HarbourScan

Are your tools sending data outside Canada?

67% of SaaS tools used by Canadian organizations are US-owned and CLOUD Act exposed. Enter your tools. See which fall under foreign jurisdiction, where your compliance gaps are, and what to do about it. What is the CLOUD Act? →

Check Your Stack →

Free · Browser-based · No signup required

767

Tools mapped

Built for Canada

100%

Independent

Example scan output

CLOUD Act

Review

Canadian

Slack

US · CLOUD Act

Salesforce

US · CLOUD Act

Microsoft 365

US · CA res. available

Notion

US · CLOUD Act

Clio

Canadian

⚠ 3 tools require TIAs · 0 documented

Built on the 767-tool Canadian Technology Sovereignty Index

When a regulator, procurement officer, or partner asks “which of your SaaS vendors are subject to foreign jurisdiction?” — most organizations cannot answer. HarbourScan produces that answer in minutes. (Why jurisdiction matters more than data residency →)

As seen in

The Globe and Mail Maclean's OpenCanada The Logic BetaKit

See it. Document it. Fix it.

Start with a free scan. Add compliance reports or consulting when you need them.

Free

Exposure Scan

See your exposure in 10 minutes.

“I need to see what we’re dealing with.” — Enter the tools your organization uses. See which ones fall under foreign jurisdiction, where your compliance gaps are, and what Canadian alternatives exist. Runs entirely in your browser.

What you get

Jurisdictional exposure breakdown by risk level
CLOUD Act exposure count
Tool-by-tool risk classification
Applicable regulatory framework for your province
Total compliance gap count and severity
TIA requirement count (Quebec organizations)

What you’ll know

How exposed your organization is — and how urgently it needs attention
Which tools are under foreign jurisdiction
Whether your province’s regulations require immediate action
The scale of the documentation gap you’re facing

From $99

Compliance Reports

Document your exposure. Meet your legal obligations.

“We need to prove we’ve done the work.” — Canadian organizations are required under Quebec’s Law 25 to complete Transfer Impact Assessments. BC’s FIPPA requires Privacy Impact Assessments. Penalties under Law 25 reach $25 million or 4% of worldwide turnover. Our reports are pre-built with jurisdictional data for each tool.

Available reports

Transfer Impact Assessment (Law 25) — from $99
Privacy Impact Assessment (FIPPA) — from $99
Industry-specific compliance packages
Pre-filled with jurisdictional data from 767-tool database
Immediate delivery — PDF download

When you need this

Law 25 requires written TIAs — not just awareness
Procurement officers ask for compliance documentation
You’re preparing for audit or regulatory review
You need a defensible record without a $20K consulting engagement

Browse Reports — from $99 →

Custom

Consulting & Advisory

When you need more than a report.

“We need someone to scope this properly.” — For organizations that need a full sovereignty assessment, remediation roadmap, vendor migration strategy, or board-ready compliance documentation. We’ll scope it based on your scan results and your regulatory obligations.

What we can help with

Full jurisdictional exposure assessment
Remediation and vendor migration roadmap
Board-ready sovereignty documentation
Regulatory framework mapping (province-specific)
Ongoing sovereignty monitoring

When you need this

Your organization handles sensitive data (legal, health, financial)
You’re responding to an RFP with sovereignty requirements
A regulator or auditor has asked questions you can’t answer yet
You want expert guidance on what to migrate and what to keep

Book a Call → We’ll scope based on your scan results

Frequently asked questions

Is my data stored when I run a HarbourScan?

No. The scan runs entirely in your browser. Nothing is sent to our servers or stored anywhere. You can optionally email yourself a summary of your results, but the scan itself is completely private.

How long does a HarbourScan take?

Most organizations complete the scan in under 10 minutes. You select your tools from a database of 767 mapped SaaS products, and HarbourScan instantly maps each one to its parent jurisdiction and CLOUD Act status.

What do I need to run a scan?

Just a list of the SaaS tools your organization uses. No login, no account, no access to your systems. You select tools from our database and HarbourScan does the rest.

What are the compliance reports?

Transfer Impact Assessment and Privacy Impact Assessment reports, pre-built with jurisdictional data from our 767-tool database. Available from $99 with immediate PDF delivery. Required under Quebec's Law 25 and BC's FIPPA.

When do I need consulting vs a report?

