Free tool

Cybersecurity and Privacy Requirements for Your Organization

Answer a few questions about where you operate, what data you hold, what sector you are in, and what customers or contracts you support. The questionnaire maps Canadian cybersecurity and privacy requirements across privacy law, critical infrastructure, defence contracting, financial services, health privacy, breach reporting, anti-spam, payment card, and baseline control expectations.

Canada is the only country available right now. The goal is practical triage: identify the requirements your organization needs to validate, assign, and turn into controls. This tool is not legal advice.

Questionnaire

Find the requirements that apply to your organization.

Answer the sections in order. Your requirements update from the answers, and Canada is the only country available right now.

Country and Provinces or Territories

Start with where your organization operates, has employees, serves customers, or stores regulated data. The country list is intentionally narrow for this version: Canada is available now, and other countries can be added later.

Canada (available now)

Provinces or territories

Select every province or territory where your organization operates, has employees, customers, regulated data, or vendors handling Canadian data.

At least one location stays selected so the results always have a Canadian operating footprint.

Coverage

Canadian cybersecurity and privacy coverage included in this version.

The page is written for security leaders, privacy owners, founders, operators, and CISOs who need a practical first pass before calling counsel, preparing a board briefing, or answering customer diligence. It does not try to replace legal review. It helps you ask sharper questions before the meeting.

PIPEDA, BC PIPA, Alberta PIPA, and Quebec Law 25

The questionnaire checks for federal PIPEDA signals and then separates the province-specific laws: British Columbia's BC PIPA, Alberta PIPA, and Quebec Law 25. It also calls out when more than one privacy law may need validation because data crosses borders, vendors are involved, or the company is federally regulated.

Privacy breach reporting and health privacy

The tool flags privacy breach reporting, breach recordkeeping, regulator notice paths, and provincial health privacy analysis when personal, employee, health, biometric, government ID, or youth information is selected.

Bill C-8 and Critical Cyber Systems Protection Act readiness

The critical infrastructure signals cover Bill C-8, the Critical Cyber Systems Protection Act, designated operators, critical cyber systems, cyber program duties, incident reporting, and vendor risk flow-down for suppliers to critical infrastructure.

Canadian Program for Cyber Security Certification (CPCSC)

The defence and specified government information signals flag CPCSC and the need to confirm whether Level 1 certification or other cyber clauses appear in select defence contracts.

CASL, OSFI Guideline B-13, CIRO, PCI DSS, and sector obligations

The questionnaire separates anti-spam and software consent requirements, federally regulated financial institution expectations, investment dealer incident reporting, card payment requirements, and energy or operational technology signals.

CCCS Baseline Cyber Security Controls

Every result includes the CCCS Baseline Cyber Security Controls as a recommended baseline so smaller teams still leave with a practical control starting point while they validate stricter requirements.