ResearchSovereignty IndexSignalsComplianceMap Your Stack
Signals Tools Research Guides Map Your Stack
Upper Harbour Research · Updated Q1 2026

Independent research on Canadian data sovereignty

We maintain the most comprehensive database of SaaS jurisdictional exposure in Canada. Our research informs compliance strategy, procurement decisions, and policy development.

0
Tools mapped to
parent jurisdictions
across multiple categories
0%
US-parented and
CLOUD Act exposed
0
Canadian provinces &
territories analyzed
regulatory framework mapped
0%
CA-resident tools still
CLOUD Act exposed
residency ≠ sovereignty

Used by Canadian legal, procurement, and compliance teams to assess vendor exposure.

Policy Context

Why this research matters now

Data sovereignty has moved from a technical concern to a national policy priority. Our research provides the empirical foundation that the policy conversation currently lacks.

The Microsoft admission
In June 2025, Microsoft France's director of public and legal affairs testified before the French Senate that if a legally valid US order is issued under the CLOUD Act, Microsoft must comply — regardless of where data is stored. Microsoft subsequently pledged $7.5B to build Canadian AI infrastructure with promises to "defend digital sovereignty." But contractual promises cannot override statutory obligations. Our research quantifies the gap between vendor sovereignty claims and jurisdictional reality: most of the SaaS and cloud infrastructure tools Canadian organizations rely on are operated by companies that cannot guarantee sovereignty under oath.
The sovereign cloud question
Prime Minister Carney announced plans to build a "Canadian sovereign cloud" through the Major Projects Office. Minister Solomon has called digital sovereignty "the most pressing policy and democratic issue of our time." But the policy conversation focuses on infrastructure — servers and data centres. Our research shows the problem sits one layer up: in the SaaS applications running on that infrastructure. A sovereign cloud running US-parented SaaS is not sovereign. The tools in our index represent the application layer that cloud strategy alone doesn't address.
The compliance gap
Quebec's Law 25 has required Transfer Impact Assessments for cross-border data transfers since September 2023. In 2023–2024, the CAI received 277 privacy complaints and 444 confidentiality incident notifications. Yet our analysis suggests the typical Quebec organization using 15–20 SaaS tools needs 10–16 TIAs — and most haven't completed a single one. The proposed federal CPPA would extend similar requirements nationally. The compliance infrastructure doesn't exist yet. That's what we're building.
The ownership question
The Council of Canadian Innovators has called for "buy Canadian" rules in government tech procurement. SHIELD has proposed a Sovereignty Score measuring Canadian ownership and control. Our Sovereignty Acquisition Tracker documents how Canadian SaaS companies are quietly acquired by US-incorporated parents — shifting jurisdictional exposure for every Canadian client. Only a small fraction of the tools in our index are Canadian-headquartered. Without tracking corporate ownership changes, sovereignty assessments go stale the moment an acquisition closes.
The Sovereignty Index · by Category
SaaS categories have
zero Canadian options

767 tools mapped to parent jurisdictions. Here's what the data shows when you break it down by category — and where no sovereign option exists at all.

No Canadian option
Some Canadian options
Strong Canadian presence
Search individual tools in the Sovereignty Index Browse all 767 tools →
◆ Flagship Research Paper · Updated Q1 2026

Canadian Technology Sovereignty Index: The Full Methodology & Findings

The complete written analysis behind the interactive data above. How we traced 767 tools through corporate registries and SEC filings, what the jurisdictional mapping reveals about Canadian digital infrastructure, and why data residency doesn't mean data sovereignty.

Read the full research paper →
Jurisdictional breakdown
US-parented
Other foreign
Canadian
New Research
Cloud Infrastructure Sovereignty: Who Actually Controls Your Stack?
Your SaaS tools run on infrastructure. We mapped 25 cloud providers to their parent jurisdictions. 7 Canadian sovereign alternatives exist.
25providers
7Canadian
5exposed
Research Projects

Active investigations

Original research across four dimensions of Canadian data sovereignty — each producing data and analysis not available anywhere else.

🏛
New
Government SaaS Stack Audit
Using publicly available procurement records, we mapped the SaaS and infrastructure tools used by Canadian federal departments and provincial governments — then assessed their sovereignty exposure. The results show significant CLOUD Act exposure at every level of government.
Scope Federal + 4 provinces
Tools identified 45+
Read the audit →
🗺
New
Provincial Exposure Index
A province-by-province analysis of data sovereignty regulatory frameworks, enforcement capacity, penalty exposure, and compliance gaps. From Quebec's Law 25 to BC's FIPPA to Alberta's PIPA — mapped and compared for the first time in one place.
Coverage 13 provinces & territories
Frameworks 8 provincial laws
View the index →
🔄
Ongoing
Sovereignty Acquisition Tracker
When a Canadian SaaS company is acquired by a foreign parent, every client's data sovereignty changes — often without notice. We track acquisitions that shift jurisdictional exposure, so organizations know when their compliance posture has silently changed.
Tracking since 2024
Format Running log
View the tracker →
📊
New
Data Sovereignty Policy Scorecard
We graded the federal government and every province on data sovereignty readiness across six transparent dimensions: legislation strength, enforcement capacity, procurement sovereignty, cross-border transfer controls, CLOUD Act awareness, and penalty structure. Quebec scores 82. Ontario scores 18. The federal government fails.
Coverage Federal + all provinces
Updated Quarterly
View the scorecard →
About the Researcher

Upper Harbour's research is conducted by Joshua van Es, who has a background in corporate law and policy research. His work on data sovereignty and Canadian AI infrastructure has been published in The Globe and Mail, Maclean's, OpenCanada, The Logic, and BetaKit.

He previously contributed to Landscapes of Injustice, a SSHRC-funded research collaboration across Canadian universities, and authored a chapter published by McGill-Queen's University Press.

Methodology
01
Primary research
Every tool in our database is traced through corporate registries, SEC filings, vendor documentation, and subsidiary disclosure. We verify parent company jurisdiction — not brand claims.
02
Independent analysis
Upper Harbour has no commercial relationships with the SaaS vendors in our database. Our assessments are independent. We don't sell vendor listings or accept paid placements.
03
Quarterly updates
Corporate structures change. Acquisitions happen. Vendors launch new regions. Our database is updated quarterly to reflect jurisdictional reality as it stands — not as it stood last year.

Full scoring methodology and rubric →

Assessment Tool

Apply the research to your stack

HarbourScan uses our sovereignty database to map your organization's specific jurisdictional exposure — free, browser-based, in about 10 minutes.

Map Your Stack →