PPCDA Evidence Checklist

A practical, operator-grade checklist to help Canadian SaaS teams map, validate, and centralize the evidence PPCDA requires.

Built for privacy, ops, and security teams who need clarity on what PPCDA actually expects — and who owns each evidence item.

Core Evidence Categories

DSAR Evidence

Intake logs, identity verification, fulfillment proof, deletion confirmations, timestamped audit trails.

Vendor Evidence

Security questionnaires, deletion guarantees, access control documentation, renewal evidence.

Retention Enforcement

Retention schedules, automated deletion logs, exception tracking, enforcement proof.

Access Control Evidence

Role definitions, permission mappings, access review logs, revocation proof.

Security Controls

Encryption evidence, incident logs, vulnerability management proof, backup verification.

Policy-to-Evidence Mapping

Documentation showing how each policy is operationalized, enforced, logged, and validated.

Detailed Checklist

DSAR Evidence

  • DSAR intake logs with timestamps
  • Identity verification steps
  • Data location mapping
  • Fulfillment proof (exports, screenshots, logs)
  • Deletion confirmations
  • Audit trail showing each step

Vendor Evidence

  • Vendor assessment records
  • Security questionnaire responses
  • Deletion guarantees and retention alignment
  • Access control documentation
  • Renewal evidence and risk scoring

Retention Enforcement

  • Retention schedules
  • Automated deletion logs
  • Manual deletion proof
  • Exception tracking
  • System-level enforcement evidence

Access Control Evidence

  • Role definitions and permission mappings
  • Access review logs
  • Revocation proof
  • MFA enforcement evidence
  • Privileged access monitoring

Security Controls

  • Encryption evidence
  • Incident response logs
  • Vulnerability management proof
  • Backup verification
  • System hardening records

Policy-to-Evidence Mapping

  • Policies mapped to operational workflows
  • Evidence showing enforcement
  • Logs validating each policy requirement
  • Ownership mapping across teams

Quietly Onboarding Canadian Teams

Kelunoa helps teams map evidence ownership across privacy, ops, and security — and centralize PPCDA compliance workflows.

Join the Waitlist