io4 Technologies

io4 glossary

29 Microsoft, Law 25 and cybersecurity definitions.

A reference lexicon for Québec decision-makers. Microsoft terms (Copilot, Defender XDR, Purview, Fabric), Law 25 (Privacy Officer, PIA, CAI, articles 12.1 / 17 / 27 / 93.1), cybersecurity (SOC, EDR, MDR, MTTR), public sector (SEAO, AMP, Treasury Board).

Category: Microsoft

Azure Reserved Instances

RI

A 1- or 3-year commitment on a stable Azure VM or service in exchange for a discount of up to 72% off the pay-as-you-go rate.

1 year: typically 30–40% off. 3 years: 55–72%. Not suitable for workloads that will migrate within 12 months. For variable workloads, prefer Azure Savings Plans (up to 65% off, more flexible, introduced in Oct. 2022).

Canada Central / Canada East

The two Microsoft Azure regions in Canada — Toronto (Canada Central) and Québec City (Canada East).

Canada Central has Availability Zones (high availability); Canada East does not. By default, Microsoft 365 hosts the tenant in Canada Central for Canadian organizations. For health information and certain Québec public bodies, Canada East is preferred.

Conditional Access

A set of access rules in Entra ID that evaluates context (user, device, location, risk) before allowing a sign-in.

It can require MFA, block legacy protocols (POP/IMAP/SMTP basic auth), restrict by country, and require an Intune-compliant device. It is the foundation of Zero Trust on Microsoft 365.

Copilot Studio

Microsoft's low-code platform for building custom AI agents connected to Dataverse, SharePoint and business APIs, accessible from Teams or a website.

2025 pricing: US$200/pack/month = 25,000 Copilot Credits, or pay-as-you-go at US$0.01/credit. Typical use cases: HR assistant, Tier 1 IT support, product-catalog FAQ, access to business data without custom development.

Microsoft 365 Copilot

A generative-AI assistant built into Word, Excel, Outlook, Teams and SharePoint that draws on Microsoft Graph to access the organization's data.

Launched in 2023, Microsoft 365 Copilot requires a license at US$30/user/month (annual commitment) on top of a Microsoft 365 E3/E5/Business Premium or Office 365 E1/E3/E5 base. An SMB variant (Copilot Business) is offered at US$21. The tool requires a prior SharePoint oversharing audit to prevent it from surfacing historically overshared content.

Microsoft Defender XDR

XDR

An eXtended Detection and Response platform that automatically correlates endpoint, identity, email and cloud-app signals.

Microsoft Defender XDR brings together Defender for Endpoint, Defender for Identity, Defender for Office 365 and Defender for Cloud Apps. Included in Microsoft 365 E5 and, in lighter versions, in Business Premium. Microsoft analyzes more than 100 trillion signals per day (Digital Defense Report 2025), which feed detection for every customer.

Microsoft Entra ID

Entra ID

Microsoft's cloud identity service (formerly Azure Active Directory) that manages authentication, conditional access and identity governance.

Entra ID includes Conditional Access, MFA, Privileged Identity Management (PIM, P2 license), Identity Protection and SSO federation. It is the cornerstone of the Microsoft security posture: universal MFA combined with blocking legacy authentication via Conditional Access eliminates more than 99% of account compromises, according to Microsoft.

Microsoft Fabric

Microsoft's unified SaaS analytics platform (GA late 2023) combining lakehouse, data warehouse, data science, real-time analytics and Power BI.

Built around a shared OneLake storage (Delta Parquet). Capacity SKUs from F2 to F2048. F8 ≈ US$1,050/month, F16 ≈ US$2,100/month (pay-as-you-go), about 40% off with a 1-year reservation. Copilot for Power BI requires F64+.

Microsoft Purview

Microsoft's data-governance platform: classification, labeling (Sensitivity Labels), data-loss prevention (DLP), lifecycle management.

Purview is the go-to tool for Law 25 compliance on Microsoft 365: it can automatically label personal information, block it from being sent out via DLP policies, and produce the audit reports requested by the CAI. Available in M365 E5 and as an add-on.

