Engagements

From exposure mapping to compliance documentation

Upper Harbour's research covers 715 SaaS tools across 32 categories. Our engagements apply that research directly to your organization — producing the jurisdictional assessments, Transfer Impact Assessments, and monitoring infrastructure that compliance requires.

How engagements work

Every engagement starts with the same question: what's in your stack, and where is it jurisdictionally?

01 Scoping call
30 minutes. We understand your stack size, regulatory obligations, and timeline. You get a clear scope and fee estimate.

02 Stack intake
You share your SaaS inventory — or we help you build one. We map every tool against the Sovereignty Index database.

03 Analysis & documentation
We produce jurisdictional assessments, TIAs, and gap analysis. Every finding is documented and sourced.

04 Delivery & briefing
Board-ready report, executive summary, and a walkthrough call. You know exactly where you stand and what to do next.

Three services

Most organizations start with an audit, then document TIAs for exposed tools, then move to ongoing monitoring. Each engagement is scoped independently.

Core Engagement
SaaS Sovereignty Audit

A complete jurisdictional map of your organization's SaaS stack. We identify every tool, trace it to its parent company and country of incorporation, assess CLOUD Act exposure, and produce a board-ready compliance gap report.

Deliverables
  • Full SaaS stack inventory with jurisdictional mapping
  • CLOUD Act exposure assessment for each tool
  • Canadian data residency status verification
  • DPA and contractual safeguards review
  • Compliance gap report with prioritized risk register
  • Executive summary for board or audit committee

What you'll know
  • Which tools in your stack are CLOUD Act exposed
  • Where data residency claims don't equal sovereignty
  • Which tools require Transfer Impact Assessments
  • Where your DPA coverage has gaps
  • What your overall sovereignty posture looks like
  • What to prioritize first
For: Privacy Officers, General Counsel, CIOs, and procurement leads at organizations with 20+ SaaS tools — particularly those subject to Law 25, operating in regulated sectors, or selling into government.

Compliance Documentation
TIA Documentation Package

Law 25 requires a Transfer Impact Assessment for every cross-border SaaS tool processing personal information of Quebec residents. Most organizations need 10–16 and haven't completed one. We produce them — using the methodology from our published TIA template, applied to your specific stack.

Deliverables
  • Individual TIA for each cross-border SaaS tool
  • Jurisdictional analysis of parent company legal framework
  • CLOUD Act exposure assessment per tool
  • Contractual safeguards evaluation (DPAs, SCCs)
  • Residual risk determination with mitigation recommendations
  • CAI-ready documentation format

Why this matters now
  • TIAs have been mandatory since September 2023
  • The CAI processed 277 complaints in 2023–2024
  • First post-Law 25 enforcement order issued Sept 2024
  • Penalties up to $25M or 4% of worldwide turnover
  • Private right of action with $1,000 minimum per violation
  • Class actions are explicitly permitted
For: Quebec organizations — or any organization processing personal information of Quebec residents — that need to document Law 25 compliance for their cross-border SaaS tools. Particularly urgent for healthcare, financial services, legal, education, and government contractors.

Ongoing
Sovereignty Monitoring

Sovereignty isn't static. Vendors get acquired. Corporate structures change. Regulations evolve. New tools enter your stack. We provide quarterly monitoring so your compliance posture stays current — not just accurate on the day it was assessed.

What's included
  • Quarterly sovereignty posture review
  • Acquisition and jurisdiction change alerts
  • New tool assessment as your stack evolves
  • TIA update when vendor circumstances change
  • Regulatory change briefings (Law 25, CPPA, provincial)
  • Annual board-ready sovereignty status report

Why ongoing matters
  • Canadian SaaS companies are acquired regularly — shifting jurisdiction for every client
  • Vendors launch (and retire) Canadian data centre regions
  • The CPPA will change federal requirements when enacted
  • Alberta's PIPA amendments are expected in 2026
  • EU adequacy review of Canada's framework is pending
  • A point-in-time audit goes stale within months
For: Organizations that have completed a sovereignty audit and need to maintain compliance as conditions change. Particularly valuable for regulated enterprises, Crown corporations, universities, and organizations selling into government procurement.

Why Upper Harbour

715-tool database
Every assessment draws on the Canadian Technology Sovereignty Index — the most comprehensive jurisdictional dataset for Canadian SaaS. We don't start from scratch. We start from verified corporate registry data.

Canadian-specific
Built for Law 25, PIPEDA, and Canadian procurement requirements. Not a US GRC platform repurposed for the Canadian market. The analysis accounts for the CLOUD Act, provincial variations, and the regulatory landscape that actually governs your data.

Independent
No vendor affiliations. No paid placements. No commercial relationships with the SaaS tools we assess. Our analysis is independent because our business model doesn't depend on the vendors we're evaluating.

Start with a conversation

Tell us about your stack, your regulatory obligations, and your timeline. We'll tell you exactly what we can do and what it costs.

Not ready for an engagement? Run a free HarbourScan first.