REDACT LABS/TORONTO · ON
Home/ Industries/ Charities & Nonprofits

A practice for Canadian charities.

A five-tier cybersecurity practice built for the realities of the nonprofit sector. Tight budgets. Donor-data sensitivity. Board oversight. PIPEDA, Quebec Law 25, and PHIPA. We have packaged the work into clear, board-defensible tiers.

Start a Posture Snapshot See the Tiers
Five-tier practice

From posture snapshot to continuous guardian.

Each tier builds on the last. Most charities start with a Tier 0 Posture Snapshot and choose where to go from there.

TIER 0

Posture Snapshot

Fixed-fee

A 1-week posture assessment with board-ready output and a clear remediation roadmap.

  • Identity & access review
  • Endpoint baseline check
  • Email security posture
  • Donor-data flow map
  • Board-ready summary
TIER 1

Stabilisation

Project-based

Urgent fixes addressing the highest-risk findings from the snapshot.

  • MFA rollout
  • Endpoint hardening
  • Identity cleanup
  • Phishing-resistant auth
  • 30-day stabilisation report
TIER 2

Essentials

Monthly retainer

Foundational managed controls and quarterly reporting for ongoing posture.

  • EDR & endpoint management
  • Email & phishing controls
  • Quarterly posture reviews
  • Annual tabletop exercise
  • Direct senior contact
TIER 3

Secure

Monthly retainer

A mature programme with active monitoring and full policy infrastructure.

  • Active monitoring & alerting
  • Vulnerability management
  • Policy library & review
  • Vendor risk reviews
  • Compliance documentation
TIER 4

Guardian

Monthly retainer

Continuous protection with full vCISO leadership and active board engagement.

  • Embedded vCISO
  • 24/7 monitoring & response
  • Quarterly board reporting
  • Annual penetration testing
  • Insurance & audit liaison
Not sure which tier fits

Answer five questions, get a recommendation.

A 90-second interactive tool that maps your size, data sensitivity, and current posture to the right Redact Labs tier. No email required.

Find Your Tier
Compliance posture

Built for Canadian privacy law.

PIPEDA, Quebec Law 25, PHIPA, and CyberSecure Canada are first-class concerns in every tier — not afterthoughts.

FederalPIPEDA
QuebecLaw 25
Ontario HealthPHIPA
NationalCyberSecure Canada
FAQ

Common charity questions.

We are a small charity. Is the Posture Snapshot worth it?

Yes — it is the most common starting point. The snapshot is fixed-fee, takes about a week, and produces a board-ready document. Even charities under 10 staff benefit because it surfaces the 3–5 highest-risk items every team should fix first.

Do you offer charity rates?

Yes. Our charity practice carries adjusted pricing across all tiers, and the Posture Snapshot is intentionally accessible. We are happy to discuss pro-bono or partial-pro-bono engagements for specific causes when our calendar allows.

Can you help us prepare for a funder or auditor cybersecurity review?

Yes. We produce funder-ready documentation as part of Tier 2 and above, and we can liaise directly with funders, auditors, and insurance underwriters on your behalf.

What about Quebec-specific Law 25 obligations?

Law 25 introduces specific obligations around privacy officers, breach notification, and consent. We bake these into engagement scope for charities operating in Quebec, and we provide template documentation as part of Tier 2+.

Do you handle charities operating in multiple provinces?

Yes. Multi-province charities are common in our book of work. We map provincial obligations against your operational footprint and provide a unified posture that satisfies all of them.

Ready when you are

Start with a Posture Snapshot.

A one-week, fixed-fee assessment. Board-ready output. Clear next steps. No commitment beyond the snapshot itself.

Book a Snapshot