
How to Evaluate Whether Your Technology Vendors Are Law 25 Compliant

Willie Savard, CEO & Co-founder, Tchat N Sign. April 28, 2026. 12 min read.


Under Law 25, your responsibility for your clients' personal information doesn't stop at your firm's walls. When you entrust data to a technology vendor (CRM, email platform, electronic signature tool, cloud storage, video conferencing software), you remain responsible for protecting that data. If a breach occurs at your vendor because their security measures were inadequate, it's your firm that faces the class action from your clients.

Choosing a compliant vendor isn't a luxury. It's a legal obligation and a direct financial protection measure.

Your Responsibility Doesn't Stop at Your Walls

Law 25 requires any enterprise that entrusts personal information to a third party to ensure, by contract, that the third party provides sufficient protection guarantees. The enterprise must ensure that the information is used only for the intended purposes, that adequate security measures are in place, and that the information is destroyed at the end of the mandate.

In practice, this means you can't simply choose the cheapest or easiest-to-configure vendor and hope for the best. You must evaluate their security and privacy practices before entrusting your clients' data to them. And this evaluation must be documented in a PIA, especially if the vendor is located outside Quebec. [Our PIA guide details the process](/blog/pia-privacy-impact-assessment-law-25).

If you've never evaluated your current vendors, start now. In the event of a breach, a court could consider that choosing a vendor without adequate security measures constitutes gross negligence in itself, exposing you to a [class action with the $1,000-per-person floor](/blog/law-25-class-action-risk-small-firms).

The 5 Vendor Evaluation Criteria

Every vendor that touches your clients' data should be evaluated against five fundamental criteria.

1. Security Certifications

Certifications are proof that an independent third party has verified the vendor's security practices. They don't guarantee the absence of breaches, but they demonstrate a verifiable level of due diligence.

  • SOC 2 Type II is the most relevant certification for cloud vendors. It covers five trust principles: security, availability, processing integrity, confidentiality, and privacy. "Type II" means the auditor verified that controls actually function over a period of time (typically 6 to 12 months), not merely that they exist on paper (which would be Type I). Demand Type II.
  • ISO 27001 is the international standard for information security management systems (ISMS). It covers risk management, access controls, encryption, physical security, business continuity, and regulatory compliance. An ISO 27001-certified vendor has implemented a systematic security management framework, audited annually.
  • ISO 27701 is the ISO 27001 extension specific to privacy management. It covers additional requirements for personal information protection: consent, individual rights, incident notification, and international transfers. A vendor certified ISO 27701 on top of ISO 27001 offers the most comprehensive coverage for both security and privacy.

What's not enough: A simple statement on the vendor's website claiming they are "compliant" or that they "take security seriously." Without verifiable certification by an independent auditor, these statements have no evidentiary value.

2. Data Residency

The physical location where your clients' data is stored has direct legal implications under Law 25.

  • Data hosted in Quebec: Ideal situation. No PIA is required for the transfer (a PIA is still required for the technology project itself if it's a new system).
  • Data hosted in another Canadian province: PIA mandatory for the transfer. The assessment of the destination's legal framework is generally favorable, as Canadian provinces have recognized data protection laws.
  • Data hosted in the United States: PIA mandatory. The absence of a U.S. federal data protection law comparable to Law 25 or GDPR requires deeper analysis. Contractual clauses (DPA), vendor certifications, and technical security measures become essential to demonstrate adequate protection.
  • Data hosted in Europe: PIA mandatory, but the assessment is generally favorable thanks to the robust GDPR framework.

The common trap: A vendor claiming to host data "in Canada" without specifying the province. Ask for the exact location. A data center in Toronto or Vancouver still triggers the PIA obligation for the out-of-Quebec transfer. Also ask whether data can be replicated or temporarily transferred to other jurisdictions (for backups, processing, or disaster recovery).

3. DPA (Data Processing Agreement)

The DPA is the contract that legally binds your vendor to specific obligations regarding personal information protection. Law 25 requires that any enterprise entrusting data to a third party do so through a written contract.

