Canadian organizations rely on software controlled by foreign companies, governed by foreign laws, and subject to foreign data access regimes. Upper Harbour maps every layer of the stack — from infrastructure to the applications your team uses every day.
Powered by the Canadian Technology Sovereignty Index — 715 tools mapped to parent jurisdictions, ownership structures, and CLOUD Act exposure.
“If a legally valid US CLOUD Act order is issued, Microsoft is obligated to comply — regardless of where the data is stored.”
Canadian data residency does not equal Canadian data sovereignty. Data residency is a server configuration. Data sovereignty is a legal and corporate structure question. In our dataset, 88% of tools offering Canadian hosting remain CLOUD Act exposed because their parent companies are US-controlled.
Type a tool your organization uses. We’ll show you the parent company, jurisdiction, and CLOUD Act status.
This checker uses a 20-tool sample only. The full database covers 715 tools. Search the full Sovereignty Index · Run a full HarbourScan
Our methodology is open, transparent, and designed to be cited. Every classification is traceable to public corporate filings, ownership records, and legal structures.
The Upper Harbour Sovereignty Score rates tools on a 0–100 scale based on jurisdiction, ownership, compelled disclosure exposure, data residency, and compliance documentation.
We’re building toward a standard that procurement officers can cite in RFPs, compliance teams can reference in TIAs, and policymakers can use to measure Canada’s technology dependency at scale.
How the score works →Upper Harbour’s research identifies the problem. Our tools help organizations act on it — whether you need a first look, compliance documentation, or continuous monitoring.
Our research is designed to be cited, shared, and built upon. We believe transparency strengthens the entire ecosystem.
The most comprehensive mapping of SaaS and cloud infrastructure tools used by Canadian organizations to their parent jurisdictions, ownership structures, and CLOUD Act status.
Province-by-province analysis of regulatory frameworks, enforcement posture, and the gap between legislative requirements and organizational compliance.
Evaluating federal and provincial policy decisions against sovereignty outcomes — which policies strengthen Canadian control, and which leave gaps.
Mapping the technology procurement decisions of federal and provincial governments — and the jurisdictional exposure those decisions create.
Your SaaS runs on infrastructure. We mapped 25 cloud providers — 7 Canadian sovereign alternatives exist. Most organizations never assess this layer.
Organizations increasingly discover this gap only when a regulator, partner, or procurement review demands documentation — and they don’t have it.
A 2026 Kiteworks survey of Canadian security and compliance professionals found that 23% had already experienced a data sovereignty incident, 56% reported a shortage of compliance expertise, and more than half said their customers now ask about sovereignty practices. (Kiteworks, 2026 Data Sovereignty Report)
“We were quoted $20,000+ from a privacy consultant. The sovereignty audit gave us everything — the jurisdictional map, the TIAs, the full compliance record — for a fraction of the cost.”
Run a free HarbourScan to map your jurisdictional exposure in minutes. Need compliance documentation? Request a scoping call.
Or leave your email and we’ll reach out.
Designed for Canadian organizations. No credit card required.