What is data sovereignty in Canada?

Data sovereignty in Canada refers to the principle that Canadian data should be subject exclusively to Canadian law. It is determined not by where data is physically stored (data residency), but by the legal jurisdiction of the entity that controls the platform. If a SaaS tool is operated by a US-incorporated parent company, Canadian data processed through that tool may be subject to US legal process under the CLOUD Act, regardless of where the data is physically stored. Upper Harbour's analysis of 743 commonly-used tools found that 63% are parented in the United States, making them subject to the CLOUD Act.

What is the CLOUD Act and how does it affect Canadian organizations?

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) is a US federal law enacted in 2018 that allows US law enforcement to compel US-incorporated technology companies to produce data in their possession, regardless of where that data is physically stored. For Canadian organizations, this means data processed through US-parented SaaS tools — even with Canadian data residency configured — can be accessed by US authorities under legal process. According to Upper Harbour's Canadian Technology Sovereignty Index, a typical Canadian organization using 15-20 SaaS tools will find that 60-80% of their stack falls under US jurisdiction through the CLOUD Act.

What is Law 25 in Quebec?

Law 25, formally the Act to modernize legislative provisions as regards the protection of personal information, is Quebec's provincial privacy law. It is the strictest privacy law in Canada, comparable to the EU's GDPR. Law 25 requires organizations to conduct Transfer Impact Assessments (TIAs) before communicating personal information outside Quebec, designate and publish a Privacy Officer, maintain an incident register for at least 5 years, and obtain express opt-in consent for data collection. Maximum penalties under Law 25 are $25 million or 4% of global turnover. Law 25 also provides a private right of action with minimum damages of $1,000 per violation.

What is the difference between data residency and data sovereignty?

Data residency refers to the physical location where data is stored. Data sovereignty refers to which country's laws govern the data. A SaaS tool can offer Canadian data residency (servers in Canada) while the parent company remains subject to US jurisdiction through the CLOUD Act. Upper Harbour's research found that of the 743 tools in its Canadian Technology Sovereignty Index, 83% of non-Canadian tools offering Canadian data residency are still CLOUD Act exposed because their parent companies are US-incorporated. Data residency is a geographic configuration; data sovereignty is a legal and corporate structure question.

What is a Transfer Impact Assessment under Law 25?

A Transfer Impact Assessment (TIA) is a documented evaluation required under Quebec's Law 25 before personal information can be communicated outside Quebec. The TIA must evaluate the sensitivity of the information being transferred, the purposes of the transfer, the legal framework of the receiving jurisdiction (including CLOUD Act exposure for US-bound transfers), and the contractual and technical safeguards in place. This requirement has been in effect since September 22, 2023. Upper Harbour's HarbourScan assessment tool automates the jurisdictional mapping needed to begin TIA documentation.

How many SaaS tools are CLOUD Act exposed?

According to Upper Harbour's Canadian Technology Sovereignty Index, which maps 743 commonly-used tools across 32 categories, 63% (approximately 448 tools) are parented in the United States and therefore subject to the CLOUD Act. A typical Canadian organization using 15-20 SaaS tools will find that 60-80% of their stack is CLOUD Act exposed. Categories with the highest US-jurisdiction concentration include communication (91% US-parented), CRM (69% US-parented), and cloud infrastructure (52% US-parented — though 7 Canadian sovereign alternatives now exist). Categories with more Canadian-headquartered alternatives include legal practice management and healthcare.

What is PIPEDA and how does it compare to Law 25?

PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law for private-sector organizations. Law 25 is Quebec's provincial privacy law. Law 25 is significantly stricter than PIPEDA in several areas: it requires express opt-in consent (vs. PIPEDA's implied consent in many contexts), mandatory Transfer Impact Assessments for cross-border data transfers (PIPEDA has no formal TIA requirement), maximum penalties of $25 million or 4% of global turnover (vs. PIPEDA's $100,000 per violation), and a private right of action with minimum $1,000 damages (PIPEDA has no private right of action). The proposed federal Consumer Privacy Protection Act (CPPA) would bring federal law closer to Law 25's standards.

What percentage of SaaS tools used in Canada are actually Canadian-owned?

Only 17% of the 743 tools in Upper Harbour's Canadian Technology Sovereignty Index are Canadian-owned — meaning Canadian-headquartered, majority Canadian ownership, and no foreign parent company. Another 12% require review — Canadian-headquartered with foreign backing, or US-parented with Canadian residency available. 17% are non-US foreign vendors not subject to the CLOUD Act. The remaining 54% are CLOUD Act exposed. This means that a 'buy Canadian' policy applied to SaaS procurement would disqualify roughly 83% of the tools Canadian organizations currently rely on. Categories with the highest Canadian ownership include legal practice management and healthcare.

