HASP and PIPEDA

PIPEDA is Canada's federal private-sector privacy law. Its ten fair-information principles are satisfied by the same control set that underpins HASP's GDPR compliance — no separate tooling. Every paid tier, and the Free Evaluation tier, gets the same individual-rights mechanisms and the same cross-border transfer accountability.

The relationship

One control set, two convergent frameworks

PIPEDA and the GDPR are structurally convergent. All ten of PIPEDA's Schedule 1 fair-information principles map onto controls HASP already operates for GDPR — consent capture, individual access, correction, erasure, portability, the sub-processor register, and the signed audit chain. There is no separate work for PIPEDA: an Article 17 erasure is the same delete operation a Canadian individual relies on, and an Article 20 export is the same machine-readable access response.

The one PIPEDA-specific surface is cross-border transfer accountability. It is handled contractually in the HASP Data Processing Agreement (DPA) — the single instrument that already carries the GDPR controller-processor obligations and the CCPA / CPRA service-provider obligations. HIPAA obligations are handled separately by the Business Associate Agreement (BAA).

Schedule 1

The ten fair-information principles

PIPEDA's Schedule 1 sets out ten principles every organization must follow. Each is satisfied by a control HASP already operates — the table below maps the principle to the mechanism behind it.

Principle 1: Accountability
HASP is responsible for the personal information under its control, including information transferred to sub-processors. Accountability is documented in the DPA and the public sub-processor register.

Principle 2: Identifying purposes
The purposes for which personal information is collected are identified at or before collection — in the Privacy Policy, the DPA, and (for PHI) the Business Associate Agreement.

Principle 3: Consent
Where HASP relies on consent as the basis for processing, consent is captured and can be withdrawn at any time, subject to legal and contractual restrictions.

Principle 4: Limiting collection
HASP collects only the personal information needed to operate the platform. Tenant data is isolated at the database and application layers; nothing is collected for secondary purposes.

Principle 5: Limiting use, disclosure, retention
Personal information is used only for the documented business purpose, never sold, never shared for advertising. Retention follows the published schedule; erasure runs a 30-day cascade.

Principle 6: Accuracy
Individuals can challenge the accuracy of their personal information and request corrections, in-app or through an account administrator acting on their request.

Principle 7: Safeguards
AES-256 encryption at rest, TLS 1.3 in transit, role-based access control, and a hash-chained, Ed25519-signed audit log of every data-touching action.

Principle 8: Openness
HASP's privacy practices are public — the Privacy Policy, the DPA, the sub-processor register, and the Trust Center document what is collected, why, and where it flows.

Principle 9: Individual access
An individual can request the personal information HASP holds about them, and how it has been used or disclosed, via a machine-readable export.

Principle 10: Challenging compliance
An individual can challenge HASP's compliance with these principles by contacting [email protected], and escalate to the Office of the Privacy Commissioner of Canada if not satisfied.

Cross-border transfers

Accountability for data that leaves Canada

Personal information that originates in Canada may be transferred to and processed in the United States — HASP's infrastructure and several sub-processors are US-based. There is no Canada-US bilateral adequacy mechanism comparable to the EU-US Data Privacy Framework. PIPEDA addresses this through accountability rather than adequacy.

Schedule 1 §4.1.3
The originating organization remains accountable for personal information transferred to a third party for processing, even when that processing happens outside Canada. HASP does not shed responsibility by handing data to a sub-processor.
Contractual safeguards
HASP discharges that accountability through clauses in the DPA requiring every sub-processor to maintain protection equivalent to what PIPEDA requires — covering security, purpose limitation, and onward-transfer restrictions.
Transparency
Every direct sub-processor that may receive Canadian personal information is listed publicly on our sub-processors page, with the processing purpose, the data categories, and the storage region.
Advance notice
HASP gives 30 days' advance notice before adding or materially changing a direct sub-processor, so a Canadian customer can assess any new transfer before it takes effect.

Individual rights

What a Canadian individual can do

Access
Request the personal information HASP holds about you, and how it has been used or disclosed — served by the same machine-readable export that satisfies GDPR Article 20.
Correction
Challenge the accuracy and completeness of your personal information and request corrections, in-app or through an account administrator acting on your request.
Withdrawal of consent
Where HASP relies on consent as the basis for processing, you may withdraw it at any time, subject to legal or contractual restrictions.
Challenging compliance
Challenge HASP's compliance with PIPEDA by contacting [email protected], and escalate to the Office of the Privacy Commissioner of Canada if you are not satisfied with the response.

Where HASP processes personal information on behalf of a customer, HASP will either forward a rights request to that customer or direct the individual to them — the customer is the organization accountable for data it controls.

What's next

The forthcoming CPPA (Bill C-27)

Bill C-27 proposes the Consumer Privacy Protection Act as PIPEDA's successor. The bill is not yet law. HASP's existing control set is designed to satisfy it ahead of enactment — but no CPPA compliance claim is made until the legislation comes into force.

