TGV Certification Support (Quebec Health Network)

Your entry point to Quebec's health sector. Without the detours.

For technology product and service (PST) vendors required to certify with the Bureau de certification of MSSS / Santé Québec.

TGV certification support (Trousse globale de vérification — Global Verification Kit) is a structured engagement that takes your technology product or service from self-declaration through to the conformity attestation issued by the Bureau de certification et d'homologation (BCH) of MSSS / Santé Québec. Factero leads the vendor-side process: reading and prioritizing the criteria (254 at the time of writing) across 4 domains (security, privacy, performance, technology), preparing documentation, implementing missing controls, coordinating the penetration test, pre-submission review, and support through the external verification firm's assessment (30 business days). The TGV evolves regularly — Factero actively monitors MSSS work and anticipates future versions so the frameworks we build with clients hold up over time. We prepare — we don't certify. The certification is issued exclusively by the BCH, following independent verification. Engagement led by a CISA-certified principal associate, with LPRPSP (Law 25), LADOPPRP, the MSSS User Identification Normative Framework, and NIST-CSF as supporting frameworks.

Who is it for?

Software vendors, SaaS providers, and integrators whose product needs to interact with the information assets of Quebec's health and social services network (SSSS).

Companies that have received a certification request from a client institution (CIUSSS, CISSS, GMF, Santé Québec) and have never been through the TGV process.

International or out-of-province vendors whose product is already used elsewhere, but who discover that Quebec's health market requires a specific certification not recognized as equivalent.

Companies in the certification process who have received a verification report with non-conformities to correct within defined timelines.

Already-TGV-certified vendors preparing their annual self-declaration renewal or 5-year recertification and wanting to ensure nothing has drifted since.

Vendors of AI scribes, transcription tools, and AI solutions targeting the health and social services sector, where TGV is now a prerequisite combined with a Privacy Impact Assessment.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A Quebec health institution has added your product to its list but cannot deploy until TGV certification is obtained.
  • You've downloaded the kit (254 criteria, over 100 regulatory references) and realized the gap between what you do and what MSSS requires calls for a structured approach, not a line-by-line reading.
  • You're already compliant with Law 25 or GDPR — and you want to know precisely what TGV adds (answer: a lot, because TGV is a sector-specific framework with requirements unique to the Quebec health network).
  • Your product has been rejected or received non-conformities in the verification report, and you need to correct them quickly without putting the contract at risk.
  • You're a vendor of AI scribes, voice transcription, or generative AI looking for the certification that opens the doors of public institutions and family medicine groups.
  • You need a penetration test aligned with MSSS orientations, coordinated with the right vendors, delivered with the evidence required by the Bureau de certification.
  • Your product is evolving and you're not sure whether a change triggers a new verification or whether a self-declaration update is enough.
  • You've received a request from the Bureau de certification and want to frame the relationship before committing — not after.

What will you receive?

A complete gap analysis between your current product and the 254 TGV criteria, prioritized by domain (security, privacy, performance, technology) and by required effort.

A realistic estimate of the timeline, total cost (Factero fees + verification firm fees + any technical investments), and burden on your internal teams — before you commit.

The policies, procedures, and evidence required by the self-declaration, drafted or adapted to your reality — not a pile of generic templates that won't survive verification.

Coordination of the penetration test per MSSS orientations: scope framing, vendor selection if you don't have one, transmission of results and mitigation measures to the Bureau de certification within required timelines.

Implementation of missing technical controls (MFA, encryption, logging, access management, tested backups, etc.) with your product and IT teams.

A submission-ready verification file: structure expected by the BCH, evidence organized by criterion, clear mapping between each criterion and supporting proof.

Active support during the external firm's verification (30 business days): responding to clarification requests, managing any non-conformities, preparing your teams for interviews.

A 5-year maintenance plan: preparation of the annual self-declaration, tracking of product and regulatory changes, preparation of recertification.

Not a good fit?

