active
  • 72h breach notice — SickKids ruling
The phrase
"Demonstrable accountability."
The IPC's own term in Decision 298 for what every regulated organization must now build. We made it accountability infrastructure.
Active Governance — Live System State

Compliance is not a snapshot. It's a living state.

CybershieldMaple continuously records every governance event — training completions, evidence seals, vendor reviews — so your organization's accountability posture is always current and defensible.

  • Real-time: Governance event logging — no manual entries
  • Timestamped: Every action cryptographically recorded
  • Continuous: Accountability posture updated automatically
Governance Feed · Real-time
  • Annual Privacy Training Attested by 14 Staff · PHIPA · 2m ago · LOGGED
  • Evidence Package Cryptographically Signed & Sealed · IPC · 1h ago · LOGGED
  • Law 25 ÉFVP Assessment Completed · Law 25 · 3h ago · LOGGED
  • Vendor Risk Review Logged: Microsoft Azure · BAA · 1d ago · LOGGED
  • Privacy Policy v4.2 Approved & Timestamped · PHIPA · 2d ago · LOGGED
  • Incident Response Drill Logged — 72h Readiness Check · HIA · 4d ago · LOGGED
SYSTEM OF RECORD · All events immutable · Signed · Versioned
The Exposure Matrix

Clinical systems manage the data. Governance systems prove you managed it responsibly.

Your EMR is a clinical system — built for patient care. It cannot produce the governance layer the IPC, OIPC, and CAI require. That structural gap is what leads to adverse findings.

What your EMR covers
Oscar · TELUS PS Suite · OSCAR Pro
  • Encrypts patient records at rest and in transit
  • Manages access permissions per user role
  • Maintains an audit log of record access
  • Stores clinical notes and prescriptions
What your EMR can't produce
The documents regulators actually ask for
  • A documented Privacy Policy
  • An Incident Response Plan
  • Staff Training Logs with attestations
  • Vendor Business Associate Agreements
  • A Security Risk Assessment (SRA)
CSM fills the governance gap
IPC May 2025 Framework · System of Record
  • Written privacy policies & notices
  • Documented incident response plan
  • Staff training log with signed attestations
  • Vendor BAA register with renewal alerts
  • Security Risk Assessment (SRA)
CSM — Accountability Infrastructure

In IPC Decision 298, the adjudicator did not ask the clinic about their EMR. They asked for the privacy policy, the incident response plan, and the staff training log. None of those live in any clinical system.

The core distinction

Security protects.
Compliance proves.

The IPC didn't ask the clinic in Decision 298 about their EMR. They asked for the privacy policy, the incident response plan, and the staff training log. None of those live in any security tool.

Security tools
Huntress · CrowdStrike · Defender
What it does
  • Block malware on endpoints
  • Detect intrusions in logs
  • Patch known CVEs
What it can't do
  • Show what controls exist
  • Produce evidence packages
  • Map to PHIPA / HIA / Law 25
  • Answer a mid-cycle insurer audit
THIS IS US
CybershieldMaple
The compliance layer
What it does
  • Document the policies regulators expect
  • Auto-collect and timestamp evidence
  • Map every control to the right law
  • Generate the audit packages they actually ask for
One platform · Every provincial framework

Built on Canadian law,
not retrofitted from US frameworks.

Vanta and Drata map SOC 2 and HIPAA. CSM maps the IPC’s own May 2025 handbook, the HIA, BC PIPA, and Law 25 — including the French-native documentation no US tool has built.

PHIPA · ACTIVE
YT · NT · NU · BC · AB · SK · MB · ON · QC · NB · NS · PE · NL
Legend: Covered today | Live in 2026 | Roadmap | Federal overlay · PIPEDA
Active framework
PHIPA
Decision 298 AMPs · Aug 2025
REGULATOR: IPC
PROVINCES: ON
CSM COVERAGE: 100% of handbook items automated
EVIDENCE OUTPUTS: Policies · IRP · BAAs · Training log · SRA
v3 brand rule
We never say "PHIPA" to an Alberta clinic. The platform — and our voice — adapts to your jurisdiction the moment you tell us where you operate.
Who We Serve

Built for every stakeholder in Canadian healthcare.

From independent clinics to multi-tenant MSP consoles, from Series A diligence packs to insurer renewals — one platform adapts to your compliance reality.

Accountability infrastructure · Every control

The governance controls every Canadian healthcare organization needs to demonstrate.

Built on the IPC handbook, mapped to PHIPA, HIA, PIPA, and Law 25. Every control applies to clinics in Ontario, Alberta, BC, and Québec.