When it does, the same single control set is expected to cover it. Adding a framework means mapping existing controls to new requirements — no new commitments, no changes to how data is handled. That is the same reason PIPEDA and GDPR already share one control set today.

Substrate posture

PIPEDA is universal, not a tier feature

HASP's compliance posture is a floor at every paid tier and at the Free Evaluation tier — not a feature gated to Enterprise. The DPA, the individual-rights tooling, the cross-border accountability clauses, the sub-processor transparency, and the security controls that back them up all apply uniformly. The Trust Center documents the full posture.

The corollary: a Canadian buyer evaluating HASP does not need a higher tier to get a DPA or the individual-rights primitives. Enterprise differentiation is about the dedicated data plane, region selection, SSO enforcement, and procurement workflow — not about whether PIPEDA is honored.

FAQ

PIPEDA — frequently asked

Is HASP PIPEDA compliant?
Yes. PIPEDA — the Personal Information Protection and Electronic Documents Act — is Canada's federal private-sector privacy law. Its ten fair-information principles (Schedule 1) are satisfied by the same controls that underpin HASP's GDPR compliance: consent capture, individual access, correction, erasure, portability, the sub-processor register, and the signed audit chain. PIPEDA does not have a government-issued certification; compliance is demonstrated through controls, contracts, and documented practice — all of which HASP publishes.
Which HASP customers does PIPEDA apply to?
PIPEDA applies whenever HASP processes the personal information of a Canadian data subject, or whenever the customer is a Canadian-domiciled organization. It governs personal information collected, used, or disclosed in the course of commercial activity. A Canadian buyer evaluating HASP does not need a special tier — PIPEDA support is part of the universal compliance posture that applies at every paid tier and the Free Evaluation tier.
How does PIPEDA relate to GDPR?
The two frameworks are structurally convergent. All ten PIPEDA fair-information principles map onto controls HASP already operates for GDPR — accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance. There is no separate work for PIPEDA. The one PIPEDA-specific surface is cross-border transfer accountability, handled contractually in the DPA.
What is cross-border transfer accountability, and how does HASP handle it?
Personal information that originates in Canada may be transferred to and processed in the United States — HASP's infrastructure and several sub-processors are US-based. Under PIPEDA Schedule 1 §4.1.3, the originating organization remains accountable for personal information transferred to a third party for processing, even when that processing happens outside Canada. There is no Canada-US bilateral adequacy mechanism equivalent to the EU-US Data Privacy Framework. HASP discharges this accountability through contractual clauses in the DPA that require every sub-processor to maintain protection equivalent to what PIPEDA requires.
How does HASP support Canadian individual rights?
Access: an individual can request the personal information HASP holds about them and how it has been used or disclosed — served by the same machine-readable export that satisfies GDPR Article 20. Correction: an individual can challenge the accuracy of their personal information and request corrections, in-app or through an account administrator. Withdrawal of consent: where HASP relies on consent as the basis for processing, it can be withdrawn at any time, subject to legal or contractual restrictions. Erasure follows the same 30-day cascade as a GDPR Article 17 request.
What if a Canadian individual is not satisfied with HASP's response?
PIPEDA gives individuals the right to challenge an organization's compliance and, if not satisfied with the response, to escalate to the Office of the Privacy Commissioner of Canada (OPC). HASP's first step for any rights request or complaint is [email protected]. Where HASP processes personal information on behalf of a customer, HASP will either forward the request to that customer or direct the individual to them, since the customer is the organization accountable for that data.
Is HASP ready for the Consumer Privacy Protection Act (CPPA, Bill C-27)?
Bill C-27 proposes the Consumer Privacy Protection Act as PIPEDA's successor. The bill is not yet law. HASP's existing control set is designed to satisfy it ahead of enactment — but no CPPA compliance claim is made until the legislation comes into force. When it does, the same single control set is expected to cover it, consistent with how PIPEDA and GDPR already share controls.
Where is PIPEDA compliance offered — on which plans?
Every paid plan and the Free Evaluation tier. PIPEDA support is part of HASP's universal compliance posture: the same compliance floor applies at every tier. There is no upgrade gate on the DPA, the individual-rights tooling, the sub-processor transparency, or the cross-border accountability clauses. Enterprise customers additionally receive a dedicated data plane and region selection for residency requirements.

Talk to us

Canadian privacy contacts

PIPEDA inquiries
[email protected]

DPA execution, sub-processor questions, cross-border transfer assessments, pre-filled privacy questionnaires.

Individual rights
[email protected]

For HASP's own first-party processing. Customer end-user requests should be directed to the organization that holds the account.

Enterprise procurement
[email protected]

Countersigned DPA, custom assessment scope, dedicated data plane and region selection, SSO enforcement.