Microsoft Sentinel

Microsoft's cloud SIEM, a complement to Defender XDR for organizations with non-Microsoft logs or regulatory long-retention requirements.

Sentinel bills on ingestion (GB/day). For most SMBs, Defender XDR alone is enough; Sentinel becomes relevant when logs from firewalls, IoT/OT devices or in-house applications must be ingested, or when PCI-DSS or ISO 27001 compliance requires it.

Category: Law 25

Article 12.1 - Automated decisions

A Law 25 provision (in force since 22 September 2023) that governs decisions made exclusively by an automated system about a person.

If a decision is made 100% by a system (including Copilot or a Copilot Studio agent) without significant human intervention, the organization must: inform the person, allow them to know the factors involved, and allow them to request human review within 30 days. Typical cases: automated résumé screening, lead scoring, price personalization.

Article 17 - Transfers outside Québec

A Law 25 provision (in force since Sept. 2023) that requires a prior assessment before any transfer of personal information outside Québec.

The assessment covers: the adequacy of legal protection in the destination jurisdiction, contractual measures imposed on the recipient, technical measures (encryption, access controls). Microsoft Azure Canada Central (Toronto) is considered a transfer outside Québec and must therefore be documented.

Commission d'accès à l'information du Québec

CAI

Québec's supervisory authority responsible for enforcing Law 25; it can impose administrative penalties of up to $10M without going through the courts.

Address: 2045 Stanley Street, Suite 900, Montreal QC H3A 2V4. Phone: 1 888 528-7741. Organizations must notify the CAI without delay in the event of a privacy incident presenting a risk of serious injury.

Law 25

Québec law modernizing the protection of personal information in the private sector (CQLR c. P-39.1), phased in over three waves: September 2022, 2023 and 2024.

Formerly Bill 64. It imposes 11 main obligations, including: a designated Privacy Officer, a public privacy policy, PIAs, an incident register, access/rectification/portability rights, assessments for transfers outside Québec, granular consent, and transparency for automated decisions. Administrative penalties up to $10M or 2% of worldwide revenue. Criminal penalties up to $25M or 4%. Private civil remedies since Sept. 2023.

Privacy Impact Assessment

PIA

A mandatory assessment (s. 3.3 Law 25) to carry out before any new project involving personal information — a Copilot rollout, a CRM migration, a new HR application.

The PIA documents: the nature of the project, the types of personal information processed, the purposes, the retention period, security measures, any transfers, residual risks. It must be available to the CAI on request during an inspection.

Privacy Officer

RPRP

A person formally designated by the organization as the guarantor of Law 25 compliance; mandatory since 22 September 2022 (s. 3.1).

By default, the Privacy Officer is the most senior executive. They can delegate to a designated employee but remain accountable. Their name and contact details must be published (usually in the privacy policy). It is the simplest obligation and yet the one most often forgotten by SMBs.

Private civil remedies (art. 93.1)

A Law 25 provision (in force since Sept. 2023) that allows any aggrieved person to sue an organization directly in the civil courts.

Minimum punitive damages of $1,000 per aggrieved person, with no upper cap. Cumulative with the CAI's administrative penalties and penal sanctions. A significant risk for organizations hit by an unmanaged privacy incident.

Right to data portability (art. 27)

A right granted since 22 September 2024 to any person to receive their personal information in a structured, commonly used technological format.

Expected format: JSON, CSV, XML — available within 30 days. The organization may also be required to transfer the information directly to a third party designated by the person, subject to technical feasibility.

Category: Cybersecurity

AiTM (Adversary-in-the-Middle)

AiTM

An attack technique that intercepts post-MFA authentication tokens through a reverse proxy, thereby bypassing traditional MFA.

Sharply on the rise in 2024–2025. Countermeasures: phishing-resistant MFA (FIDO2 keys, Windows Hello), Conditional Access with sign-in risk, Defender for Office 365 anti-AiTM, ITDR monitoring. Microsoft 365 Business Premium already provides the necessary baseline.

