Free tool · 2 minutes

Assess your Bill 25 exposure in 8 questions.

No email required. No data transmitted — the calculation runs in your browser. You leave with a score out of 100 and a prioritized roadmap.

1. ChatGPT, Claude, Gemini, or Copilot internally

Do your employees use these tools with business data?

2. Privacy Impact Assessment (PIA)

Do you have a signed PIA for every generative AI tool in use?

3. Privacy Officer designated

Have you formally designated a Privacy Officer (Bill 25 art. 3.1)?

4. Privacy incident register

Do you maintain an incident register per art. 3.8 (since Sept. 2022)?

5. Cross-border transfers

Are your AI/SaaS vendors US-based or do they store data outside Canada?

6. Vendor contracts

Do your AI vendor contracts contain adequate-protection clauses?

7. Employee training

Have employees been trained on acceptable use of generative AI?

8. Redaction / anonymization before send

Do you have a deterministic mechanism to redact personal data before it is sent to an AI vendor?

How we calculate your score

The score is a weighted average of the 8 questions. Each dimension carries a distinct weight (cross-border transfers and PIA weigh more, for instance).

What the score is not: legal advice. For a defensible analysis before the Commission d'accès à l'information du Québec, consult a Canadian privacy lawyer. We can recommend several.