Valdra·Canadian Privacy Compliance

Valdra/Data Governance

Trace where every type of
PII lives in your stack

A layered, left-to-right map showing how personal information enters, processes, stores, and exits your organization. Click any PII type to highlight only the paths carrying it. Auditor-grade evidence of data accountability.

Start Free Assessment View all features

comply.canuckt.ai/data-governance/flow-maps

Data Sources

CRM

Database

Cloud Storage

Analytics

Last scan

2 min ago

PII Data Flow Map

Showing active PII flows · Cross-border transfers highlighted · Click node to inspect

PII Found

Total Fields

Sensitive

Needs Review

Top PII Types

Name

SIN

DOB

Province

Built for Canadian businesses

421+Entity Types

95%+F1 Accuracy

0 bytesData Retained

🍁Canadian Servers

PIPEDACertified

3.5×

more personal data found than businesses expect during discovery

¹ Canuckt Data Discovery Report, 2025

Start Free Assessment

Records of Processing ActivitiesLaw 25 · PIPEDA

Processing Activity	Legal Basis	Data Categories	Retention
Customer Onboarding	Contract	Name, Email, ID	7 years
Email Marketing	Consent	Email, Preferences	Until withdrawal
Analytics	Legitimate	Usage, Device	2 years
HR Processing	Contract	SIN, Banking	7 years

Auto-updated as new data flows are detected · 4 activities

Find personal data you didn't know you had.

Canuckt's discovery engine scans your connected systems — CRM, cloud storage, email, databases — and surfaces personal information flows you didn't know existed. Average businesses find 3.5× more PII than expected.

Request a demo

Records of Processing ActivitiesLaw 25 · PIPEDA

Processing Activity	Legal Basis	Data Categories	Retention
Customer Onboarding	Contract	Name, Email, ID	7 years
Email Marketing	Consent	Email, Preferences	Until withdrawal
Analytics	Legitimate	Usage, Device	2 years
HR Processing	Contract	SIN, Banking	7 years

Auto-updated as new data flows are detected · 4 activities

Retention Schedules4 active policies

Customer Records

Archive → Delete · PIPEDA

7 years

Employee Data

Secure Delete · Provincial

7 years

Marketing Consents

Anonymize · CASL

Until withdrawal

Access Logs

Delete · Law 25

2 years

Automated Records of Processing Activities.

Law 25 and PIPEDA require documented data inventories. Valdra automatically maintains your ROPA as your systems change — new integrations, new vendors, new data types are detected and logged.

Request a demo

Additional features

Request a demo

Four-Layer Lineage View

Sources (consent forms, intake) → Internal apps → Storage (databases, file systems) → Third-party vendors. Industry-standard Sankey layout.

Auto-Derived Edges

Vendors aren't orphaned — we automatically pair each vendor with the asset whose data types overlap most. No manual flow drawing required.

PII-Type Filter Chips

Click "email" or "SIN" or "health" — only paths carrying that data type stay lit, everything else dims. Answers the auditor question "where does X end up?".

Sensitivity Heat-Ring

Red ring = node holds sensitive PII (SIN, health, passport, biometric, minor). Amber = medium. Slate = low. Risk visible at a glance.

CLOUD-Act + Cross-Border Pills

Each node tagged with US CLOUD Act exposure and cross-border data transfer flags — Law 25 art. 17 disclosures derive directly from this.

PNG Export

One-click 2x retina PNG for your ROPA appendix, PIA exhibits, or board pack.

“
Law 25 requires a data inventory we estimated would take 6 months to build manually. Canuckt's data discovery had our ROPA populated and mapped in under a week.
SL
Sophie Lavoie
Privacy Lead · Quebec Health Network