HarbourScan is a free, browser-based SaaS compliance assessment tool built by Upper Harbour. It maps an organization's SaaS tools to their parent jurisdictions, flags CLOUD Act exposure, identifies missing Transfer Impact Assessments and Data Processing Agreements, and generates a compliance gap report. HarbourScan draws on Upper Harbour's database of 743 mapped tools across 32 categories. The assessment takes approximately 10 minutes and runs entirely in the browser — no data is stored or transmitted. HarbourScan was created by Joshua van Es, founder of Upper Harbour, to provide Canadian organizations with an accessible entry point for Law 25 and PIPEDA compliance.

Who is Joshua van Es?

Joshua van Es is the founder of Upper Harbour, a Canadian technology sovereignty research platform focused on jurisdictional mapping and data sovereignty. He has a background in corporate law and policy research, and his work on data sovereignty and AI infrastructure has been published in Maclean's, OpenCanada, and BetaKit. He created the Canadian Technology Sovereignty Index, which maps 743 tools to their parent jurisdictions, and HarbourScan, a free assessment tool for Law 25 and PIPEDA compliance. Van Es previously contributed to Landscapes of Injustice, a SSHRC-funded research collaboration across Canadian universities, and authored a chapter published by McGill-Queen's University Press.

What are the penalties for non-compliance with Law 25?

Law 25 penalties include administrative monetary penalties of up to $10 million or 2% of global turnover, penal fines of up to $25 million or 4% of global turnover for severe violations, and civil damages with a minimum of $1,000 per violation through private right of action. Class actions are explicitly permitted under Law 25. The Commission d'accès à l'information du Québec (CAI) is the enforcement body. Law 25's penalty structure is modelled on the EU's GDPR and represents a significant increase over PIPEDA's maximum of $100,000 per violation.

Does Canadian data residency protect against the CLOUD Act?

No. Canadian data residency means data is stored on servers physically located in Canada. However, if the SaaS vendor's parent company is US-incorporated, the data remains subject to the CLOUD Act regardless of where it is physically stored. A US court order can compel a US-headquartered company to produce data stored in Canadian data centres. In June 2025, Microsoft France's director of public and legal affairs confirmed under oath before the French Senate that if a legally valid US order is issued, Microsoft is obligated to comply regardless of where data is stored. According to Upper Harbour's analysis, 95% of non-Canadian SaaS tools that offer Canadian data residency are still CLOUD Act exposed because their parent companies are US-incorporated. To achieve true data sovereignty, organizations need Canadian-headquartered vendors — not just Canadian-hosted infrastructure.

What SaaS tools offer Canadian data residency?

Major SaaS tools offering Canadian data residency include Microsoft 365 (most business plans), Salesforce (via Hyperforce Canada region), AWS (ca-central-1 Montreal, ca-west-1 Calgary), Azure (Canada Central Toronto, Canada East Quebec City), and Google Cloud (Montreal and Toronto regions). Slack and Google Workspace offer partial Canadian residency on enterprise plans. Canadian-headquartered alternatives that provide both residency and sovereignty include Clio (legal practice management), FreshBooks and Wave (accounting), Jane App (healthcare), and TELUS Health. Upper Harbour's Canadian Technology Sovereignty Index tracks residency and sovereignty status across 743 SaaS and cloud infrastructure tools in 32 categories.

Canadian Technology Sovereignty Index 2026 — Jurisdictional Data for 715 Tools

Key findings

The Canadian Technology Sovereignty Index is Upper Harbour's proprietary research database covering 715 tools across 32 categories commonly used by Canadian organizations. Each tool has been mapped to its parent company, country of incorporation, CLOUD Act exposure status, and Canadian data residency availability.

715

tools mapped

63%

US-parented (CLOUD Act exposed)

89%

With CA residency still CLOUD Act exposed

18%

Canadian-owned

Of the 715 tools in the index, approximately 448 (63%) are parented in the United States and subject to the CLOUD Act. Among the tools that offer Canadian data residency as an option, 88% are still CLOUD Act exposed because their parent companies are US-incorporated. Only 18% of tools in the index are Canadian-headquartered, offering both data residency and data sovereignty.

Jurisdiction breakdown by category

CLOUD Act exposure varies significantly by SaaS category. Categories dominated by US vendors present the highest jurisdictional risk for Canadian organizations under Law 25:

SaaS Category	Tools	US-Parented	Canadian-HQ	Other

Legal practice management and healthcare are the only categories where Canadian-headquartered alternatives represent a meaningful share of the market. In every other category, US-parented vendors dominate, meaning the majority of a typical Canadian organization's SaaS stack is CLOUD Act exposed.

Sample data: 50 of 715 tools

The following table shows a representative sample of tools from the index. Search the full dataset or run HarbourScan to map your specific stack.

Tool	Category	Parent HQ	CLOUD Act	CA Residency

Source: Upper Harbour Canadian Technology Sovereignty Index. Parent jurisdiction determined through corporate registry filings and SEC disclosures. Browse all 715 tools →

What "buy Canadian" actually looks like

Across the full 715-tool index, we classify each tool into one of four ownership categories:

Canadian-owned

18%

Canadian-headquartered, majority Canadian ownership, no foreign parent. Full sovereignty alignment. Examples: Shopify, Clio, Cohere, Hootsuite, Wealthsimple.

