Law 25 Compliance

Law 25 compliance, under control.

Law 25 applies to every Quebec business that handles personal information. Observantia gives you the structure, the tools, and the audit trail to manage compliance without a legal team or a $30K consulting project.

The challenge

Law 25 is mandatory. Most organizations don't know where to start.

Quebec's privacy law requires every organization to protect personal information, respond to access requests within 30 days, report breaches, and conduct impact assessments before new projects. The obligations are real, the deadlines are tight, and the penalties are significant.

  • No dedicated legal team to interpret the requirements
  • Scattered spreadsheets and documents with no central tracking
  • No way to prove compliance when an auditor asks

Features

A command center for Law 25 compliance

Structured tools for each obligation in the law. Not a checklist; a system that tracks your work, meets your deadlines, and builds the evidence trail you need.

01. Compliance Assessments

Work through 100+ controls grouped by topic. Each one is rated Required, Recommended, or Optional. Mark your status, get a compliance score, and see exactly where the gaps are.

02. Incident Registry

When a breach happens, log it here. The tool assesses whether it poses a risk of serious injury and walks you through the legally required notification to the CAI.

03. Access Requests (DSR)

Someone asks for their data or wants it deleted? You have 30 days. Observantia tracks each request, calculates the deadline, and sends email reminders at 15 and 25 days.

04. Privacy Impact Assessments

Before launching any project that involves personal data, Law 25 requires a risk assessment. A guided 9-step form covers data flows, third parties, cross-border transfers, and mitigations.

05. Template Library

13 bilingual document templates: privacy policy, governance policy, incident response plan, consent forms, breach notification letter, and more. Customize them instead of starting from scratch.

06. Compliance Reports

Generate four types of PDF reports: Full Compliance, Executive Summary, Gap Analysis, and Audit-Ready. Data pulls directly from your assessments.

How it works

Three steps to compliance

Set up your organization, work through the assessments, and generate the reports and evidence you need.

1. Set up your organization

Create your account, identify your privacy officer, select your industry. Controls and recommendations adapt to your context.

2. Assess and document

Work through compliance controls, log incidents, track access requests, and attach evidence to everything. Save progress and come back anytime.

3. Report and prove it

Generate audit-ready reports with your compliance scores, gap analysis, and attached evidence. Board meeting or regulator audit: you're covered.

Who it's for

Built for the people managing compliance day-to-day

Privacy officers, HR directors, operations managers. If you're the one responsible for Law 25 in your organization, this is your tool.

Professional Services, Education, Financial Services, Retail, Manufacturing, Healthcare, Construction, Home Services

Stop guessing. Start proving.

Create your account, complete your first assessment, and generate a compliance report today.

Frequently asked questions

What is Law 25?
Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) is a Quebec law that strengthens the obligations of organizations regarding the protection of personal information. It applies to any organization that collects, uses, or shares personal information in Quebec.
Is my organization subject to Law 25?
If your organization collects, holds, uses, or shares personal information in Quebec, you are subject to Law 25. This includes private businesses, public bodies, and professional orders.
Does Observantia replace legal counsel?
No. Observantia is a compliance management tool that helps you structure and document your process. For specific legal advice, consult a lawyer specializing in personal information protection.
How long does it take to get started?
Most organizations complete their initial assessment in a few hours and generate their first compliance report the same day. Full compliance is an ongoing process, but Observantia gives you a clear starting point and tracks your progress.
Is my data secure?
Yes. Your data is hosted in Canada, encrypted at rest and in transit, and accessible only by authorized members of your organization. We use Supabase with servers located in the Canada-Central region.