  • TGV certification is a demanding engagement — detailed reading of the standard, technical implementation, independent verification by an external firm, penetration testing, evidence for every criterion. It requires an internal owner (typically the CTO, product lead, or security lead) with a clear mandate to mobilize your development, infrastructure, and compliance teams. Without that anchor, even the best external support can't carry through.
  • If your product is not intended to interact with SSSS information assets — for example a tool sold to a private practice that exchanges no data with network systems — TGV is likely not required. We verify together during the discovery call before you invest.
  • If your client is asking for "a security certification" without specifying which one, ISO 27001 or CAN/DGSI 104 may be sufficient — TGV is a product certification in a specific sector, not a general organizational certification. We clarify before committing to the wrong target.
  • If you're at a very early stage — product in beta, no health contract yet — it may be wiser to pursue an independent Factero audit or prepare for ISO 27001 / CAN/DGSI 104 as a foundation, then tackle TGV when a concrete contract appears.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping and registration
We start with a shared reading of your context: which product, which version, which institutions targeted, which data flows with SSSS systems, what's your current maturity on security and privacy. This is also the step where we complete the certification request form with the Bureau de certification and confirm your product's interoperability objectives — a choice that influences the scope of verification.
Gap analysis on 254 criteria
We map your product against the 254 TGV criteria, across 7 groups (General, Interoperability, Privacy/PRPS, Performance, Security, Technology) and 36 categories. We identify what's already in place and documentable, what needs adjustment, and what requires real work. Deliverable: a gap report prioritized by effort and risk, with a realistic timeline estimate.
Self-declaration and implementation
We draft the policies, procedures, and evidence expected — at the level of detail required by the BCH, not the level of a sales pitch. In parallel, we implement missing technical controls with your teams: MFA, encryption in transit and at rest, logging, access management, tested backups, incident management, etc. The NIST-CSF framework structures prioritization by actual risk.
Penetration test
We coordinate the penetration test per MSSS orientations. If you already have a provider, we frame the scope with them. Otherwise, we connect you with qualified firms: the recommendation follows your needs, and any referral arrangement is disclosed, per our Charter of Independence. Results and mitigation measures are transmitted to the BCH alongside the self-declaration.
Submission and verification
We submit the file to the Bureau de certification. The external firm's verification takes 30 business days. We actively support you during this period: translating the firm's requests into concrete actions for your teams, preparing for interviews, managing any non-conformities and correction plans within the required timelines.
5-year maintenance
The certification is valid for 5 years, renewable annually via self-declaration attesting that commitments are upheld and nothing material has changed. We remain available to prepare each annual self-declaration, document product changes, and prepare the 5-year recertification — without locking you into a recurring contract.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
How long does it really take?
The honest answer depends on your starting maturity — 3 to 9 months is realistic for most vendors. Per MSSS documentation, preparation for the verification stage typically takes 1 to 6 weeks, followed by 30 business days of verification by the external firm. Those timelines assume your product is already largely aligned with requirements and you simply need to document, formalize, and provide evidence. In reality, the initial gap is often bigger: missing technical controls to implement, policies that don't exist, coordination of a first penetration test, sometimes architectural adjustments. At Factero, we don't promise "3 months" in the sales call: we give a realistic estimate from the gap analysis onward, based on your product as it is, not as we'd like it to be. (Source: MSSS, "About certification.")
What does it cost — and what's not included?
Factero's engagement covers the full preparation — gap analysis, self-declaration drafting, control implementation, penetration test coordination, support through verification, maintenance. Costs not included and paid directly by you: external verification firm fees mandated by the BCH, the penetration test (a few thousand to several tens of thousands of dollars depending on product complexity), and any technical investments identified during the engagement. MSSS is explicit: certification costs are borne by the vendor and are not refundable — and they vary based on product complexity and interoperability objectives. We provide a full estimate of all three from the gap analysis onward. (Source: MSSS, "About certification.")
We're already Law 25 / GDPR / ISO 27001 compliant. Is that enough?
No — none of these certifications replaces TGV. TGV is a Quebec sector-specific framework with requirements unique to the health network: some are technical (interoperability with network systems, measurable performance, French-language support), others are regulatory and health-specific (LADOPPRP, User Identification Normative Framework, requirements on data residency). That said, solid Law 25 or ISO 27001 foundations significantly accelerate the process: privacy requirements overlap substantially, security governance is already in place, and existing documentation is often reusable with adaptation. The gap analysis identifies precisely what transfers as-is, what needs rewording, and what remains to be built.
What's in the 254 criteria?
The criteria span 4 major domains: security, privacy (PRP), performance, and technology. Concretely, the list covers 7 groups and 36 categories, including: Accountability and privacy governance, Consent, Lawfulness and purpose specification, Collection minimization and limitation, Data accuracy and quality, Use and disclosure limitation, Retention limitation, Openness and transparency, Individual participation, Security organization, HR security, Asset management, Access control, Cryptography, Physical security, Operational security, Communications security, Acquisition and development, Supplier relationships, Incident management, Continuity, Compliance management, User identification, Data residency, Interoperability, Performance. Each criterion maps to a reference: LPRPSP (Law 25), LADOPPRP, User Identification Normative Framework, and other MSSS orientations. (Source: TGV Criteria List, version June 18, 2024, MSSS.)
Does certification cover our whole company or just the product?