An adequate DPA should cover at minimum:

  • The types of personal information processed and the purposes of processing
  • The prohibition on the vendor using data for purposes other than the contractual service
  • The security measures the vendor commits to maintaining
  • The obligation to notify your firm in the event of a privacy incident, with a specific timeframe
  • Subcontracting obligations (can the vendor entrust your data to its own subcontractors?)
  • The procedure for destroying or returning data at the end of the contract
  • The right to audit or access compliance reports

What's not enough: The vendor's standard Terms of Service (ToS). ToS are drafted to protect the vendor, not you. A specific DPA is necessary. Most serious vendors offer one upon request. If a vendor refuses to sign a DPA, that's a significant red flag.

4. Incident Notification Policy

When a breach occurs at your vendor, the speed at which you're informed determines your ability to fulfill your own obligations under Law 25. You must notify the CAI "with diligence" and inform your clients if the risk is serious. You can't do that if your vendor takes three weeks to notify you.

Verify that your vendor commits contractually (in the DPA) to notifying you within a specific timeframe in the event of an incident. A 24-to-72-hour window is reasonable. Also verify that the notification will include the necessary information: the nature of the incident, the types of data affected, the number of individuals concerned, and the measures taken.

5. Right to Audit

The right to audit allows you to verify, directly or through a third party, that your vendor is meeting its contractual commitments regarding security and privacy.

In practice, few small firms will conduct a direct audit of their vendor. But the right to audit serves as both a negotiating lever and a guarantee. If a vendor categorically refuses any right to audit, even in the form of access to their SOC 2 reports, that's concerning.

Acceptable alternatives to direct audit rights include providing the most recent SOC 2 Type II report (typically under a confidentiality agreement), verifiable ISO 27001 certification, and recent penetration test results.

Certifications Decoded: What Each Actually Covers

Certification acronyms can be confusing. Here's what each one concretely verifies.

  • SOC 2 Type II verifies that the vendor's security controls actually work on a daily basis over a 6-to-12-month period. The auditor (an accredited accounting firm) tests access, logs, alerts, backups, and incident management processes. It's the most concrete and operational certification. Renewed annually.
  • ISO 27001 verifies that the vendor has implemented an information security management system (ISMS) compliant with the international standard. The audit covers governance, risk management, policies, and technical and organizational controls. Certification is valid for 3 years, with annual surveillance audits.
  • ISO 27701 verifies specific privacy management practices: personal information processing, consent management, individual rights, privacy incident notification, and international transfers. It complements ISO 27001 by adding the "privacy" layer to the "security" layer.
  • SOC 2 + ISO 27001 + ISO 27701: This is the most comprehensive combination. It covers operational security (SOC 2), the management system (ISO 27001), and privacy management (ISO 27701). A vendor holding all three offers the highest level of assurance available on the market.
  • SOC 1: Does not concern information security. It's an audit of financial controls. Not relevant for Law 25 compliance evaluation.
  • HIPAA Compliance: Relevant only for U.S. health data. It has no direct value under Law 25, but it indicates the vendor is accustomed to working in a regulated environment.

Quick Checklist: 10 Questions to Ask Every Vendor

Before signing a contract with a vendor that will process your clients' data, ask these ten questions. The answers will directly feed your PIA.

1. Where is the data physically hosted? Demand the country and province (or state). Not just "in North America."
2. Can data be transferred or replicated to other jurisdictions? Some vendors replicate data across multiple data centers for redundancy. You need to know this.
3. Do you hold SOC 2 Type II, ISO 27001, or ISO 27701 certifications? Ask to see the certificates or reports. A certified vendor will provide them without hesitation.
4. Do you offer a DPA? If the vendor doesn't know what a DPA is, you have your answer.
5. What is your notification timeframe in the event of a privacy incident? The answer should be a number of hours, not "as soon as possible."
6. What is your data retention and destruction policy? What happens to your clients' data when you terminate the contract? Is it deleted? Within what timeframe? How?
7. What access controls are in place? Encryption in transit and at rest, multi-factor authentication, role-based access, access logging.
8. Is our clients' data used to train AI models or for purposes other than the contractual service? This question has become critical with the proliferation of AI tools. If the answer is yes, or "not currently," that's a risk to document.
9. Can we access your most recent SOC 2 report? Most certified vendors provide it under a confidentiality agreement (NDA).
10. What happens to our data if your company is acquired, merged, or goes bankrupt? Few firms ask this question, but it can have major consequences if your clients' data ends up with an unknown acquirer.

