YankzWorld
Compliance Platform · 2025 · Private · Law 25 Platform

Québec Law 25 compliance platform — assessment engine, gap analysis, action planning, evidence vault, and template library

A full-stack compliance platform that guides Québec businesses through Law 25 readiness — a 9-domain weighted assessment engine mapping answers to CAI compliance themes, automated gap analysis with severity classification, phased action plans (7-day, 30-day, 60-day, 90-day), an evidence vault with file management, 8 Law 25 starter document templates, team user management, bilingual interface, and a three-tier plan structure. Sold outright: one purchase, all features included, no recurring fees.

The problem

Québec's Law 25 requires private-sector organisations to document, assess, and act on personal data practices across nine compliance domains. Most businesses have no idea where to start, lack internal expertise to run a structured assessment, and can't afford legal consultants for the full process.

Approach

  • 9-domain weighted assessment engine (Accountability 15%, Governance 15%, Transparency 12%, Consent 12%, Incidents 12%, PIA 10%, Transfers 8%, Retention 8%, Security 8%) — guided questionnaire with conditional questions based on business type, save-and-resume per domain, and final scoring producing a 0–100 readiness score with Low / Medium / High / Critical risk classification
  • Automated gap analysis — 23+ predefined finding templates mapped to failing question keys, each with domain-specific descriptions and severity ratings based on CAI compliance criticality
  • Phased action plan generated from findings — Immediate (7-day), 30-day, 60-day, and 90-day phases with priority levels, assignable ownership, due dates, and status tracking (Open → In Progress → Done)
  • Evidence vault — file upload linked to specific assessments or action items, multiple file type support, UUID-based storage, listing with name/type/date, and deletion
  • Template library with 8 Law 25 starter documents — Privacy Policy, Governance Policy, Consent Wording, Privacy Impact Assessment, Incident Register, Retention Policy, Photo Release Form, and Vendor Assessment Checklist — downloadable as Markdown or JSON
  • Team user management (Admin and Staff roles) — admin creates and manages staff accounts with no self-signup; user activation, deactivation, and deletion included
  • Compliance report generation — full report including assessment metadata, all questionnaire responses, findings list, and complete action plan; JSON export with PDF framework
  • FastAPI backend with Supabase for auth, PostgreSQL storage, and file storage; row-level security on all tables; bilingual interface (EN/FR), light and dark theme; three-tier plan structure (Starter, Pro, Business) with feature gating by report detail level, template access, evidence uploads, and team size

Outcome

  • End-to-end Law 25 compliance workflow in one product — structured assessment, prioritised findings, phased action plan, and supporting documentation without a consultant
  • Business-type-specific guidance (website, office, salon) ensures recommendations are relevant rather than generic — the platform adapts its findings and action items to the organisation's actual context
  • Fully portable: deploy to a client's own Supabase instance by running one SQL schema file and setting three environment variables
