How to stay PIPEDA compliant on Makerble: Guidance for Canadian organizations

Canada's federal privacy law governs how personal information is collected and used in the course of commercial activity. Here's how Makerble supports your organisation's obligations under PIPEDA.

At Makerble, protecting personal information is fundamental to how we build and maintain our platform. This article explains how Makerble supports compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and what your organisation needs to do to use the platform responsibly under Canadian privacy law.

Please note: This article provides general guidance only and is not legal advice. Canada's privacy landscape includes both federal and provincial laws. For advice specific to your organisation's situation, consult a qualified Canadian privacy lawyer or the Office of the Privacy Commissioner of Canada (OPC). For questions about Makerble's practices, contact data.security@makerble.com.

Does PIPEDA apply to your organisation?

PIPEDA applies to private sector organisations that collect, use or disclose personal information in the course of commercial activity. Nonprofits are generally exempt unless they engage in commercial activities such as selling merchandise, running paid events or holding personal information for commercial purposes.

Where PIPEDA does not apply, provincial laws might apply instead. Quebec's Law 25 (Bill 64) is significantly more stringent than PIPEDA and applies broadly to any organisation handling personal information of Quebec residents, which includes nonprofits. If your organisation operates in Quebec, Law 25 compliance is almost certainly required regardless of your commercial activities.

Alberta and British Columbia have their own private-sector privacy laws deemed substantially similar to PIPEDA. The principles in this article apply comparably to those frameworks.

PIPEDA's 10 fair information principles

PIPEDA is built around 10 fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use / disclosure / retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles broadly align with respected data protection frameworks used around the world, e.g. the EU's GDPR and Australia's APPs.

1. Data security and encryption: Safeguards principle

PIPEDA's safeguards principle requires organisations to protect personal information with security safeguards appropriate to the sensitivity of the information. This includes protection against loss, theft, unauthorised access, disclosure, copying, use or modification.

Makerble's safeguards include:

At rest: All data stored within Makerble is encrypted using AES encryption.

In transit: All data transmitted between users and the platform is protected using SSL/TLS encryption.

Additional measures: Cloudflare and Wazuh firewall protection, Grafana and Loki real-time monitoring and logging, internal VPNs for secure access, and six-monthly security audits covering access controls, encryption standards, incident response and physical security.

2. Access controls

Makerble restricts access to personal information through:

Two-Factor Authentication (2FA): Available for all user accounts.

Role-based access controls: Administrators can control which team members access which records within the platform.

These controls support the safeguards principle and your organisation's broader duty to protect personal information from unauthorised access.

3. Cross-border transfers: Accountability principle

Makerble is hosted on Microsoft Azure in Ireland (EU). When your organisation uses Makerble, personal information is stored and processed in the European Union.

Under PIPEDA, cross-border transfers of personal information for processing are permitted, but the transferring organisation remains accountable for the protection of that information and must use contractual or other means to ensure a comparable level of protection. PIPEDA does not require data to remain in Canada; it requires that the data is protected wherever it goes.

Makerble processes your organisation's data under the terms of our Data Processing Agreement. The EU's GDPR provides a level of data protection that is comparable to or exceeding PIPEDA's requirements, making Ireland a sound jurisdiction for Makerble's infrastructure from a Canadian compliance perspective.

We recommend your organisation:

  • Documents the cross-border transfer in its privacy policy
  • Retains a copy of Makerble's Terms and Conditions and Data Processing Agreement as evidence of the contractual safeguards in place
  • Notifies individuals that their personal information may be transferred to and processed in the EU, and that it may be accessible by courts, law enforcement and national security authorities in that jurisdiction, as recommended by the Privacy Commissioner of Canada

Note for Quebec organisations: Law 25 requires a Privacy Impact Assessment (PIA) before transferring personal information outside Quebec. If your organisation is subject to Law 25, you must complete a PIA covering Makerble's EU-hosted infrastructure before using the platform to process personal information of Quebec residents.

4. Breach notification

Canada's mandatory breach notification rules require organisations to report to the OPC and notify affected individuals when a breach of security safeguards creates a real risk of significant harm. Records of all breaches must be maintained, even those that do not trigger notification obligations.

Makerble has an incident response process in place including automated monitoring, a dedicated cybersecurity team, and clear communication procedures. In the event of a security incident affecting your organisation's data, we will notify you promptly with the information you need to assess your notification obligations.

5. Individual access and correction

Under PIPEDA, individuals have the right to access their personal information and to challenge its accuracy. Your organisation, as the entity collecting and holding data, is responsible for responding to these requests.

Makerble supports this through:

  • Contact record management: Administrators can locate, view, edit and delete individual contact records within the platform
  • Data export: Contact and survey data can be exported in CSV format, enabling efficient responses to access requests

6. Consent and purpose limitation

PIPEDA requires that personal information is collected only with the knowledge and consent of the individual, for purposes that a reasonable person would consider appropriate in the circumstances. Consent must be meaningful; vague, bundled, or implied consent is increasingly subject to scrutiny, particularly under Quebec's Law 25 which requires express consent for sensitive information.

When configuring Makerble for your programmes:

  • Be clear about purpose: only create fields for information you genuinely need
  • Obtain appropriate consent at the point of intake or sign-up, explaining how information will be used
  • Do not repurpose data collected for one programme for a different programme without obtaining fresh consent

What your organisation needs to do

To use Makerble in compliance with PIPEDA and applicable provincial laws:

  • Determine whether PIPEDA, Law 25, or a provincial equivalent applies to your organisation's activities
  • Update your privacy policy to name Makerble as a data processor and describe the cross-border transfer to EU infrastructure
  • Notify individuals at the point of collection of the purpose of data collection and the EU-based hosting arrangement
  • Complete a Privacy Impact Assessment if subject to Quebec's Law 25 before processing personal information of Quebec residents
  • Retain a copy of Makerble's Terms and Conditions and Data Processing Agreement as evidence of your contractual safeguards
  • Respond to access and correction requests using Makerble's contact management and export tools
  • Maintain breach records and notify the OPC and affected individuals where required

For questions about Makerble's security and data practices, contact data.security@makerble.com. For guidance on PIPEDA, visit the Office of the Privacy Commissioner of Canada. For Quebec's Law 25, visit the Commission d'accès à l'information.