A vendor that answers all ten questions clearly and promptly demonstrates compliance maturity. A vendor that evades, delays, or doesn't understand the questions is a risk you bear personally.

Red Flags

Certain answers (or lack of answers) should make you reconsider your choice of vendor.

  • No verifiable certification. A compliance statement on a website is not a certification. If the vendor holds no SOC 2, no ISO 27001, no independent audit, you have no external guarantee of their security practices.
  • Refusal to sign a DPA. A vendor that refuses to commit contractually to protecting the data you entrust to them doesn't take compliance seriously. Find an alternative.
  • Inability to specify data location. If the vendor can't tell you exactly where your data is stored, they probably don't control their own hosting chain.
  • Vague or absent incident notification timeframe. "We will notify you within a reasonable timeframe" is not an acceptable answer. Demand a contractual commitment in hours.
  • Data used for AI training without explicit consent. If the vendor uses your clients' data to improve its products or train its algorithms, that's an unauthorized use that directly exposes you.
  • No data destruction process at contract end. If your data remains indefinitely with a former vendor, your exposure surface only grows over time.

Why Data Residency in Canada Matters

For a Quebec financial services firm, a vendor hosting data in Canada (and ideally in Quebec) offers three concrete advantages.

  • The PIA is simplified. For Quebec hosting, the destination legal framework analysis isn't necessary (data doesn't leave the province). For hosting elsewhere in Canada, the assessment is generally favorable thanks to provincial and federal data protection laws.
  • The legal framework is consistent. Data remains under the jurisdiction of compatible personal information protection laws. In the event of litigation, Quebec and Canadian courts have jurisdiction. No conflict of laws between jurisdictions.
  • Your clients' perception. In the financial sector, trust is the foundation of the relationship. Being able to tell your clients that their data never leaves Canada is a concrete argument for transparency and security.

---

*This article is part of a series on Law 25 and compliance for financial services firms. See also:*

  • *[Quebec Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
  • *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
  • *[PIA: How to Conduct a Privacy Impact Assessment Under Law 25](/blog/pia-privacy-impact-assessment-law-25)*
  • *[Law 25 Class Actions: The Financial Risk Small Firms Underestimate](/blog/law-25-class-action-risk-small-firms)*

Frequently Asked Questions

Do I need to evaluate vendor compliance even for big companies like Microsoft or Google?

Yes. A vendor's size or reputation doesn't exempt you from your evaluation obligation. You still need to complete your PIA and document your analysis in your specific context. Large vendors generally make this easier by publishing certifications and offering standard DPAs.

My current vendor has no certifications. Do I need to replace them?

Not necessarily immediately, but you must act. Complete a PIA for that vendor, document the risks, ask about their certification roadmap, and evaluate alternatives. If the vendor processes sensitive data without adequate guarantees, a migration plan to a compliant vendor is prudent.

What is the difference between SOC 2 Type I and SOC 2 Type II?

Type I verifies that security controls exist at a given point in time. Type II verifies that these controls actually function over a 6-to-12-month period. Type II is significantly more reliable because it demonstrates that practices are applied daily, not just documented. Demand Type II.

Do a vendor's Terms of Service replace a DPA?

No. Terms of Service are general conditions drafted to protect the vendor's interests. They typically don't contain the specific commitments required by Law 25 regarding confidentiality, incident notification, purpose limitation, and data destruction. A DPA is a separate, specific contract that complements the ToS with personal information protection obligations.