Clear, operator-grade answers to the most common PPCDA questions Canadian SaaS teams ask.
PPCDA introduces new obligations around evidence, retention, access control, and vendor alignment — this FAQ helps teams understand what’s actually required.
PPCDA is Canada’s new privacy law focused on operational evidence — not just policies.
PPCDA applies to any organization handling personal data of Canadians, including SaaS companies.
Evidence includes logs, exports, screenshots, deletion proof, access records, and vendor confirmations.
A DSAR is a user request to access, delete, or correct their data; PPCDA requires proof of each step.
Yes — vendors must enforce your retention, deletion, and access requirements.
Retention enforcement is proof that data is deleted on schedule: automated, manual, and exception-based.
PPCDA is Canada’s Personal Privacy and Data Control Act. It shifts privacy from policy statements to operational evidence. Teams must prove how data is accessed, deleted, retained, and shared — not just document intentions.
PPCDA applies to any organization handling personal data of Canadians. SaaS companies, service providers, and vendors must all comply, regardless of size.
Evidence includes logs, exports, screenshots, deletion confirmations, access records, vendor guarantees, retention enforcement logs, and audit trails. PPCDA requires verifiable artifacts — not policy statements.
A DSAR is a user request to access, delete, or correct their personal data. PPCDA requires timestamped logs, verification steps, exports, deletion proof, and a complete audit trail.
Yes. Vendors must enforce your retention schedule, deletion requirements, access controls, and DSAR support. PPCDA requires evidence of vendor alignment — not just contracts or SOC 2 reports.
Retention enforcement is proof that data is deleted on schedule. PPCDA requires automated deletion logs, manual deletion proof, exception tracking, and vendor retention alignment.
An audit trail is a timestamped record of every action taken during a compliance workflow. PPCDA requires full audit trails for DSARs, retention enforcement, vendor reviews, and access control changes.
Yes — PPCDA expects evidence of encryption at rest, encryption in transit, key rotation, and vendor encryption alignment.
Yes. Teams must provide evidence of periodic access reviews, MFA enforcement, privileged access restrictions, and revocation logs.
Vendors must provide deletion proof, access logs, retention alignment, DSAR support, and updated evidence during renewals.
Kelunoa helps teams centralize evidence, map ownership, and operationalize PPCDA compliance across privacy, ops, and security.