DLP (Data Loss Prevention)

DLP

Technical policies that block sensitive data (SIN, bank account numbers, credit cards) from being sent out by email, sharing or printing.

On Microsoft 365, configured in Purview. Typical start: the preconfigured 'Canada Financial Data' policy to block card numbers and bank account numbers. A 30-day 'audit' mode to calibrate false positives before 'block' mode.

EDR (Endpoint Detection and Response)

EDR

A detection-and-response solution on workstations and servers. Microsoft Defender for Endpoint is the go-to EDR for Microsoft organizations.

With EDR in block mode enabled, Defender automatically contains a compromised machine without human intervention. Included in Microsoft 365 Business Premium and E5.

ITDR (Identity Threat Detection and Response)

ITDR

Detection of threats targeting identities: impossible travel, MFA fatigue, abnormal privilege escalation, account compromise.

Covered by Microsoft Defender for Identity (formerly Azure ATP) and Entra ID Identity Protection. Combined with Defender for Endpoint to form Defender XDR.

Managed SOC (MDR)

MDR

Managed Detection and Response: an outsourced 24/7 security-incident monitoring service, with human triage and active containment.

Unlike an EDR alone (which detects without a human), a managed SOC provides analysts who handle alerts 24/7, dismiss false positives and run predefined remediation actions. io4 SOC operates on Microsoft Defender XDR with an average MTTR of ~8 minutes on a critical incident.

Microsoft Secure Score

A Microsoft score from 0 to 100 measuring the cybersecurity posture of a Microsoft 365 organization, which became the benchmark for Canadian cyber-insurers in 2026.

A non-hardened SMB typically starts at around 40/100. With 12 priority settings (such as universal MFA, blocking legacy auth, the Defender for Office 365 preset policies, EDR in block mode and Sensitivity Labels), it reaches 80+ in 30–45 days. Beyond 85, the marginal points cost user friction without real security value.

MTTR / MTTD

Mean Time To Respond (MTTR) and Mean Time To Detect (MTTD): key SOC indicators. The shorter, the better.

Industry: without a managed SOC, a median MTTD of about 204 days and an MTTR of about 73 days for full containment (IBM 2024 report). With Defender XDR + io4 managed SOC: MTTR ~8 minutes on a critical incident thanks to automatic XDR correlation and 24/7 human action.

Category: Québec public sector

AMP (Autorité des marchés publics)

AMP

Autorité des marchés publics: the Québec body that issues authorizations to contract with Québec public bodies.

AMP authorization is mandatory for service contracts of $1M or more and construction contracts of $5M or more. A 3-to-6-month process requiring detailed declarations on ownership, history and structures. Without AMP authorization, a supplier is ineligible for large public contracts.

Bill 96 - Charter of the French Language

Bill 14 (formerly Bill 96), strengthening French-language obligations in Québec since 2022.

For a website: the French version must be at least equivalent in content and accessibility to any other language version. For legal documents (privacy policy, legal notices), the French version prevails. There is no obligation to publish an English version — but if one exists, French must dominate.

Conseil du trésor du Québec

SCT

The Québec secretariat that publishes the general terms applicable to public contracts, which all organizations subject to them must follow.

The SCT's general terms cover: bid security, language compliance (Bill 96), accessibility (WCAG 2.1 AA), data residency, confidentiality clauses. Almost all suppliers sign these terms without modification — negotiations are rare.

SEAO

Système électronique d'appel d'offres: the Québec government's single portal for publishing and submitting public-procurement bids.

All Québec public bodies (ministries, municipalities, state-owned corporations, health/education networks) publish their RFPs on SEAO. Suppliers must submit their response there in the prescribed format with a bid security, a valid Revenu Québec attestation, and — above $1M — AMP authorization.

About this glossary

Maintained by io4 Technologies experts.

Every definition is written by an io4 expert based on field experience and official sources (Microsoft documentation, the Commission d'accès à l'information du Québec, LégisQuébec, the Treasury Board). No AI-generated definitions. The figures cited (penalties, prices, MTTR) are verified annually.
