HarbourScan maps your SaaS tools to parent jurisdictions, flags CLOUD Act exposure, and shows you exactly which tools trigger Law 25 documentation obligations.
If your organization uses tools like Microsoft 365, Google Workspace, Slack, or Salesforce to handle Quebec personal information — Law 25 applies to you.
Map your stack in your browser. Select your tools, see your jurisdictional exposure map. No account required.
Map Your Stack — free →Free for any Canadian organization. No credit card. No spam.
Law 25 applies to any organization handling personal information of Quebec residents — regardless of where you're headquartered. It's in full force. Enforcement has begun.
Any organization operating in Quebec or handling data of Quebec residents — including businesses headquartered elsewhere in Canada. If you have Quebec customers, employees, or users, you're subject.
Organizations must demonstrate where personal data is held, who can access it, and whether it crosses jurisdictions — including to the U.S. via your SaaS tools' parent companies or integrations.
Most compliance teams focus on their own systems. But your SaaS stack and its integrations silently move data across borders. That's where your Law 25 exposure actually lives.
Law 25 gives individuals the right to know where their data is held. If you can't answer that about your SaaS tools, you're not compliant — and you're not ready for a CAI audit.
Select your tools and see your jurisdictional exposure map in minutes. Free, in your browser, nothing stored.
HarbourScan flags every tool under foreign jurisdiction, counts your compliance gaps, and identifies which transfers require a TIA.
Choose the level of documentation you need — from a professional Sovereignty Snapshot ($350) to full compliance documentation with TIA guidance ($2,000).
Get prioritized remediation guidance. Know exactly which tools to replace, reconfigure, or renegotiate — and in what order.
Or 4% of worldwide turnover — whichever is greater. Administrative penalties apply even for non-intentional violations. The time to act is before the audit.
"U.S. law requires providers to disclose data regardless of where it is stored. Data stored in Canada is still reachable via U.S. subpoena."
HarbourScan addresses each of these directly — and generates documentation for all of them.
Know what personal data you hold and where it lives — including across all third-party SaaS tools.
HarbourScan maps thisIdentify when data crosses into foreign jurisdictions — including silent data flows via SaaS integrations.
HarbourScan flags thisEvaluate third-party providers' compliance posture before onboarding — and continuously afterward.
HarbourScan scores thisRespond to individual requests about where their data is held and how it's used — within required timelines.
HarbourScan enables thisAssess the privacy impact of any new technology or process involving personal information.
HarbourScan supports thisMaintain records of all compliance activities — and produce them on demand for the CAI.
HarbourScan generates thisMost organizations complete the scan in under 10 minutes. No account required. Choose the level of documentation you need after you see your results.
Free scan for any Canadian organization. Professional documentation from $350.