  • Security Risk Assessment: IPC chapter 4
  • Privacy Impact Assessments: PIA · Law 25 ÉFVP
  • Breach Response: 72-hr IPC workflow
  • Vendor BAA Registry: PHI vendors · Renewal
  • Staff Training & Attestations: IPC chapter 5
  • Evidence Packages: Insurer · IPC · Hospital
  • Accountability Mapping: PHIPA · HIA · PIPA · Law 25
Evidence Integrity

Every record is timestamped, signed, and immutable.

Chain of Custody

Every governance action is linked to the prior event, creating an unbroken evidentiary chain from day one to the moment of audit.

Signed Attestations

Staff training, policy approvals, and vendor reviews produce signed records. No unsigned evidence enters the repository.

Versioned Governance History

Every policy iteration is retained. Regulators and auditors can inspect the full history of your governance program — not just its current state.

Auditor-Proof by Design

Because records are immutable and versioned, there is nothing to reconstruct under pressure. Your accountability state is continuously documented, not assembled after the fact.

Two product lines · One continuous compliance OS

From daily endpoint telemetry
to a sealed Quebec certification.

The Endpoint Intelligence Platform builds the evidence base every day. The BCH TGV Pipeline converts that evidence into formal certification with BC-MSSS. Together they replace the spreadsheet sprawl that locks healthcare technology out of the $35B Quebec market.

EIP · Always on

Endpoint Intelligence Platform

Continuous compliance monitoring and evidence generation. Delivered through MSPs. Maps daily telemetry into the policy automation regulators expect to see.

  • PHIPA / HIA / PIPA / Law 25 mapping
  • Policy authoring with handbook templates
  • Staff training log + attestations
  • Vendor BAA registry + renewal
  • 72-hour breach response workflow
  • Insurer & hospital evidence packs
BCH TGV · Certification

BCH TGV Pipeline Automation

End-to-end Quebec SSSS certification workflow. From first BC-MSSS contact through post-cert continuous monitoring. AU3 MFA, Secure Vault, 15-day pentest remediation gate.

  • Org profile + NEQ + probity intake
  • 200+ criteria · auto-tracked
  • PIA Assistant (Law 25)
  • Secure Vault — no SMTP attachments
  • Two-phase auditor remediation loops
  • Annual self-decl + biennial DR
How it works

From silence
to a sealed certificate.

Output · Sealed evidence pack
  • CSM · PHIPA | IPC OF ONTARIO | PHIPA Compliance Report | DEMONSTRABLE | ISSUED 2025 · v1.0
  • CSM · HIA | OIPC ALBERTA | HIA Privacy Program | READY | ISSUED 2026 · v2.0
  • CSM · LAW25 | CAI · QUÉBEC | Programme Loi 25 | FR-NATIF | ISSUED 2027 · v3.0
  • CSM · TGV | BC-MSSS · SANTÉ QUÉBEC | Attestation TGV | CERTIFIED | ISSUED 2028 · v4.0
The IPC handbook, automated

The May 2025 handbook
is the software spec.

We didn't write a generic GRC tool and adapt it for Canada. We took every chapter of the Privacy Management Handbook for Small Health Care Organizations and turned it into a control, a template, and a piece of evidence in our database.

HANDBOOK → CONTROLS · 100% mapped
  • Ch. 1 | Accountability framework | 12 controls | auto
  • Ch. 2 | Privacy policies & notices | 8 controls | auto
  • Ch. 3 | Consent & individual rights | 9 controls | auto
  • Ch. 4 | Security risk assessment (SRA) | 14 controls | guided
  • Ch. 5 | Staff training & attestations | 6 controls | auto
  • Ch. 6 | Vendor / BAA management | 11 controls | auto
  • Ch. 7 | Breach response (72h) | 7 controls | auto
  • Ch. 8 | Audit & continuous improvement | 9 controls | auto
Where CSM shows up
  • IPC Decision 298
  • OIPC Alberta
  • CAI · Law 25
  • BC-MSSS · Santé Québec
  • Sherweb · Pax8
  • IAPP Canada
Plans & Pricing

Flexible, Transparent Pricing for Canadian SMBs

Choose the AI-powered protection plan that best fits your business needs. All plans offer a 14-day free trial and can be canceled anytime.

Accountability Maturity Benchmark

See how your current program measures up
against the IPC's 2025
Accountability Framework.

We provide the benchmark; you decide the path forward. A 30-minute governance readiness assessment anchored to your jurisdiction, your regulatory exposure, and the specific evidence the IPC would ask for today.

What you walk away with
  • A governance gap map for your province
  • An evidence inventory: what you have and what's missing
  • What a sealed evidence package looks like for your next audit
  • A 30-day path to demonstrable accountability