When is a TIA required?

Under Law 25, a privacy impact assessment (which includes what's commonly called a Transfer Impact Assessment) is required before personal information is communicated outside Quebec. This applies whether the transfer is to another Canadian province or to a foreign country.

In the SaaS context, this is triggered every time personal information is processed by a vendor whose servers or parent company are outside Quebec. If your Montreal law firm uses Google Workspace, personal information in emails, documents, and calendar entries is being processed by a US-headquartered company on infrastructure that may be located anywhere globally. That triggers the TIA requirement.

The critical point: this requirement has been in effect since September 22, 2023. Organizations that have been using cross-border SaaS tools without completing TIAs have been technically non-compliant for over two years.

Common misconception

A TIA is not required only when you "send" data somewhere. It's required whenever personal information is accessible from outside Quebec. If your SaaS vendor's employees in the US can access your data for support purposes, that counts as a transfer — even if the data is stored on Canadian servers.

What a TIA must evaluate

Law 25 specifies that the assessment must consider several factors before personal information can be communicated outside Quebec. While the law doesn't prescribe an exact template, the Commission d'accès à l'information (CAI) has provided guidance on what the assessment should address.

The sensitivity of the information

Not all personal information carries the same risk. Employee social insurance numbers, client medical records, and financial account data are significantly more sensitive than business email addresses or job titles. Your TIA should classify the types of personal information being transferred and assess the potential harm if that information were disclosed, altered, or accessed without authorization.

The purposes of the transfer

Why is the information being communicated outside Quebec? The TIA should document whether the transfer is necessary for the purposes for which the information was collected, and whether those purposes could be achieved without the cross-border transfer.

The legal framework of the receiving jurisdiction

This is the most complex and consequential element. The assessment must evaluate whether the jurisdiction where the data will be processed provides an adequate level of protection — meaning privacy protections that are substantially equivalent to what Quebec law provides.

For US-bound transfers, this evaluation must account for the CLOUD Act, FISA Section 702, Executive Order 12333, and other US government surveillance authorities. It must also consider whether the US vendor is subject to sector-specific regulations (like HIPAA for health data) that may provide additional protections.

The protection measures and contractual safeguards

Even if the receiving jurisdiction doesn't provide fully adequate protections, the transfer may proceed if supplementary measures are in place. These include contractual clauses (data processing agreements, or DPAs) that bind the vendor to specific obligations, technical measures like encryption where the keys remain with the Canadian organization, organizational measures like access controls and audit rights, and legal measures like binding commitments to contest government access requests.

A practical TIA framework

Here's a step-by-step approach to completing a TIA for a SaaS vendor:

1. Identify the data flows

Document exactly what personal information flows to the vendor, including data types (names, emails, financial records, health data), data volume, data subjects (employees, clients, patients, students), and whether the data includes sensitive categories.

2. Map the jurisdictional chain

Identify the vendor's parent company and incorporation jurisdiction, the physical location of servers processing your data, any sub-processors the vendor uses and their jurisdictions, and whether the vendor's personnel in foreign jurisdictions can access your data.

3. Assess the legal framework

Evaluate the privacy laws of each jurisdiction in the chain. For US-bound data, document the CLOUD Act exposure, any applicable sector-specific protections, the vendor's published policies on government access requests, and whether transparency reports are available.

4. Document safeguards

Record what contractual, technical, and organizational measures are in place: the status of your DPA with the vendor, encryption standards (in transit and at rest), access controls and audit capabilities, breach notification commitments, and data deletion and portability provisions.

5. Assess residual risk and make a determination

Based on the above, determine whether the transfer provides adequate protection. If gaps exist, document what supplementary measures you'll implement — or, if the risk is unacceptable, consider alternative vendors or data handling arrangements.

TIA checklist for SaaS vendors

Use this as a starting checklist for each vendor assessment:

Vendor parent company and incorporation jurisdiction identified
Physical data storage location(s) documented
Sub-processors and their jurisdictions identified
Types of personal information transferred are classified
Sensitivity level of data assessed
Purpose and necessity of transfer documented
Legal framework of receiving jurisdiction evaluated
CLOUD Act / government access risk assessed (if US)
DPA executed with vendor
Encryption standards documented
Breach notification provisions confirmed
Adequacy determination made and documented
Supplementary measures identified (if needed)
Assessment signed and dated

How HarbourScan helps

Completing TIAs requires knowing, for each tool in your stack, who the parent company is, where they're incorporated, whether they're CLOUD Act exposed, and whether Canadian data residency is available. Gathering this information manually across 10–20 SaaS tools is time-consuming.

HarbourScan automates the first two steps of the TIA process: it maps your SaaS tools to their parent jurisdictions and flags CLOUD Act exposure, giving you the foundational data you need to complete the legal assessment and documentation.

Get started

Run a free HarbourScan assessment to map your stack's jurisdictional exposure in about 10 minutes. The output gives you the vendor-by-vendor jurisdictional data you need to begin your TIA documentation.

Ongoing maintenance

A TIA is not a one-time exercise. Your assessments should be reviewed whenever you adopt a new SaaS tool that processes personal information, when a vendor changes its corporate structure (acquisitions, mergers), when the legal framework of the receiving jurisdiction changes, when you change what data you process through a vendor, or at minimum annually as part of your privacy program review.

Maintaining a current register of your TIAs, alongside your SaaS inventory and DPA records, is the foundation of demonstrable compliance under Law 25.
