1. The compliance stack a Canadian SaaS faces
A Canadian SaaS selling to commercial businesses through Stripe has to satisfy four overlapping regimes:
- CASL — commercial electronic messages (the marketing emails you send subscribers)
- PIPEDA + provincial privacy — handling of personal info (customer accounts, billing data)
- PCI-DSS — payment card security (handled mostly by Stripe, but you have residual obligations)
- Provincial consumer protection — refund obligations, contract disclosure (varies by province)
Stripe takes care of the heaviest lift on PCI-DSS. The other three are on you. This guide walks through the practical compliance posture for each.
2. Stripe's role
When you integrate Stripe Checkout or Elements, the customer's card number never touches your servers. The browser sends it directly to Stripe, which tokenizes it. You receive a customer ID and the last 4 digits; the full PAN stays inside Stripe's PCI-DSS Level 1 environment.
This is what reduces your PCI obligations to SAQ A (the simplest self-assessment questionnaire). You still need to:
- Use HTTPS everywhere (no exception)
- Not log the card-related fields you do see
- Complete the SAQ A annually (you self-attest; Stripe doesn't audit you)
- Maintain reasonable security on your own backend (where customer IDs live)
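Points two and four above meet in your logging pipeline: the customer ID and last-4 you do hold end up in webhook payloads and support tickets, and the easiest PCI slip is writing them to a log sink. The helper below is an added example (not Stripe's code) that masks the card keys of a Stripe-shaped event and, as defence in depth, any Luhn-valid digit run that a human pasted into free text; the event shape and all values are constructed for the example.

```python
import json
import re

# Card-related keys you receive from Stripe but must not write to logs.
CARD_KEYS = {"last4", "exp_month", "exp_year", "fingerprint", "number", "cvc"}
# Defence in depth: any 13-19 digit run (spaces/dashes allowed) that passes
# the Luhn check is treated as a PAN even if it arrives under an unexpected key.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scrub_text(s: str) -> str:
    """Replace Luhn-valid card-number runs inside free text."""
    def repl(m):
        return "[PAN REDACTED]" if luhn_ok(re.sub(r"[ -]", "", m.group(0))) else m.group(0)
    return PAN_RE.sub(repl, s)

def redact(obj):
    """Deep-copy obj, masking card keys and PAN-like strings at any depth."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in CARD_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj

def safe_log_line(event: dict) -> str:
    """The only form of the event that should reach your log sink."""
    return json.dumps(redact(event), sort_keys=True)

# Constructed sample: shaped like a Stripe webhook event, not a real one.
SAMPLE_EVENT = {
    "id": "evt_example_0001", "type": "payment_method.attached",
    "data": {"object": {
        "id": "pm_example_0001", "customer": "cus_example_0001",
        "card": {"brand": "visa", "last4": "4242", "exp_month": 12,
                 "exp_year": 2030, "fingerprint": "fp_example"},
        "metadata": {"note": "support pasted 4242 4242 4242 4242 into a ticket"},
    }},
}
```

Wire `safe_log_line` in as the formatter for whatever logger handles Stripe events, so the unredacted dict never has a code path to disk.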
3. CASL for SaaS marketing
Every onboarding email, every product-update email, every "we missed you" email is a Commercial Electronic Message under CASL. The compliance requirements:
- Consent. By signing up + clicking the Stripe Checkout link, the customer gives express consent to transactional emails. Marketing emails require a separate consent (a checkbox at signup, or an opt-in in the first welcome email).
- Identification. Every CEM must include your business name and contact info (mailing address plus a phone number or email) that remains valid for at least 60 days after sending.
- Unsubscribe. Working unsubscribe link in every CEM. Process within 10 business days.
- Truthful subject lines. No clickbait or misleading "Re:" prefixes.
Pure transactional emails (invoices, password resets, dispatch notifications) are exempt from the marketing-CEM rules — but only if their primary purpose is transactional, not promotional.
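The four requirements above are easiest to enforce as a gate in the send path rather than as a checklist. The code below is an added example (not Shovel Radar's or Stripe's): it lets transactional mail through, blocks a marketing CEM that lacks express consent, the identification block or an unsubscribe link, flags a "Re:" subject on a marketing message, and computes the 10-business-day opt-out deadline. The consent records, footer format and identification values are constructed; the deadline counts Monday to Friday and ignores statutory holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

@dataclass
class Consent:
    email: str
    express_marketing: bool            # separate marketing opt-in captured at signup
    unsubscribed_on: Optional[date] = None

@dataclass
class Message:
    to: str
    subject: str
    body: str
    purpose: str                       # "transactional" or "marketing"

# Identification block every CEM must carry (values constructed for the example).
IDENTIFICATION = {"business name": "Example Co.",
                  "mailing address": "1 Example St, Calgary AB",
                  "contact": "privacy@example.com"}
UNSUB_RE = re.compile(r"https?://\S+/unsubscribe\S*", re.I)

def casl_violations(msg: Message, consent: Optional[Consent]) -> list:
    """Return the CASL problems that should block sending; an empty list means send."""
    if msg.purpose == "transactional":
        return []                      # exempt from the marketing-CEM rules
    problems = []
    if consent is None or not consent.express_marketing:
        problems.append("no express marketing consent on record")
    elif consent.unsubscribed_on is not None:
        problems.append(f"recipient opted out on {consent.unsubscribed_on}")
    for label, needle in IDENTIFICATION.items():
        if needle not in msg.body:
            problems.append(f"missing {label}")
    if not UNSUB_RE.search(msg.body):
        problems.append("no unsubscribe link")
    if msg.subject.lower().startswith("re:"):
        problems.append("misleading 'Re:' prefix")
    return problems

def unsubscribe_deadline(requested_iso: str) -> str:
    """Last day to honour an opt-out: 10 business days (Mon-Fri; holidays ignored)."""
    d, remaining = date.fromisoformat(requested_iso), 10
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d.isoformat()

# Footer a compliant marketing template would append (constructed).
FOOTER = "\n--\n" + ", ".join(IDENTIFICATION.values()) + "\nUnsubscribe: https://example.com/unsubscribe?u=1"
```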
4. PIPEDA for customer data
Customer signup data (name, email, company, business address) is "business contact information" — largely exempt from PIPEDA's full obligations. Customer billing data (last-4, billing address) is personal info but processed by Stripe; you should reference your reliance on Stripe's privacy posture in your own privacy policy.
You still need:
- A privacy policy on your website (template available at /privacy.html)
- A designated privacy contact (named person + email)
- A process for access requests (30 days max response time)
- A breach-notification process
5. Provincial overrides
For SaaS operations inside Alberta, BC, or Québec, the substantially-similar provincial Act applies:
- Alberta PIPA + BC PIPA: very similar to PIPEDA, slightly stricter on cross-border data transfer disclosure
- Québec Law 25: strict. Requires designated privacy officer, mandatory breach reporting to the CAI, data portability rights, refusal of automated decisions, French language support. Fines up to 4% of worldwide revenue.
If you serve Québec customers, take Law 25 seriously. Add French-language support for privacy requests at minimum.
6. Stripe-specific compliance gotchas
6.1. Strong Customer Authentication (SCA)
EU customers require SCA (3D Secure 2). Stripe handles this automatically if you use Stripe Checkout or the latest Elements. Older custom integrations may need updates.
6.2. Subscription cancellation policy disclosure
Some provinces require recurring-subscription cancellation terms to be disclosed at checkout. Stripe Checkout has a "billing terms" field; use it. Your Terms of Service should also have a cancellation section (template at /terms.html §4).
6.3. Receipt-of-charge requirements
Canadian sales tax registration (GST/HST/QST) is required once you exceed $30K/year in worldwide sales. Stripe Tax can handle the calculation; you need to register with CRA + provincial revenue agencies.
6.4. Cross-border tax
If you serve US, EU, or other foreign customers, you may have local registration obligations (US sales tax nexus, EU VAT, UK VAT). Stripe Tax helps with calculation but doesn't fully solve the registration and filing side.
7. Storage + retention
Customer record retention should be:
- Active subscription period + 24 months for billing/audit records (CRA + provincial tax authorities require 6-year retention for tax records, but customer-identifying info can be archived/anonymized earlier)
- Marketing consent records: kept for the full duration of the relationship + 3 years (CASL evidence)
- Unsubscribe records: kept indefinitely (proves you honoured opt-outs)
8. The Shovel Radar compliance posture
Shovel Radar's full posture is documented at:
- /terms.html — refund policy, cancellation terms, multi-city add-on terms, 7-day trial promo
- /privacy.html — PIPEDA, Alberta PIPA, BC PIPA, Law 25 coverage; full data-source listing
- /.well-known/security.txt — vulnerability reporting contact
The structure is fairly portable — feel free to model your own SaaS docs on the same skeleton.
9. Further reading
- CASL Compliance for Canadian Contractors
- PIPEDA for Trade Sales Teams
- Stripe Security & Compliance Guide