CanucktAI
Glossary

Cross-border data transfer

A cross-border data transfer is any movement of personal information outside the jurisdiction where it was collected — which, in Quebec, triggers a mandatory assessment before the data leaves.

Sending personal information to a service provider, affiliate, or server in another province or country is a cross-border transfer. Under federal PIPEDA, transfers for processing are allowed, but the organization remains accountable and must use contractual and other means to ensure a comparable level of protection.

Quebec’s Law 25 is stricter: before communicating personal information outside Quebec, you must conduct a privacy impact assessment (ÉFVP) that weighs the data’s sensitivity, the purpose, the safeguards in place, and the legal framework of the destination. The transfer may proceed only if the assessment shows the information will receive adequate protection, and it should be governed by a written agreement.

In practice: inventory your transfers in your ROPA, run the PIA where required, lock in contractual safeguards, and consider data residency options to reduce the number of transfers you have to justify.

Our own compliance

We run our own compliance programme inside Valdra — the product we sell. Our SOC 2, ISO 27001 and ISO 42001 programmes are actively in progress; we do not claim certifications we do not yet hold.

Valdra compliance badge — click to verify
  • PIPEDA
  • Law 25 (Quebec)
  • CASL
  • Data hosted in Canada 🇨🇦
  • AI governance
View our Trust Centre

Self-declared, not audited by a third party. Click the badge to verify it is genuine and see what it covers.

Cross-border data transfer — definition | Canuckt AI