The $99 compliance reports cover standard TIA and PIA documentation. If you need a full sovereignty assessment, remediation roadmap, vendor migration strategy, or board-ready documentation, consulting gives you expert guidance scoped to your specific situation.

Map your stack. Understand your sovereignty exposure.

Most organizations complete the scan in under 10 minutes. No account required. Choose the level of documentation you need after you see your results.

Want to discuss your situation first? Book a call · Compliance reports

Profile

Stack

Results

Step 1 of 3

Tell us about your organization

Most organizations start here when a regulator, partner, or procurement review asks how their SaaS vendors handle data. The initial scan runs entirely in your browser.

Organization Name

Province

Industry

Approximate Headcount

Privacy Officer Designated?

Breach Incident Plan in Place?

Incident Register Maintained?

Step 2 of 3

Select your tools

Search for the SaaS tools your organization uses. We'll map each one to its parent jurisdiction. Add as many as apply.

Selected

Exposed

Review

Non-Exposed

Canadian

Your Results

Sovereignty exposure map

Based on the 0 tools you selected, here's your organization's jurisdictional exposure.

Your Stack — Jurisdictional Exposure

Most organizations discover at least one foreign-controlled SaaS tool processing personal data without documented safeguards. If your organization were asked to produce a defensible processing inventory today — could you?

Get your results by email

We'll send a summary of your scan — jurisdiction breakdown, CLOUD Act exposure, and compliance gaps — within one business day.

No spam. Just your scan results and a note from the founder.

Next steps

Document your exposure

Your scan results are ready to be documented.

Canadian organizations are required under Quebec’s Law 25 to complete Transfer Impact Assessments for any personal data processed by foreign-jurisdiction vendors. Penalties reach $25 million or 4% of worldwide turnover.

Compliance Reports

From $99

→ Transfer Impact Assessment (Law 25)
→ Privacy Impact Assessment (FIPPA)
→ Pre-filled with jurisdictional data
→ Immediate PDF delivery

Browse Reports →

Consulting

Custom

→ Full sovereignty assessment
→ Remediation roadmap
→ Board-ready documentation
→ Ongoing monitoring

Book a Call →

Not sure which you need? The $99 reports cover standard compliance. Consulting is for complex environments.

What's in your HarbourScan Report

1. Compliance Gap Analysis

Every compliance gap in your stack — what’s missing, how serious it is, and which regulation it violates. The list your privacy officer or legal team needs to start fixing things. Your report found 0 gaps.

Critical

2. Register of Processing Activities

The document procurement and legal teams ask for — every tool mapped to its parent entity, jurisdiction, CLOUD Act status, and risk classification. Ready to attach to an RFP response, audit file, or board report.

3. Transfer Impact Assessment (TIA / PIA) Guidance

For any foreign-controlled SaaS in your stack, HarbourScan identifies where a TIA or PIA is likely required based on your province's regulatory framework, and what factors regulators expect you to document. Includes jurisdictional exposure, vendor control analysis, and safeguard considerations. 0 tools in your stack require assessment.

Law 25

4. Prioritized Remediation Plan

Numbered, ranked actions — what to fix first, what can wait, and why. Structured so you can hand it to your team and start working immediately.

5. Regulatory Framework Analysis

Province-specific regulatory requirements mapped to your stack. Which laws apply, what they require, who enforces them, and what the penalties are.

Delivered as a structured HarbourScan report — exportable for legal review, security validation, procurement approval, and audit response.

The full HarbourScan report turns your SaaS stack from an undocumented risk surface into a defensible compliance record.

What comes next

Document your compliance

Canadian organizations are required under Law 25 to complete Transfer Impact Assessments for foreign-jurisdiction vendors.

Self-serve

Compliance Reports

From $99

Immediate PDF delivery

TIA and PIA reports pre-built with jurisdictional data from our 767-tool database. Required under Law 25. Penalties reach $25M or 4% of worldwide turnover.

Browse Reports →

Full service

Consulting & Advisory

Custom

Scoped to your environment

Full sovereignty assessment, remediation roadmap, board-ready documentation, and ongoing monitoring. For complex environments handling sensitive data.

Book a Call →

Need consulting?

Tell us about your environment and we’ll scope the right engagement.

Name

Organization

Province / Jurisdiction

Anything we should know about your environment? (optional)

We’ll review your scan results and reach out within 24 hours.
No obligation until your team confirms the engagement.