Data residency ≠ data sovereignty. The physical location of the server is irrelevant if the company that operates it can be compelled by a foreign government to hand over data. Data residency is a server configuration. Data sovereignty is a legal and corporate structure question.
Organizations increasingly need to document these classifications when responding to procurement reviews, regulatory inquiries, or data governance audits. This methodology exists so that those classifications are defensible, consistent, and citable.
The four classifications
Every tool in the Canadian Technology Sovereignty Index receives one of four classifications based on the jurisdictional exposure of its ultimate parent entity:
The decision tree
For any tool being classified, we follow this logic:
“Meaningful Canadian data residency” means the vendor offers a Canada-region deployment option available on business or enterprise plans. Marketing language about “data staying in Canada” without a specific Canadian region offering does not qualify.
Ownership, investment, and corporate control
Companies are classified based on the jurisdiction of their ultimate corporate parent entity where identifiable — not the nationality of investors, venture capital firms, or minority shareholders.
Foreign venture or private-equity investment alone does not change a company’s classification unless the operating company becomes a subsidiary of a foreign parent corporation. A Canadian-incorporated company with a US growth equity investor remains classified as Canadian-parented, provided the corporate entity itself has not been restructured under a foreign holding company.
Where an acquisition results in the operating company becoming a subsidiary of a foreign parent — as when a Canadian company is acquired by a US, UK, or Australian corporation — the classification changes to reflect the new parent jurisdiction.
This distinction matters because jurisdictional exposure under the CLOUD Act and equivalent statutes hinges on legal control over the service provider, not the nationality of its capital sources.
Compelled disclosure jurisdictions
We currently track three jurisdictions with statutory compelled disclosure powers that can reach data held on behalf of customers regardless of where it is stored:
| Jurisdiction | Law | Effective | Implication |
|---|---|---|---|
| United States | CLOUD Act (Clarifying Lawful Overseas Use of Data Act) | 2018 | Applies to all US-incorporated companies. Can compel disclosure regardless of data location. |
| United Kingdom | Investigatory Powers Act 2016 | 2016 | Broad surveillance powers. Technical capability notices can compel assistance from UK-incorporated entities. |
| Australia | Assistance and Access Act 2018 | 2018 | Technical assistance requests and notices can compel cooperation from AU-incorporated entities. |
We focus specifically on jurisdictions with extraterritorial compelled disclosure powers — laws that can reach data held outside their borders by compelling the corporate entity to produce it. Many countries have domestic surveillance or data access frameworks, but only these three currently have statutory mechanisms that operate extraterritorially against corporate entities. Additional jurisdictions will be added as comparable legislation emerges.
This list is reviewed quarterly and updated when new legislation is enacted. Five Eyes intelligence-sharing agreements create indirect exposure for New Zealand and Canadian entities, but we do not classify these as direct statutory compulsion equivalent to the CLOUD Act.
The six-step classification process
Step 1: Identify the parent entity
For each tool, we trace ownership through subsidiaries, holding companies, and corporate structures to identify the ultimate parent entity and its jurisdiction of incorporation. Sources: corporate registry filings, SEC/SEDAR disclosures, annual reports.
Step 2: Determine legal jurisdiction
We assess which country’s laws govern the entity that controls the data. A Canadian subsidiary of a US parent remains subject to US law. A Delaware-incorporated company headquartered in Toronto is legally a US entity.
Step 3: Assess compelled disclosure exposure
We evaluate whether the provider or any entity in its corporate chain is subject to compelled disclosure laws — the CLOUD Act (US), Investigatory Powers Act (UK), or Assistance and Access Act (AU).
Step 4: Map data residency options
We document whether Canadian data residency is available, whether it’s default or opt-in, and whether residency alone provides meaningful protection given the provider’s jurisdictional status.
Step 5: Classify Canadian control
Our “Canadian-controlled” definition goes beyond headquarters location. The entity must be Canadian-incorporated, majority Canadian-owned (or publicly listed on a Canadian exchange), and have no entity in its corporate chain that creates foreign jurisdictional exposure.
Step 6: Assign a Sovereignty Score
Each tool receives a composite Sovereignty Score (0–100) based on five weighted factors:
The score is designed to be referenced in procurement decisions, compliance audits, and policy analysis. A higher score indicates stronger sovereignty alignment for Canadian organizations.
Sovereignty Scores are illustrative examples based on our methodology. As we formalize the scoring framework, individual tool scores may be refined. The classification tiers (Exposed, Review, Non-Exposed, Canadian) are stable and based on verifiable legal structures.
Edge cases and precedents
Canadian company with US VC backing: Classified as Canadian. VC investment does not change the legal jurisdiction of the corporate entity. However, the note field documents the VC structure as a risk factor for future acquisition.
Canadian company acquired by a US parent: Reclassified immediately to Exposed or Review depending on whether Canadian data residency is maintained.
Dual-headquartered (Canada/US): Classified as Review. If any entity in the corporate chain is US-incorporated, the tool cannot be classified as Canadian.
Non-US company with data on US infrastructure: Classified as Review. Even without a US parent, routing data through US infrastructure creates indirect jurisdictional exposure through the infrastructure provider.
Data sources
Classifications are based on primary research into corporate ownership structures using: provincial and federal corporate registries (Canada), SEC filings (US), SEDAR+ filings (Canada), annual reports, vendor documentation, and publicly reported funding rounds. Each classification includes a note field documenting the specific reasoning and sources.
Update cycle
The index is updated continuously through the Signals pipeline, which monitors for sovereignty-relevant events including acquisitions, reincorporations, new data residency offerings, and regulatory changes. Formal review of all classifications occurs quarterly. Last comprehensive review: March 2026.
How to cite this methodology
This methodology is designed to be cited in procurement documents, compliance reports, Transfer Impact Assessments, and policy analysis. Suggested citation:
Upper Harbour, “Canadian Technology Sovereignty Index: Classification Methodology,” March 2026. Available at: upperharbour.ca/methodology