Law 25: are you compliant?

Enter your domain: we check whether your email and website meet the “reasonable security measures” required by Québec's Law 25 — explained without legal jargon.

Free, no signup. Result in 15 seconds, with the full report (SPF, DKIM, DMARC, website).

What does this Law 25 test check?

Law 25 requires every business operating in Québec to protect personal information with reasonable security measures — without saying which ones. In practice, two technical fronts are unavoidable and publicly verifiable: your email (a domain without SPF/DKIM/DMARC lets a fraudster write to your clients in your name — a reportable confidentiality incident) and your website (HTTPS, valid certificate, security headers if you collect any information at all). This test checks both and gives you a clear score.

What the law concretely requires

Three central obligations since September 2023: protect personal information (reasonable measures), report confidentiality incidents presenting a risk of serious injury, and designate a privacy officer. Québec's regulator (CAI) can impose significant penalties — but demonstrating your diligence completely changes how an incident is assessed.

How do you demonstrate diligence?

Document your checks: our free report downloads as a dated PDF — concrete evidence of your measures. Continuous monitoring (free for 1 domain) does the rest: daily checks and alerts if your posture degrades. For the legal context: our Law 25 and email security guide.

Frequently asked questions

Does Law 25 apply to my small business?

Yes. Law 25 applies to any business collecting personal information in Québec, whatever its size — a client email address, a contact form or a mailing list is enough.

Does this test make my business Law 25 compliant?

No. Full compliance also covers your internal policies, consent and governance. This test checks the “reasonable security measures” side of your email and website, one of the most concrete and verifiable pieces. It is not legal advice.

What is the link between my email and Law 25?

An unprotected domain lets a fraudster send emails in your name to extract personal information from your clients — exactly the kind of confidentiality incident the law requires you to prevent and report.

What does my business risk in case of a breach?

The CAI can impose significant administrative penalties, and a poorly handled incident costs you, above all, your clients' trust. Demonstrating reasonable measures (like a DMARC policy set to reject and a secured site) completely changes the assessment.

Is the test really free?

Yes. The full check (email + website) is free with no signup. We only read public information (DNS, site headers).
