Enter your domain: we check whether your email and website meet the “reasonable security measures” required by Québec's Law 25 — explained without legal jargon.
Free, no signup. Result in 15 seconds, with the full report (SPF, DKIM, DMARC, website).
Law 25 requires every business operating in Québec to protect personal information with reasonable security measures — without saying which ones. In practice, two technical fronts are unavoidable and publicly verifiable: your email (a domain without SPF/DKIM/DMARC lets a fraudster write to your clients in your name — a reportable confidentiality incident) and your website (HTTPS, valid certificate, security headers if you collect any information at all). This test checks both and gives you a clear score.
Three central obligations since September 2023: protect personal information (reasonable measures), report confidentiality incidents presenting a risk of serious injury, and designate a privacy officer. Québec's regulator (CAI) can impose significant penalties — but demonstrating your diligence completely changes how an incident is assessed.
Document your checks: our free report downloads as a dated PDF — concrete evidence of your measures. Continuous monitoring (free for 1 domain) does the rest: daily checks and alerts if your posture degrades. For the legal context: our Law 25 and email security guide.
Yes. Law 25 applies to any business collecting personal information in Québec, whatever its size — a client email address, a contact form or a mailing list is enough.
No. Full compliance also covers your internal policies, consent and governance. This test checks the “reasonable security measures” side of your email and website, one of the most concrete and verifiable pieces. It is not legal advice.
An unprotected domain lets a fraudster send emails in your name to extract personal information from your clients — exactly the kind of confidentiality incident the law requires you to prevent and report.
The CAI can impose significant administrative penalties, and a poorly handled incident above all costs you your clients' trust. Demonstrating reasonable measures (such as a DMARC policy set to reject and a secured site) completely changes the assessment.
Yes. The full check (email + website) is free with no signup. We only read public information (DNS, site headers).