Law 25 TIA Template, March 2026
Model Transfer Impact Assessment Template for Law 25
By Joshua van Es, Founder of Upper Harbour
The Commission d'accès à l'information du Québec (CAI) has not published a standard TIA template. This is the first publicly available structured framework for completing Transfer Impact Assessments under Law 25 — designed specifically for SaaS and cross-border data transfers.
Why this template exists
Law 25 requires a Privacy Impact Assessment (commonly called a Transfer Impact Assessment or TIA) before personal information is communicated outside Quebec. This requirement has been in effect since September 22, 2023. The statute specifies what the assessment must evaluate, but provides no standard format or template for documenting the assessment.
The result: most organizations subject to Law 25 have no clear starting point for their TIA documentation. Many have not completed a single assessment, despite using dozens of cross-border SaaS tools. According to Upper Harbour's Canadian Technology Sovereignty Index, a typical organization using 15–20 SaaS tools will need 10–16 TIAs — each covering a different vendor's jurisdictional chain.
This template provides a structured, seven-section framework based on Law 25's statutory requirements, the CAI's published guidance, and Upper Harbour's research into SaaS jurisdictional exposure. It is designed to be completed once per vendor and updated annually or when material changes occur.
How to use this template
Complete one TIA per SaaS vendor that processes personal information outside Quebec. The template is organized into seven sections. Sections 1–3 establish the factual basis (what data, where it goes, what laws apply). Sections 4–5 evaluate protections. Sections 6–7 document your risk determination. HarbourScan automates sections 1–3 for your entire SaaS stack.
The template
1. Transfer Scope & Data Inventory
Establish what personal information is being transferred and why.
SaaS Vendor Name
[Vendor name as used in your organization]
Service Description
[Brief description of the service and its role in your operations]
Categories of Personal Information Transferred
☐ Employee data
☐ Client/customer data
☐ Health information
☐ Financial data
☐ Contact information
☐ Usage/behavioural data
Sensitivity Level
☐ Low
☐ Medium
☐ High
☐ Sensitive (Law 25 definition)
Under Law 25, sensitive information includes health, financial and biometric data, and information about minors under 14.
Purpose and Necessity of Transfer
[Why this data must be processed by this vendor — is there a less invasive alternative?]
Approximate Volume
[Number of Quebec residents whose personal information is processed]
2. Jurisdictional Chain Mapping
Identify every jurisdiction the data may be subject to through the vendor's corporate and operational structure.
Vendor Parent Company
[Ultimate parent company name]
Parent Company Country of Incorporation
[Country — this determines primary jurisdictional exposure]
CLOUD Act Exposure
☐ Yes — US-incorporated parent
☐ No — not US-incorporated
☐ Indirect — US subsidiary or operations
Data Storage Location(s)
[Physical locations of primary data storage, backup, and replication]
Canadian Data Residency Available?
☐ Yes — enabled
☐ Yes — not enabled
☐ No
Sub-Processors
[List all known sub-processors, their jurisdictions, and the nature of their data access]
Check the vendor's sub-processor list (usually published on their trust/privacy page). Note jurisdictions for each.
Personnel Access Locations
[Where are support staff, engineers, and other personnel with data access located?]
3. Receiving Jurisdiction Legal Framework
Assess whether the receiving jurisdiction provides adequate privacy protection.
Primary Receiving Jurisdiction
[The jurisdiction(s) whose laws govern the vendor's data handling]
Government Access Authorities
[For US jurisdiction: CLOUD Act, FISA Section 702, Executive Order 12333, National Security Letters. For other jurisdictions: identify equivalent authorities.]
Does the Jurisdiction Require Notice Before Disclosure?
☐ Yes
☐ No
☐ Conditional (gag orders possible)
Under the CLOUD Act, US courts can issue non-disclosure orders preventing the vendor from notifying you.
Adequacy Determination
[Does the receiving jurisdiction provide a level of protection equivalent to Quebec? Document your assessment rationale.]
Note: No jurisdiction has received a formal adequacy determination from the CAI. This assessment is your organization's responsibility.
4. Contractual Safeguards
Document the legal protections in place between your organization and the vendor.
Data Processing Agreement (DPA) Executed?
☐ Yes — executed
☐ Available — not yet executed
☐ Not available
DPA Covers Law 25 Requirements?
☐ Yes
☐ Partially
☐ No — generic/GDPR only
Vendor Commitment to Contest Government Access Requests
[Does the vendor's DPA or terms include commitments to challenge or contest government access requests? Document specific provisions.]
Breach Notification Provisions
[Timeline and process for vendor to notify you of security incidents]
Audit Rights
☐ Direct audit right
☐ Third-party audit (SOC 2/ISO)
☐ No audit provisions
5. Technical & Supplementary Measures
Evaluate technical safeguards that may mitigate jurisdictional risk.
Encryption at Rest
☐ Yes — vendor-managed keys
☐ Yes — customer-managed keys
☐ No/Unknown
Customer-managed encryption keys provide stronger protection because the vendor cannot decrypt data in response to government requests.
Encryption in Transit
☐ TLS 1.2+
☐ TLS 1.3
☐ Unknown
Access Controls
[Role-based access, MFA, SSO, least privilege: document what is in place]
Data Minimization Measures
[Can data be pseudonymized or anonymized before transfer? Can you limit what fields are shared?]
6. Residual Risk Assessment
Based on sections 1–5, determine the residual risk after all safeguards are applied.
Overall Residual Risk Level
☐ Low — adequate protections in place
☐ Medium — some gaps; supplementary measures recommended
☐ High — significant exposure; transfer should be reconsidered
☐ Unacceptable — transfer should not proceed
Risk Rationale
[Explain the basis for your risk determination. Reference specific findings from sections 1–5.]
Recommended Mitigations
[If risk is medium or high, what additional measures could reduce exposure?]
7. Transfer Determination
Document your organization's decision and maintain the assessment record.
Determination
☐ Transfer approved — adequate protection demonstrated
☐ Transfer approved with conditions — supplementary measures required
☐ Transfer suspended — pending additional safeguards
☐ Transfer prohibited — inadequate protection
Conditions (if applicable)
[Specific conditions that must be met for the transfer to proceed]
Assessed By
[Name and role of person completing the assessment]
Approved By (Privacy Officer)
[Name of designated Privacy Officer]
Date of Assessment
[Date]
Next Review Date
[Minimum: annually, or upon material change in vendor structure]
When to update a TIA
A completed TIA should be reviewed and updated when the vendor changes corporate structure (acquisition, merger, change of parent company), when the vendor changes data storage or processing locations, when the legal framework of the receiving jurisdiction changes, when the types of personal information processed through the vendor change, or at minimum once per calendar year.
Automate the jurisdictional research
HarbourScan maps your SaaS tools to their parent jurisdictions, flags CLOUD Act exposure, and identifies data residency availability, completing Sections 1–3 of this template for your entire stack in about 10 minutes.
For more context on the legal requirements this template addresses, see Upper Harbour's guides on Transfer Impact Assessments under Law 25, Law 25 and your SaaS stack, and the CLOUD Act and Canadian data.