Compliance Summary – Law 25
Accolad – Updated 2025-09-18
Background and objective
Quebec's Bill 25, also known as the Act to Modernize Legislative Provisions for the Protection of Personal Information, strengthens the obligations of organizations that collect or process personal information. This includes obtaining explicit consent before any non-essential collection (for example, through tracking technologies such as cookies), transparency about data use, and the implementation of robust security measures. This document summarizes the measures Accolad has implemented to comply with this law and is intended to respond to requests from customers or partners wishing to verify this compliance.
Consent and management of cookies
Law 25 requires that any data collection via tracking technologies be preceded by clear and informed consent. Consequently, here's what Accolad has put in place:
- Consent banner: A banner is automatically displayed to all site visitors. It requests permission before installing non-essential cookies and is configured according to several legal frameworks (Bill 25 – Quebec, General Data Protection Regulation [GDPR] for the EU/EEA, UK GDPR for the United Kingdom, US personal data protection laws [CCPA/CPRA for California, VCDPA for Virginia, CPA for Colorado, CTDPA for Connecticut and UCPA for Utah], LGPD – Lei Geral de Proteção de Dados Pessoais in Brazil, PIPEDA – Personal Information Protection and Electronic Documents Act in Canada, LPRP – Personal Information Protection Act in Alberta and British Columbia, APPI – Act on the Protection of Personal Information in Japan, PDPA – Personal Data Protection Act in Thailand, LPD – Federal Data Protection Act in Switzerland).
- Detailed descriptions: Each cookie is described individually (name, duration, purpose), in addition to being classified by category (necessary, functional, analytical, marketing), in order to ensure complete transparency.
- Preference management: Users can accept or refuse certain categories of cookies and modify their choices at any time.
- Automated detection and filters: Security mechanisms may block automated scans by some audit tools, which can cause those tools to falsely report undescribed cookies. In practice, cookies are set in accordance with legal requirements.
Privacy and Security
The law requires the implementation of organizational, physical, and technological measures to protect data. At Accolad, these measures include:
- Hosting and certifications: Personal data is stored on servers located in Canada that are ISO/IEC 27001:2022 certified and comply with the CSA STAR CCM v4.0 framework.
- Encryption and access controls: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Access requires multi-factor authentication (MFA) and is governed by a role-based access control (RBAC) system with granular permissions that enforces the principle of least privilege.
- Internal policies: Data loss prevention (DLP), access management and data minimization policies are in place.
- Continuous monitoring and audits: Production environments are continuously monitored using centralized logging solutions and a SIEM system. Audit logs are retained and vulnerability tests are performed regularly.
- Cybersecurity insurance: Accolad has insurance covering network security and privacy up to $10,000,000 per occurrence. No cybersecurity incidents have been reported in the past five years.
Rights of data subjects
Law 25 grants individuals extensive rights, such as the right to access, rectification, portability, erasure, and withdrawal of consent. Accolad responds to these rights as follows:
- Right of access and rectification: Any person may consult the data held by Accolad concerning them and request its rectification via the contact details provided in the privacy policy.
- Right to erasure and portability: Upon request, Accolad will delete personal information or provide a portable copy (subject to legal obligations).
- Withdrawal of consent: Users can withdraw their consent for data collection or marketing communications at any time.
- Incident notification: A response plan is in place. The relevant authorities and affected individuals will be notified in the event of a breach that could cause serious harm.
Third Party Relations and Supplier Management
For any subcontracting or transfer of data, Accolad ensures that suppliers respect an equivalent level of protection, in accordance with the requirements of Law 25:
- Contractual clauses: Contracts with suppliers include obligations regarding security, limitation of data use, retention periods and audit rights.
- Confidentiality agreements: A confidentiality agreement is signed with each partner or client, guaranteeing the confidentiality of the information exchanged.
- Periodic assessments: Suppliers' security measures are assessed regularly and audits may be conducted to verify compliance.
Continuous improvement
Accolad adopts a continuous improvement approach. External audit reports (e.g., UpGuard) are reviewed regularly. Relevant recommendations (strengthening DNS records, adjusting the Content Security Policy and clickjacking protections, optimizing cookie settings) are integrated into an action plan that is updated as needed.
Conclusion
Accolad applies rigorous practices to meet the requirements of Law 25:
- Obtaining explicit and transparent consent for cookies and tracking technologies.
- Implementation of advanced security measures and hosting on ISO/IEC 27001:2022 certified infrastructures.
- Respect for the rights of data subjects (access, rectification, erasure, portability, withdrawal of consent).
- Strict management of relationships with suppliers and subcontractors, particularly through solid contractual commitments.
In summary, Accolad complies with Bill 25 and demonstrates its commitment to the protection of personal information. This compliance is supported by technical, organizational, and contractual measures designed to ensure the confidentiality, integrity, and availability of its customers' and users' data.