How we classify technology sovereignty.

Upper Harbour’s classification methodology is open, transparent, and designed to be cited. Every classification in the Canadian Technology Sovereignty Index is traceable to public corporate filings, ownership structures, and legal jurisdiction. This framework provides a consistent basis for evaluating SaaS vendors across jurisdictions.

Last updated: March 2026 · Maintained by Joshua van Es

Core Principle

Data residency ≠ data sovereignty. The physical location of the server is irrelevant if the company that operates it can be compelled by a foreign government to hand over data. Data residency is a server configuration. Data sovereignty is a legal and corporate structure question.

Organizations increasingly need to document these classifications when responding to procurement reviews, regulatory inquiries, or data governance audits. This methodology exists so that those classifications are defensible, consistent, and citable.

The four classifications

Every tool in the Canadian Technology Sovereignty Index receives one of four classifications based on the jurisdictional exposure of its ultimate parent entity:

Exposed
US-parented, CLOUD Act applies, no meaningful Canadian data residency.
The parent entity is incorporated in the United States and subject to the CLOUD Act. Canadian data processed through this tool is subject to US legal process regardless of where it is stored. No Canadian data residency option exists that would warrant additional compliance nuance.
Examples: Slack, Notion, Zoom, Dropbox, Figma, GitHub

Review
Jurisdictional exposure exists but requires case-by-case assessment.
US-parented tools with Canadian data residency available (CLOUD Act still applies but residency creates a compliance consideration), UK or Australian tools subject to equivalent compelled disclosure laws, dual-jurisdiction structures, or non-US tools with data hosted primarily on US infrastructure.
Examples: Microsoft 365, AWS, Salesforce, HubSpot, Canva, Atlassian/Jira

Non-Exposed
Foreign-incorporated, no known compelled disclosure mechanism.
The parent entity is incorporated outside the US, UK, and Australia in a jurisdiction without a known compelled disclosure law equivalent to the CLOUD Act. Not CLOUD Act exposed. May still be subject to home jurisdiction data protection laws (e.g., EU GDPR).
Examples: SAP (Germany), Xero (New Zealand), Zoho (India), Typeform (Spain)

Canadian
Canadian-incorporated, no foreign compelled disclosure exposure.
The parent entity is incorporated in Canada with no US parent company in the corporate chain. Subject to Canadian privacy law (PIPEDA, Law 25, provincial legislation) and Canadian courts. Strongest jurisdictional alignment for Canadian organizations.
Examples: Clio, Shopify, 1Password, Hootsuite, Jane App, Cohere

The decision tree

For any tool being classified, we follow this logic:

1. Is the parent entity incorporated in the United States?
   YES → go to 2. NO → go to 3.
2. Is meaningful Canadian data residency available?
   YES → REVIEW. NO → EXPOSED.
3. Is the parent entity incorporated in Canada?
   YES → CANADIAN. NO → go to 4.
4. Is the parent in a compelled disclosure jurisdiction (UK, AU)?
   YES → REVIEW. NO → go to 5.
5. Is data hosted primarily on US infrastructure?
   YES → REVIEW. NO → NON-EXPOSED.

“Meaningful Canadian data residency” means the vendor offers a Canada-region deployment option available on business or enterprise plans. Marketing language about “data staying in Canada” without a specific Canadian region offering does not qualify.

Ownership, investment, and corporate control

Companies are classified based on the jurisdiction of their ultimate corporate parent entity where identifiable — not the nationality of investors, venture capital firms, or minority shareholders.

Foreign venture or private-equity investment alone does not change a company’s classification unless the operating company becomes a subsidiary of a foreign parent corporation. A Canadian-incorporated company with a US growth equity investor remains classified as Canadian-parented, provided the corporate entity itself has not been restructured under a foreign holding company.

Where an acquisition results in the operating company becoming a subsidiary of a foreign parent — as when a Canadian company is acquired by a US, UK, or Australian corporation — the classification changes to reflect the new parent jurisdiction.

This distinction matters because jurisdictional exposure under the CLOUD Act and equivalent statutes hinges on legal control over the service provider, not the nationality of its capital sources.

Compelled disclosure jurisdictions

We currently track three jurisdictions with statutory compelled disclosure powers that can reach data held on behalf of customers regardless of where it is stored:

United States
  Law: CLOUD Act (Clarifying Lawful Overseas Use of Data Act)
  Effective: 2018
  Implication: Applies to all US-incorporated companies. Can compel disclosure regardless of data location.
United Kingdom
  Law: Investigatory Powers Act 2016
  Effective: 2016
  Implication: Broad surveillance powers. Technical capability notices can compel assistance from UK-incorporated entities.
Australia
  Law: Assistance and Access Act 2018
  Effective: 2018
  Implication: Technical assistance requests and notices can compel cooperation from AU-incorporated entities.

We focus specifically on jurisdictions with extraterritorial compelled disclosure powers — laws that can reach data held outside their borders by compelling the corporate entity to produce it. Many countries have domestic surveillance or data access frameworks, but only these three currently have statutory mechanisms that operate extraterritorially against corporate entities. Additional jurisdictions will be added as comparable legislation emerges.

This list is reviewed quarterly and updated when new legislation is enacted. Five Eyes intelligence-sharing agreements create indirect exposure for New Zealand and Canadian entities, but we do not classify these as direct statutory compulsion equivalent to the CLOUD Act.

The six-step classification process

Step 1: Identify the parent entity

For each tool, we trace ownership through subsidiaries, holding companies, and corporate structures to identify the ultimate parent entity and its jurisdiction of incorporation. Sources: corporate registry filings, SEC/SEDAR disclosures, annual reports.

Step 2: Determine legal jurisdiction

We assess which country’s laws govern the entity that controls the data. A Canadian subsidiary of a US parent remains subject to US law. A Delaware-incorporated company headquartered in Toronto is legally a US entity.

Step 3: Assess compelled disclosure exposure

We evaluate whether the provider or any entity in its corporate chain is subject to compelled disclosure laws — the CLOUD Act (US), Investigatory Powers Act (UK), or Assistance and Access Act (AU).

Step 4: Map data residency options

We document whether Canadian data residency is available, whether it’s default or opt-in, and whether residency alone provides meaningful protection given the provider’s jurisdictional status.

Step 5: Classify Canadian control

Our “Canadian-controlled” definition goes beyond headquarters location. The entity must be Canadian-incorporated, majority Canadian-owned (or publicly listed on a Canadian exchange), and have no corporate chain that creates foreign jurisdictional exposure.

Step 6: Assign a Compelled Disclosure Exposure Score

Each tool receives a Compelled Disclosure Exposure (CDE) Score from 0 to 10, derived from nine factors. Each factor is scored 0 (lowest risk), 1 (medium risk), or 2 (highest risk). The nine raw scores are summed (maximum 18) and scaled to a 10-point scale. A higher score indicates greater jurisdictional risk for Canadian organizations.

April 2026 update — Risk Score renamed and expanded

This score was previously called the Risk Score and derived from six factors. We renamed it to Compelled Disclosure Exposure Score to make explicit what it measures: the pathways by which customer data could be compelled from the vendor in practice. Three new factors were added (Hyperscaler Dependency, US Operational Footprint, Documented Challenge Posture) to capture exposure vectors the previous rubric missed. The four-tier classification (Exposed / Review / Non-Exposed / Canadian) is unchanged — tier answers “whose law governs the vendor corporation,” CDE answers “where can the data actually be compelled from.” Scores for the 143 Canadian-tier entries were re-researched with respect to the new factors as part of this update; re-scoring of the Exposed / Review / Non-Exposed tiers is scheduled for a subsequent pass.

Factor scoring (0 = low risk, 1 = medium risk, 2 = high risk):

Vendor Jurisdiction
  0: Canadian-incorporated
  1: Non-US, non-Five Eyes
  2: US / UK / AU incorporated
CLOUD Act direct exposure
  0: Not exposed
  1: Indirect (US subsidiary in chain)
  2: Directly exposed
Data Residency
  0: Canadian default or only option
  1: Canadian available (opt-in)
  2: No Canadian option, or residency claim unverified
Encryption
  0: Customer-managed keys on standard plans; provider cannot decrypt content
  1: Customer-managed keys on premium tiers only, or documented HSM separation
  2: Vendor-managed keys only
Ownership Chain
  0: Canadian-owned, no foreign PE
  1: Non-US-owned (EU PE, minority US VC)
  2: US-owned, US PE majority, or US strategic acquirer
Regulatory Tooling
  0: DPA + SOC 2 / ISO attestations + subprocessor list published
  1: Standard DPA available on request
  2: No DPA, no compliance tooling, no subprocessor disclosure
Hyperscaler Dependency (new)
  0: Self-run Canadian infra, OR hosted with a Canadian infra provider (OVHcloud CA, Bell, TELUS, ThinkOn, eStruxture, Hypertec, Micrologic)
  1: Hyperscaler (Azure / AWS / GCP) used but Canadian region is the only or default deployment
  2: US hyperscaler with no Canadian region commitment, OR hosting stack not publicly documented
US Operational Footprint (new)
  0: No US subsidiary, no US-based staff with documented customer-data access
  1: US subsidiary exists (commercial reasons) but DPA documents customer data is not US-accessible
  2: US subsidiary with customer-data access, or US-domiciled contracting entity, or US support engineers with production access
Documented Challenge Posture (new)
  0: Published transparency report AND documented policy of challenging foreign disclosure requests before compliance
  1: DPA addresses foreign disclosure / subpoena handling but no transparency report or challenge history
  2: No documented policy on foreign disclosure requests

Scoring formula: Raw score = sum of nine factors (0–18). CDE Score = (Raw ÷ 18) × 10, rounded to one decimal.

Why the new factors matter. A research pass over all 143 Canadian-tier entries in April 2026 found that 62% run on US hyperscaler infrastructure (AWS, Azure, or GCP, alone or in a mixed stack) — including many tools whose marketing implies Canadian sovereignty. Only 10.5% run on documented Canadian infrastructure; the remainder don’t publicly disclose their hosting stack. That exposure was invisible under the six-factor rubric. Factor 7 (Hyperscaler Dependency) now captures it.

Worked examples

Dropbox — CDE Score: 8.9 / 10 (tier: Exposed)

Jurisdiction: 2 (US-incorporated) · CLOUD Act: 2 (directly exposed) · Data Residency: 2 (no Canadian option) · Encryption: 2 (vendor-managed only) · Ownership: 2 (US-owned) · Regulatory Tooling: 1 (standard DPA available) · Hyperscaler: 1 (runs on own infrastructure + AWS) · US Footprint: 2 (US parent with full data access) · Challenge Posture: 1 (transparency report published but challenge history mixed)
Raw: 15 / 18 → Formula CDE Score: 8.3 → Published CDE Score: 8.9 (adjusted for category context: Canadian-sovereign file-storage alternatives exist)

HubSpot — CDE Score: 6.2 / 10 (tier: Review)

Jurisdiction: 2 (US-incorporated) · CLOUD Act: 2 (directly exposed) · Data Residency: 1 (Montreal data centre available since Feb 2025) · Encryption: 2 (vendor-managed only) · Ownership: 2 (US-owned) · Regulatory Tooling: 0 (GDPR delete, consent tracking, DPA, subprocessor list) · Hyperscaler: 1 (AWS, Montreal region available) · US Footprint: 2 (US parent, US-based staff) · Challenge Posture: 0 (transparency report + foreign-disclosure policy published)
Raw: 12 / 18 → Formula CDE Score: 6.7 → Published CDE Score: 6.2 (adjusted: Montreal residency + strong compliance tooling)

Clio — CDE Score: 3.1 / 10 (tier: Canadian)

Jurisdiction: 0 (Canadian-incorporated, BC) · CLOUD Act: 0 (no US parent) · Data Residency: 0 (Canadian region on all plans) · Encryption: 1 (customer-managed keys on premium tier only) · Ownership: 1 (US-VC-backed at Series F — not US-owned, but US capital with board rights) · Regulatory Tooling: 0 (full DPA, SOC 2, subprocessor list) · Hyperscaler: 1 (Microsoft Azure, but Canadian region default) · US Footprint: 1 (US sales & support offices; data-access posture unclear) · Challenge Posture: 1 (DPA addresses subpoenas; no public transparency report)
Raw: 5 / 18 → Formula CDE Score: 2.8 → Published CDE Score: 3.1 (adjusted: Azure dependency adds uncaptured exposure, transparency-report gap)

What changed in Clio’s worked example. Under the previous six-factor Risk Score, Clio was 1.2 / 10. Under the nine-factor CDE Score, it moves to 3.1. The tier is still Canadian, because Clio’s corporate structure hasn’t changed, but the score now honestly reflects that Clio runs on Azure and has a US operational footprint that a Transfer Impact Assessment (TIA) should consider. The tier is the headline answer; the CDE Score is the honest picture.

A note on adjustments: The formula produces a raw score, but the final published CDE Score may be adjusted up or down by up to 1.5 points based on category-specific context. Factors that can trigger adjustment include: the availability of Canadian-owned alternatives in the same category, the sensitivity of data typically processed by tools in that category (e.g., legal or health data), the quality and transparency of the vendor’s compliance documentation, and recent changes in the vendor’s ownership or infrastructure. All adjustments are documented in the tool’s individual analysis page.
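To make the decision tree and the scoring formula concrete, the following is an added Python example (not Upper Harbour's own code) that encodes the tree, computes the raw and scaled CDE Score from nine factor values, and enforces the 1.5-point adjustment cap. The factor values are transcribed from the three worked examples above; the adjustment amounts are the differences between each example's formula and published scores, and the "hosted mainly in US" flag for the two US-parented vendors is an assumption, since the tree never reaches that question for a US parent.

```python
from dataclasses import dataclass

# Jurisdictions the page tracks as having extraterritorial compelled-disclosure powers:
# CLOUD Act (US), Investigatory Powers Act 2016 (UK), Assistance and Access Act 2018 (AU).
COMPELLED_DISCLOSURE = {"US", "UK", "AU"}


@dataclass(frozen=True)
class Vendor:
    name: str
    parent_country: str        # jurisdiction of the ultimate parent entity ("US", "CA", "DE", ...)
    canadian_residency: bool   # a specific Canada-region deployment option exists
    hosted_mainly_in_us: bool  # data hosted primarily on US infrastructure
    factors: tuple             # nine factor scores (0, 1 or 2) in the page's table order


def classify_tier(v: Vendor) -> str:
    """Walk the page's decision tree in order; the first matching branch decides the tier."""
    if v.parent_country == "US":
        return "Review" if v.canadian_residency else "Exposed"
    if v.parent_country == "CA":
        return "Canadian"
    if v.parent_country in COMPELLED_DISCLOSURE:  # UK or AU parent
        return "Review"
    return "Review" if v.hosted_mainly_in_us else "Non-Exposed"


def cde_score(factors) -> tuple:
    """Raw = sum of nine 0-2 factors (max 18); CDE = raw / 18 * 10, rounded to one decimal."""
    if len(factors) != 9 or any(f not in (0, 1, 2) for f in factors):
        raise ValueError("expected nine factor scores, each 0, 1 or 2")
    raw = sum(factors)
    return raw, round(raw / 18 * 10, 1)


def published_score(factors, adjustment=0.0) -> float:
    """Apply a documented category adjustment, which the page caps at +/-1.5 points."""
    if abs(adjustment) > 1.5:
        raise ValueError("adjustment exceeds the 1.5-point cap")
    _, score = cde_score(factors)
    return round(min(10.0, max(0.0, score + adjustment)), 1)


# Worked examples from the page: (vendor, adjustment). Adjustments are derived from the
# page's formula vs published scores; hosting flags for US parents are assumptions.
EXAMPLES = {
    "Dropbox": (Vendor("Dropbox", "US", False, True, (2, 2, 2, 2, 2, 1, 1, 2, 1)), 0.6),
    "HubSpot": (Vendor("HubSpot", "US", True, True, (2, 2, 1, 2, 2, 0, 1, 2, 0)), -0.5),
    "Clio": (Vendor("Clio", "CA", True, False, (0, 0, 0, 1, 1, 0, 1, 1, 1)), 0.3),
}


def report(name: str) -> dict:
    """Tier, raw sum, formula score and published score for one worked example."""
    vendor, adjustment = EXAMPLES[name]
    raw, score = cde_score(vendor.factors)
    return {"tier": classify_tier(vendor), "raw": raw, "score": score,
            "published": published_score(vendor.factors, adjustment)}


if __name__ == "__main__":
    for vendor_name in EXAMPLES:
        print(vendor_name, report(vendor_name))
```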

What a Canadian classification does — and does not — guarantee

The tier badge answers a single question: whose law governs the corporate entity that controls the service? It is a jurisdictional-posture badge, not a sovereignty-of-the-data-pipeline badge. Two distinct exposure surfaces live outside it.

What Canadian guarantees

The vendor’s ultimate parent entity is incorporated in Canada, no US parent sits in the corporate chain, and the vendor’s decisions — including how to respond to foreign disclosure requests — are made by an entity that is itself subject to Canadian law (PIPEDA, provincial privacy statutes, Canadian courts). Foreign compelled-disclosure statutes do not reach the vendor corporation directly.

What Canadian does not guarantee

Hyperscaler independence. A Canadian-parented vendor may still run on Microsoft Azure, Amazon Web Services, or Google Cloud. Those providers are US-incorporated and can be compelled under the CLOUD Act to produce data they host — regardless of whether the data sits in a Canadian region. That exposure runs through the hyperscaler, not through the vendor. A green Canadian badge does not automatically mean the hosting stack is Canadian.

US operational footprint. A Canadian-parented vendor may operate US subsidiaries, employ US-based engineers or support staff with database access, or contract with US-domiciled entities for certain customer segments. Each creates a reachable entity or person independent of the parent.

Sub-processor exposure. Most SaaS tools depend on sub-processors (Twilio, SendGrid, Stripe, Segment, etc.) that are themselves US-incorporated. Data flowing through those sub-processors is compellable at the sub-processor, not at the vendor.

The CDE Score (previously the six-factor Risk Score) attempts to capture these secondary exposure vectors on a per-tool basis, but the score and the tier answer different questions. Treat the tier as “whose law governs the vendor.” Treat the CDE Score and the per-tool note as the honest picture of where customer data can actually be compelled from.

Where hosting or operational footprint is known from a vendor’s trust center, DPA, or security documentation, it is documented in the per-tool note. Where it is not publicly documented, the note says so. A privacy officer producing a Transfer Impact Assessment should rely on the per-tool note, not the tier badge alone.

Edge cases and precedents

Canadian company with US VC backing: Classified as Canadian. VC investment does not change the legal jurisdiction of the corporate entity. However, the note field documents the VC structure as a risk factor for future acquisition.

Canadian company on US hyperscaler (Azure, AWS, GCP): Classified as Canadian for tier purposes — the decision tree terminates at the parent-jurisdiction check — but the hyperscaler dependency is an explicit factor in the Risk Score and is called out in the per-tool note. Canadian parent + US hyperscaler is a common posture; the tier badge alone is not sufficient for a TIA.

Canadian company acquired by a US parent: Reclassified immediately to Exposed or Review depending on whether Canadian data residency is maintained.

Dual-headquartered (Canada/US): Classified as Review. If any entity in the corporate chain is US-incorporated, the tool cannot be classified as Canadian.

Non-US company with data on US infrastructure: Classified as Review. Even without a US parent, routing data through US infrastructure creates indirect jurisdictional exposure through the infrastructure provider. (Note the asymmetry with the Canadian-parent case above — Canadian-parented tools on US infrastructure remain Canadian-tier but carry the exposure explicitly in their Risk Score and note. This asymmetry exists because the Canadian parent retains legal control over contracting choice, challenge posture, and future re-architecture in a way a non-Canadian foreign parent typically does not.)

Data sources

Classifications are based on primary research into corporate ownership structures using: provincial and federal corporate registries (Canada), SEC filings (US), SEDAR+ filings (Canada), annual reports, vendor documentation, and publicly reported funding rounds. Each classification includes a note field documenting the specific reasoning and sources.

Update cycle

The index is updated continuously through the Signals pipeline, which monitors for sovereignty-relevant events including acquisitions, reincorporations, new data residency offerings, and regulatory changes. Formal review of all classifications occurs quarterly. Last comprehensive review: March 2026.

How to cite this methodology

This methodology is designed to be cited in procurement documents, compliance reports, Transfer Impact Assessments, and policy analysis. Suggested citation:

Upper Harbour, “Canadian Technology Sovereignty Index: Classification Methodology,” March 2026. Available at: upperharbour.ca/methodology

Apply this framework to your stack

HarbourScan uses this classification framework to assess your specific SaaS environment — free, in your browser.
