This is not a comprehensive legal guide to PIPEDA or Quebec’s Law 25. Consult your privacy officer or legal counsel before deploying Philter in a regulated Canadian environment.
Canada has two distinct privacy frameworks that organizations handling personal information need to address: the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for organizations subject to Quebec law, the Act respecting the protection of personal information in the private sector (commonly called Law 25 or Bill 64). Both impose obligations that are well-served by a self-hosted redaction approach.
PIPEDA
PIPEDA governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. It applies to federally regulated industries and to interprovincial or international transfers of personal information.
Key obligations relevant to redaction:
- Purpose limitation. Personal information may only be used for the purpose for which it was collected. Redacting before sharing data internally or with third parties is a direct control for enforcing this.
- Safeguards principle. Organizations must protect personal information with security safeguards appropriate to its sensitivity. Redacting PII from logs, transcripts, and secondary datasets limits the scope of what needs to be safeguarded.
- Breach notification. Breaches that pose a real risk of significant harm must be reported to the Privacy Commissioner and to affected individuals. Reducing the volume of identifiable data in circulation reduces breach scope.
How Philter addresses PIPEDA: Philter detects and redacts the personal information categories covered by PIPEDA, including names, Social Insurance Numbers (SINs), addresses, dates of birth, health information, financial details, and contact information. Phinder can scan data stores (S3, GCS, Azure Blob, local filesystems) to locate where personal information is held before redaction. Self-hosted deployment means personal information never leaves your environment for processing.
Law 25 (Quebec)
Quebec’s Law 25 modernizes the province’s private-sector privacy law and is widely regarded as the strictest privacy statute in Canada. It applies to organizations that collect, hold, use, or communicate personal information about Quebec residents, regardless of where the organization is based.
Key obligations with direct operational implications:
- Data residency and localization. Before communicating personal information outside Quebec, organizations must assess the adequacy of protection and implement contractual safeguards. Self-hosted redaction inside your own Quebec or Canadian infrastructure avoids the question entirely for the redaction step itself.
- Minimization by default. Only information necessary for the stated purpose should be collected and retained. Automated redaction in pipelines before data lands in secondary systems is the practical implementation.
- Breach notification. Confidentiality incidents involving personal information must be reported to the Commission d’accès à l’information (CAI) and to affected individuals if the incident presents a risk of serious injury.
- Profiling and automated decision-making. Individuals must be informed and given the right to be assisted by a person when automated decisions are made using their personal information.
How Philter addresses Law 25:
- Data residency. Philter is self-hosted in Docker and runs inside your own environment: a VPC in a Canadian AWS, Azure, or GCP region, or on-premises. Personal information processed for redaction never crosses a border.
- Minimization. Policy-driven redaction strips personal information from text before it reaches analytics, AI training, or third-party systems. The policy file defines exactly which entity types are removed.
- Bilingual operation. Quebec law applies to organizations serving French-speaking residents. Philter handles French and English in the same deployment, with a separate policy per language. The French policy detects French person names and medical conditions and recognizes Canadian identifier formats. See Multilingual Medical PII Redaction: English and French with Philter for a full walkthrough with runnable examples.
Canadian identifiers
Canada uses a different set of identifiers than the US. The key ones Philter handles:
- Social Insurance Number (SIN). Nine-digit number in NNN-NNN-NNN format. The French-language policy in the multilingual demo uses the pattern \d{3}-\d{3}-\d{3} to detect and redact SINs, labeling them {{{REDACTED-canadian-id}}}.
- Provincial health card numbers. Format varies by province (Ontario’s is 10 digits; Quebec’s RAMQ number is formatted differently). Custom identifier patterns in a Philter policy file can cover each format. Use the Redaction Policy Editor to add patterns without editing JSON by hand.
- Standard identifiers. Names, addresses, dates of birth, phone numbers, and email addresses are detected the same way they are under HIPAA or GDPR policies.
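The SIN pattern above can be exercised outside Philter to see what a format-only match catches and misses. The following is an added example, not code from Philter or the demo repo: it runs the page's pattern over constructed text, then compares it with a stricter variant that goes beyond the page by adding boundary checks, alternative separators and the Luhn checksum that valid SINs satisfy. The function names, the stricter pattern and the sample text are assumptions of this example.

```python
import re

LABEL = "{{{REDACTED-canadian-id}}}"  # label text quoted on the page

# The pattern quoted on the page, applied on its own.
PAGE_PATTERN = re.compile(r"\d{3}-\d{3}-\d{3}")

# Assumption of this example: a stricter variant that accepts dash, space or
# no separator (consistently) and will not match inside a longer digit run.
STRICT_PATTERN = re.compile(r"(?<![\d-])\d{3}([- ]?)\d{3}\1\d{3}(?![\d-])")

# Constructed sample text: the two values that pass the checksum are test
# numbers, and the phone and file numbers are fictitious.
SAMPLE = ("NAS du patient : 046-454-286. Autre format : 130 692 544. "
          "Tel. : 514-555-0123. Dossier 123-456-789.")


def luhn_ok(digits):
    """Luhn checksum over a string of digits; valid SINs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_page_pattern(text):
    """Format-only redaction using the page's pattern."""
    return PAGE_PATTERN.sub(LABEL, text)


def redact_strict(text):
    """Redact only boundary-checked matches that also pass the checksum."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return LABEL if luhn_ok(digits) else m.group(0)
    return STRICT_PATTERN.sub(repl, text)


if __name__ == "__main__":
    print(redact_page_pattern(SAMPLE))  # spaced SIN missed, phone cut mid-number
    print(redact_strict(SAMPLE))        # both SINs redacted, phone left intact
```

The checksum trades recall for precision: a mistyped SIN fails Luhn and stays in the text. Where under-redaction is the greater risk, keep the format-only match and let the boundary checks handle phone numbers.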
Deployment for Canadian data residency
To keep personal information within Canada:
- Deploy Philter in a Canadian AWS region (ca-central-1 or ca-west-1), the Azure Canada Central region, or on-premises in a Canadian facility.
- Confirm that no Philter configuration sends data to external services. The default deployment has no outbound dependencies. Disable any optional OpenSearch or external cache integrations if they would route data outside the intended perimeter.
- For healthcare data, verify that the deployment region’s BAA or equivalent agreement is in place with your cloud provider for the underlying infrastructure. Philterd does not sign BAAs; Philter runs inside your own infrastructure and Philterd never receives your data. See Why Philterd Doesn’t Sign a BAA for the reasoning.
Getting started
The fastest path to a compliant Canadian deployment is to start with the multilingual demo repo (philterd/philter-multilingual-medical), which ships English and French policy files and a docker-compose.yaml. Adapt the French policy to add provincial health card number patterns for your province, point the deployment at a Canadian cloud region, and you have the core of a Law 25-ready redaction pipeline.
If you need help sizing the deployment, tuning policies for French clinical text, or mapping Philter’s controls to a Law 25 or PIPEDA audit questionnaire, get in touch.