Case Study Law 25 March 2026

Athena Collective: Law 25 compliance without replacing a single tool

Athena Collective × Upper Harbour

By Joshua van Es, Founder of Upper Harbour

A Canadian startup mapped its entire SaaS stack to parent jurisdictions, identified its CLOUD Act exposure, and produced defensible Law 25 documentation — in weeks, not months.

At a glance
11 SaaS tools assessed
9 TIAs produced
~$20K saved vs. consultants
0 tools replaced

The situation

Athena Collective is a platform for women founders, offering personalized business assessments, a searchable member directory, and community tools. Hundreds of members across Canada share personal information through the platform — skills assessments across 212 areas, profiles searchable by stage, industry, and location, and direct community interactions.

That's a lot of personal data flowing through a SaaS stack. Co-founder Mikayla Stewart had already made a smart infrastructure choice: hosting on DigitalOcean's Toronto region, keeping core application data in Canada. But with Law 25 in effect since September 2023, she needed to document the full jurisdictional picture — not just where data is stored, but who can be legally compelled to produce it.

The alternative was expensive. Privacy consultants typically charge $15,000–$40,000 for a full Law 25 compliance engagement. Individual TIAs from law firms run $2,000–$5,000 per tool — for 9 cross-border tools, that's $18,000–$45,000 in legal fees alone. Doing it internally means 20–30+ hours of research before any documentation gets written.

What the scan revealed

Athena Collective ran a HarbourScan, mapping all 11 tools against Upper Harbour's 715-tool sovereignty database.

Athena Collective — jurisdictional map
DigitalOcean · Cloud infrastructure · US
Auth0 · Authentication · US
Stripe · Payments · US
Resend · Email API · US
Mixpanel · Analytics · US
GitHub · Code repository · US
Google Workspace · Productivity · US
ClickUp · Project management · US
Slack · Communication · US
Sage · Accounting · UK
HubSpot · CRM · US
10 of 11 tools are operated by companies incorporated outside Canada. This is typical — in our database, 63% of commonly used tools are US-parented.
11 tools scanned
4 jurisdictions
9 TIAs produced
1 compliance record

Why DigitalOcean Toronto wasn't enough

Mikayla's choice to host in Toronto keeps core data — databases, file storage, compute — physically in Canada. That's a meaningful starting point.

But DigitalOcean is US-incorporated. Under the CLOUD Act, US law enforcement can compel data production regardless of server location. Canadian residency creates friction, but it doesn't close the legal question. This is exactly the nuance Law 25 documentation captures: here's the residency configuration, here's the jurisdictional reality, and here's the assessed risk.

"We were quoted $20,000+ from a privacy consultant. I looked into doing it myself and realized I'd spend weeks just understanding what a Transfer Impact Assessment needs to include. The sovereignty audit gave us everything — the jurisdictional map, the TIAs, the full compliance record — for a fraction of the cost."
Mikayla Stewart, Co-Founder · Athena Collective

What was delivered

Jurisdictional map: Every tool traced to parent company, incorporation country, and legal frameworks.
Transfer Impact Assessments: TIAs for each cross-border tool, as required by Law 25.
DPA gap analysis: Data Processing Agreement review with remediation plan.
Board-ready compliance record: Single document for regulators, clients, or procurement.

The takeaway

Law 25 doesn't require you to replace your SaaS tools. It requires you to document them.

Athena Collective kept every tool in its stack. What changed was the paper trail — a structured record showing that jurisdictional exposure has been identified, assessed, and documented. That's what compliance looks like in practice.

Looking ahead

The proposed federal Consumer Privacy Protection Act (CPPA) would extend similar documentation requirements nationally. Organizations that document now are building on solid ground.

Common questions

Does Law 25 require me to stop using US SaaS tools?
No. It requires Transfer Impact Assessments and evidence that you've assessed the jurisdictional implications. You can continue using US-parented tools with proper documentation.
Is Canadian data residency enough?
Strong starting point, not a finish line. Residency determines where data is stored. Jurisdiction determines who can legally compel its production. Law 25 requires you to document both.
How long does this take?
HarbourScan takes about 10 minutes. The full sovereignty audit — TIAs, DPA analysis, compliance record — is typically delivered within weeks.

Map your jurisdictional exposure.

Run a free HarbourScan to see where your SaaS tools sit. Need the documentation? Request a scoping call.
