GraphWarden and Loi 25: how the proxy supports your compliance obligations
Quebec's Loi 25 imposes strict obligations on organizations that collect, use, or disclose personal information, including data accessible through Microsoft Graph. GraphWarden acts as a centralized control point to minimize data transmitted, trace every access, and keep Graph authentication credentials inside your own Azure Key Vault. This document maps the key Loi 25 requirements to GraphWarden's technical capabilities, with explicit limits on what GraphWarden does not cover.
Who this document is for
Loi 25 context
Loi 25 — officially the "Act to modernize legislative provisions as regards the protection of personal information" — was passed by Quebec's National Assembly in 2021 (formerly Bill 64). Its provisions came into force in stages from September 2022 to September 2024, with graduated obligations for public bodies and private enterprises operating in Quebec. The law modernizes Quebec's personal information protection regime, aligning it with international standards while preserving specifics of Quebec civil law.
The supervisory authority is the Commission d'accès à l'information du Québec (CAI), which receives complaints, conducts investigations, and publishes guidelines. Key requirements include appointing an access-to-personal-information officer in each organization (Art. 3.1), maintaining a confidentiality incident register (Art. 3.5), minimizing personal information collected and retained (Art. 5), ensuring traceability of disclosures (Art. 8), managing consent (Art. 12–14), the right to data portability (Art. 27), and performing a privacy impact assessment (PIA, known in French as EFVP) before any project involving personal information (Art. 22). Administrative penalties can reach 10 million Canadian dollars or 2 percent of worldwide turnover.
Loi 25 mapping to GraphWarden capabilities
| Loi 25 article | GraphWarden capability | Status | Technical proof |
|---|---|---|---|
| Art. 5 — Personal information minimization | Graph response filtering (Response Filter transforms) | Aligned | Configure a Response Filter in your ruleset to restrict the fields returned by Graph to those strictly needed for the operation. |
| Art. 8 — Traceability and logging | HMAC-authenticated audit log to your SIEM platform | Aligned | Every proxied Graph call is recorded with the app identity, path, HTTP status, and latency. |
| Art. 3.5 — Confidentiality incident register | Scheduled extraction of the audit log | Supported | Periodically export the audit log to your incident register via the HMAC /audit endpoint. |
| Art. 22 — Privacy impact assessment (PIA / EFVP) | Ruleset configuration documented per app identity | Aligned | Each app identity has its versioned YAML ruleset documenting the permitted Graph endpoints — a direct artifact for the PIA. |
Concrete scenario
A Quebec public body operates 12 SaaS applications integrated with Microsoft 365. Without GraphWarden, each application holds full Graph credentials and can query every Graph endpoint authorized on its app registration — including fields that are not strictly necessary for its business use. With GraphWarden: 12 distinct app identities, each with a ruleset restricting endpoints and returned fields. A security incident on one application exposes only that application's ruleset, not the whole tenant. The incident register (Art. 3.5) can pinpoint precisely which identities accessed which endpoints during the exposure window.
Hosting and data residency
Hosted tier: the proxy runtime is in Azure Canada Central; the control plane runs in Canada East (OVHCloud). On-premise tier (Windows Service or Docker): the proxy runs entirely in your infrastructure — no Graph data leaves your environment. For Loi 25 purposes, Canada-based hosting is the gold standard: data stays under Canadian jurisdiction. Graph secrets (client secrets, certificates) never leave your Azure Key Vault: GraphWarden holds only their SHA-256 fingerprint to authenticate calls from your applications.
Limits
GraphWarden supports several Loi 25 obligations but does not cover the entire regime. The following items remain your responsibility.
- GraphWarden does NOT cover consent requirements (Art. 12–14) — those apply to your application, not the proxy.
- GraphWarden does NOT cover data retention and destruction (Art. 23) — your application remains responsible for lifecycles.
- GraphWarden does NOT cover management of data subject rights (Art. 27 and following) — access, rectification, and portability belong to your application.
- GraphWarden does NOT cover explicit consent requirements for automated decision-making (Art. 12.1).
- GraphWarden does NOT perform the PIA on your behalf — the proxy provides technical artifacts (rulesets, audit logs) but the assessment remains your responsibility.
- GraphWarden does NOT replace your designation of an access-to-personal-information officer (Art. 3.1).
Prepare your PIA package with an AI assistant
Prepare a Loi 25 compliance brief
Prepare a Loi 25 compliance brief for my Microsoft 365 tenant using GraphWarden.
I need to deliver to my security committee:
1. Which Loi 25 requirements GraphWarden helps meet (article-by-article mapping)
2. Which requirements stay under my responsibility (not covered by GraphWarden)
3. Which technical artifacts I can extract from GraphWarden for my compliance package
Reference documentation: https://graphwarden.com/llms.txt
Ask me:
- How many Microsoft Graph-integrated applications I have today
- Whether I already have a PIA in progress
- My filing deadline
Reference: llms.txt
Troubleshooting
- The audit log does not show every Graph operation. Verify that the app identity actually routes through the proxy (
Get-MgContextin PowerShell; inspect thebaseUrlin .NET). A call that bypasses the proxy is not logged — see App Identities. - I cannot find the HMAC
/auditendpoint. See Agent API for the HMAC specification and available endpoints. - My PIA asks for data geolocation and GraphWarden does not specify it. See the Hosting section above: in hosted mode the proxy runs in Azure Canada Central and the control plane in Canada East (OVHCloud); in on-premise mode, processing stays entirely inside your infrastructure.
- One of my rulesets is more permissive than Art. 5 requires. Revisit the Response Filter and reduce the returned fields; see Rulesets and Rules.
- How do I produce the incident register in the CAI format? Export the audit log through the HMAC endpoint and filter on
blockverdicts or on the correlation IDs tied to a known incident — see Agent API.
Resources
- For deployment technical details, see On-Premise Windows Installation.
- For credential management, see App Identities.
- For the proxy trust model, see Trust Model.
- Data Processing Agreement (DPA) template — coming in Phase 5b .
Next steps
For a demo tailored to your Loi 25 deployment, contact the GraphWarden team. Review the use cases to see how other organizations subject to Loi 25 have mapped rulesets to their access-officer program. Bring to the session: your list of Graph-integrated applications, your PIA deadline, and the desired audit retention tier (90 days, 1 year, or 7 years).
Last reviewed: