Every NorthClaw technical control mapped to the Canadian privacy regulation it satisfies. Forward this page to your legal team.
Canada's federal private-sector privacy law. Each principle maps to a concrete NorthClaw control.
| Principle | NorthClaw control |
| --- | --- |
| Organization responsible for personal information under its control | Tamper-evident audit log with SHA-256 hash chain, designated data controller logging |
| Purposes identified at or before time of collection | CASL consent gate classifies commercial vs transactional, purpose recorded per message |
| Knowledge and consent required for collection, use, or disclosure | Real-time consent verification before every outbound message, consent database on host |
| Collection limited to what is necessary for identified purposes | Default-deny egress, agents can only access explicitly allowed data |
| Personal info used only for identified purposes, retained only as needed | Container isolation (agents can't see other agents' data), 120s hard timeout destroys containers |
| Personal information kept accurate, complete, and up-to-date | Consent database maintained on host with versioned records |
| Protected by security safeguards appropriate to sensitivity | 5-layer security model (container, network, credentials, audit, compliance) |
| Policies and practices readily available to individuals | Open source (MIT), all security controls inspectable |
| Right to access and challenge accuracy of personal information | /consent-export skill exports all consent records (JSON, CSV, text) |
| Ability to challenge an organization's compliance with these principles | Tamper-evident audit log provides complete evidence chain for regulators |
Requirements for sending commercial electronic messages. NorthClaw's consent gate handles these at runtime.
| Requirement | NorthClaw control |
| --- | --- |
| Explicit permission required before sending commercial electronic messages | Consent gate requires express consent for commercial messages, records consent type and timestamp |
| Permitted in limited circumstances with existing business relationship | Jurisdiction detection with automatic implied consent rules, time-limited tracking |
| CEMs must include sender identification, contact info, and unsubscribe mechanism | Automatic CASL field injection (sender ID, unsubscribe mechanism, physical address) |
| Functional unsubscribe in every CEM, processed within 10 business days | Built into CASL consent gate, processed within 10 business days |
Quebec's privacy law with stricter consent and data residency requirements.
| Requirement | NorthClaw control |
| --- | --- |
| PIA required for projects involving personal information | Audit log provides complete record for PIA |
| Consent required under Quebec-specific rules | Consent gate supports Quebec-specific consent requirements |
| Personal information must be handled with jurisdictional awareness | Canadian infrastructure, data stays on Canadian servers |
| Breach notification obligations under Law 25 | Tamper-evident audit enables rapid incident response and notification |
| Individuals can request their data in a transferable format | /consent-export provides data in standard formats |
Every control listed above is implemented in code, not policy documents. Your legal team can verify each one in the open-source repository.