TGV certifies a specific version of a product or technology service — not the company as a whole. If you have three products that need to interact with SSSS systems, each must be certified separately. If you release a major version that changes architecture, data flows, or security posture, a new verification is typically required — a self-declaration update isn't enough. This is an important difference from ISO 27001, which certifies your management system (ISMS). For a vendor serving Quebec's health sector, it's not uncommon to run both processes in parallel: ISO 27001 for broad commercial credibility, TGV for actual sector authorization. Factero can run both in parallel, reusing common documentation — we discuss this at the gap analysis.
Our MSP already manages our infrastructure. Can they also drive our TGV process?
Your MSP is a key player in technical implementation — but driving the TGV process is a separate role, and the external verification will pay attention to it. TGV is verified by an external specialized firm mandated by the Bureau de certification; this firm has an explicit mandate to validate independence between documented practices and the actors operating them. If your MSP drafts policies, implements controls, and is responsible for enforcing them daily, the verification firm will ask hard questions. Factero has no commercial ties to your MSP or any technology vendor: we structure the process, document reality, and let your MSP do what they do well — operations. We work with them, not in their place, exactly as in an independent audit.
What happens if we have non-conformities in the verification report?
Non-conformities are a normal stage — few products pass on the first try with no comments. The external firm documents gaps against the criteria; you have a formal deadline to correct them or implement mitigation measures. Per MSSS documentation, these corrections must be delivered within a maximum timeframe, with evidence. If non-conformities are numerous or structural, the impact on timeline and budget can be significant — which is exactly why internal review before submission is worth the investment. Factero supports you through every step of correction: prioritization, team coordination, resubmission to the BCH. If non-conformities stem from deep architectural decisions, we'll tell you clearly rather than pushing cosmetic mitigation that won't survive recertification.
How long is the certification valid?
The certification is valid for 5 years but must be renewed annually via self-declaration. The self-declaration attests that commitments made during initial certification are still upheld and nothing material has changed. It's valid as long as there's no change — neither in your product nor in the SSSS information systems. If you release a major version, if your architecture changes, or if MSSS updates the criteria kit, a new verification may be triggered before the 5 years are up. Factero tracks these developments for you, without charging for every email along the way. (Source: MSSS, "About certification.")
Is TGV mandatory to sell to Quebec's health sector?
Yes — as soon as your product is intended to interact with SSSS information assets. Per the management framework published by MSSS, any version of an application intended to interact with SSSS information assets must be officially certified or homologated and receive a unique identification code. In other words, without certification, your product cannot be deployed in an institution connected to the network. Progressive rollout of the obligation follows MSSS priorities, but the trajectory is clear: certification is becoming a structural prerequisite for the Quebec health and social services market. It's a real market barrier — which also protects your investment once crossed. (Source: Certification and Homologation Management Framework, MSSS.)
We're developing an AI scribe or transcription tool. Are there specifics?
Yes — and they've intensified in 2025-2026. For AI scribes, voice transcription tools, and AI solutions targeting the health and social services sector, TGV is now a prerequisite combined with a Privacy Impact Assessment (PIA). Santé Québec has set up a provincial committee that performs the PIA for certain TGV-certified tools for institutional use, but the PIA remains to be performed by each acquiring organization outside institutions (for example in family medicine groups). For you as a vendor, this means: your product must pass TGV and provide the documentation that allows an institution or Santé Québec to perform the PIA on their side. Factero prepares both sets of evidence in parallel. (Source: quebec.ca, AI transcription program, updated March 2026.)
What methodology do you use?
Factero uses the official TGV criteria list (in-force version published by MSSS) as the target, complemented by the NIST Cybersecurity Framework (NIST-CSF) to structure risk assessment and prioritize recommendations. Regulatory frameworks mobilized based on the criteria involved: LPRPSP (Law 25), LADOPPRP, User Identification Normative Framework (CN-GIU) from MSSS, and specific Bureau de certification orientations (notably on penetration testing). The principal associate holds the CISA certification (Certified Information Systems Auditor) from ISACA — the international reference in information systems auditing. The approach is adapted to each product's size and complexity: we don't prepare a critical transactional application the way we prepare a local transcription tool.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — source code, architecture documentation, pentest results, product strategy — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to the Bureau de certification and the verification firm are transmitted under your control and with your approval. This standard applies across all our engagements, without exception.
Does this commit us to ongoing work?
No. The engagement ends naturally with certification. For maintenance — annual self-declaration, regulatory change monitoring, 5-year recertification preparation — some organizations prefer to keep us on a light cadence. Others internalize after the first cycle. Our Charter of Independence prohibits artificial dependency: we never recommend follow-up you don't need. If your team can take over after the first certification, that's a good outcome.
Why Factero for this engagement — what sets you apart?
Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
  • The firm itself is certified: Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.
  • Incorporated and established since 2022: Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
  • Complete team and operational continuity: Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A certification engagement extends over 6 to 18 months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
  • Professional liability and cyber insurance: Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
  • Written and public independence: Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
  • Public procurement registration: Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.