Patient Privacy & Data Security

Your patients' data is protected at every step.

CadCan applies multiple independent layers of security to every case file, patient record, and clinical note that passes through our lab management platform. This document outlines how that protection works.

Layer 1: Encrypted in Transit
All data travels over TLS 1.3 - the same standard used by financial institutions. Nothing moves in the clear.

Layer 2: Encrypted at Rest
Every file is transmitted over TLS and encrypted server-side before being written to long-term storage. Stored files cannot be read without the corresponding key.

Layer 3: Encrypted in the Database
Patient names, dates of birth, and clinical notes are individually encrypted inside the database - not just the files.

How Your Files Move

From your practice to secure storage

Every upload follows a consistent path. Encryption is applied automatically before a file reaches long-term storage - your practice never has to think about it.

1. Upload (TLS 1.3): STL, X-ray, photo, or document sent from your portal.
2. Encrypt (AES-256-GCM): Unique key generated for this file. AES-256 encryption applied server-side.
3. Store (Keys Isolated): Ciphertext written to object storage. Key stored separately in encrypted database.
4. Deliver (Audit Logged): Decrypted inside our server, streamed to your browser over TLS - never stored in plaintext.
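
The encrypt, store and deliver steps above, sketched as an added Node.js example (not CadCan's code). It assumes file keys are wrapped under a key-encryption key before they are stored; KEK, seal, open, encryptFile and decryptFile are hypothetical names. The file ID is bound as GCM associated data, so a key row or ciphertext attached to the wrong file fails to decrypt.

```javascript
// Added example: per-file AES-256-GCM with the key kept apart from the ciphertext.
const crypto = require('node:crypto');

// Assumption: a key-encryption key (KEK) protects file keys inside the key
// database. Generated here for the demo; a real one lives in a KMS or HSM.
const KEK = crypto.randomBytes(32);

// AES-256-GCM encrypt with a fresh 96-bit nonce; aad binds the output to an ID.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt; final() throws if ciphertext, tag or aad do not match.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Steps 2 and 3: unique key per file; `object` goes to object storage,
// `keyRow` (the wrapped key) goes to a separate key table.
function encryptFile(fileId, plaintext) {
  const fileKey = crypto.randomBytes(32);
  const object = seal(fileKey, plaintext, fileId);
  const keyRow = seal(KEK, fileKey, fileId);
  fileKey.fill(0); // drop the plaintext key once both records exist
  return { object, keyRow };
}

// Step 4: unwrap the key, decrypt in memory, return plaintext for streaming.
function decryptFile(fileId, object, keyRow) {
  const fileKey = open(KEK, keyRow, fileId);
  try {
    return open(fileKey, object, fileId);
  } finally {
    fileKey.fill(0); // the unwrapped key never outlives the request
  }
}
```
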

Access Control

Who can see what - and why it matters

Encryption protects data at rest. Access control protects it in use. CadCan enforces strict role-based access so patient information is only visible to the parties who need it.

Your Dental Office

  • Sees only your own patients - never another practice's data
  • All files accessible through your authenticated portal account
  • Emailed download links expire automatically after 72 hours
  • Full download history available on request

Lab Designers

  • Case views show case IDs and appliance details - patient names are not included in designer-facing responses
  • Can download input files for a case; source files may contain identifiers depending on how the submitting office exported them
  • Every file download is logged with timestamp and identity
  • Cannot access billing, office details, or patient records

Lab Administrators

  • Require two-factor authentication (2FA) to log in
  • Access restricted to platform management functions
  • Cannot export or bulk-download patient data
  • All admin actions recorded in the audit log - append-only at the application level

Audit Trail

  • Every login, upload, download, and case update is logged
  • Records include date, time, user identity, and IP address
  • Logs are append-only at the application level and not editable through the CadCan interface
  • Available to authorized parties for compliance review

What Is Protected

Data protected under this framework

The following categories of patient-related information are encrypted at rest inside the CadCan platform.

Important Information

CadCan operates as a technology platform for dental laboratory case management. The security measures described in this document reflect the technical controls applied by CadCan to data processed through its platform. These controls are designed to support compliance with applicable Canadian privacy legislation, including the Personal Health Information Protection Act (PHIPA), where CadCan functions as a service provider to regulated health information custodians.

Dental offices submitting patient data to CadCan remain the health information custodian under PHIPA and retain responsibility for ensuring that the disclosure of patient information to CadCan is authorized under their applicable regulatory framework. CadCan does not independently verify the legal basis for any data submission. Offices are encouraged to maintain their own data processing agreements and privacy policies consistent with their regulatory obligations.

Encryption and access control measures described here apply to data stored and processed within the CadCan platform. CadCan cannot be responsible for data security practices outside its platform boundary, including how downloaded files are handled, stored, or transmitted by the receiving party after delivery.

This document is provided for informational purposes. It does not constitute legal advice and does not create or modify any contractual relationship. For technical verification, compliance documentation, or a data processing agreement, please contact work@cadcan.ca.