Review · Caution

11%

Canadian-HQ with foreign backing, or US-parented with Canadian residency available. Not fully sovereign but mitigating factors exist. Examples: 1Password, Microsoft 365 (CA region).

Non-exposed foreign

17%

Foreign-headquartered but not subject to the CLOUD Act. EU, Australian, and other non-US vendors. Examples: SAP, Canva, Atlassian, monday.com.

CLOUD Act exposed

54%

US-parented, subject to US legal process. The highest-risk category. Examples: Google, Salesforce, AWS, ServiceNow, Zoom.

The numbers tell a clear story: only 18% of the tools Canadian organizations rely on are fully Canadian-owned. Another 11% require review — Canadian-headquartered but foreign-backed, or offering mitigations like Canadian data residency without resolving the underlying jurisdictional question. The remaining 17% are non-US foreign vendors, and the majority are CLOUD Act exposed.

This matters for three reasons.

First, "buy Canadian" without a definition is unenforceable. When the Council of Canadian Innovators calls for Canadian-ownership requirements in government procurement, the question is: which category qualifies? Is 1Password — headquartered in Toronto, backed by US venture capital — Canadian enough? The answer has real procurement consequences, and no government has published a clear standard.

Second, the Canadian-owned category is shrinking. The Sovereignty Acquisition Tracker documents Canadian SaaS companies that have been acquired by foreign parents. This is not a one-time event — it is a pattern. Private equity roll-ups, strategic acquisitions, and Delaware reincorporations move companies out of the Canadian-owned category regularly. Without ongoing monitoring, any sovereignty assessment goes stale the moment an acquisition closes.

Third, sovereignty and ownership are the same question. This is the point the Canadian SHIELD Institute has made in its Sovereignty Score framework: sovereignty isn't just about where data is stored — it's about who controls the infrastructure. A "buy Canadian" policy that accepts Canadian-headquartered, foreign-parented companies as sovereign is a policy that accepts CLOUD Act exposure as an acceptable tradeoff. Whether that's the right call is a political decision. But it should be a conscious one, not a default.

Ownership classification methodology

We classify tools based on corporate registry filings, SEC/SEDAR disclosures, and publicly reported funding rounds. "Canadian-owned" requires Canadian incorporation of the ultimate parent, majority Canadian ownership or public listing on a Canadian exchange, and no foreign parent company. "Canadian-HQ, foreign-backed" indicates Canadian headquarters with significant (>30%) foreign institutional investment. "Formerly Canadian" tracks companies that were Canadian-owned at founding and have since been acquired by foreign parents. Classifications are reviewed quarterly as part of the index update cycle.

What this means for Canadian organizations

A typical Canadian organization using 15–20 SaaS tools will find that 60–80% of their stack is CLOUD Act exposed. For Quebec organizations subject to Law 25, this means 10–16 Transfer Impact Assessments are likely required — each documenting the jurisdictional exposure, the legal framework of the receiving jurisdiction, and the contractual safeguards in place.

Most Canadian organizations have not completed a single TIA. This requirement has been in effect since September 22, 2023. Organizations that are using cross-border SaaS tools without documented assessments have been technically non-compliant for over two years.

About the methodology

The Canadian Technology Sovereignty Index was compiled by Joshua van Es at Upper Harbour through primary research into corporate ownership structures, SEC filings, provincial and federal corporate registries, and vendor documentation. Each tool was evaluated for parent company jurisdiction, CLOUD Act applicability, Canadian data residency availability, and DPA availability. The index is updated quarterly. Last update: March 2026.

Compliance implications

Under Law 25 (Quebec): Every US-parented SaaS tool processing personal information of Quebec residents triggers a mandatory Transfer Impact Assessment. The assessment must evaluate the US legal framework — including the CLOUD Act — and document whether adequate protections exist. Canadian data residency does not eliminate this requirement.

Under PIPEDA (Federal): While PIPEDA doesn't mandate formal TIAs, the Office of the Privacy Commissioner recommends organizations assess the legal framework of foreign jurisdictions. The proposed Consumer Privacy Protection Act (CPPA) would make this assessment mandatory at the federal level.

For government procurement: Federal and provincial government RFPs increasingly include data sovereignty requirements. The Government of Canada's Digital Sovereignty Framework identifies foreign technology dependencies as a strategic risk. Vendors selling into government need documented sovereignty positioning across their SaaS stack.

How to use this data

Search the Sovereignty Index to look up any tool's parent jurisdiction, CLOUD Act status, and Canadian data residency — instant and free.

HarbourScan, Upper Harbour's free assessment tool, draws on this database to map an organization's specific SaaS environment to jurisdictional exposure. It identifies which tools are CLOUD Act exposed, flags missing TIAs and DPAs, and generates a compliance gap report. The assessment runs entirely in the browser and takes approximately 10 minutes.

For a deeper dive into the compliance requirements these findings connect to, see Upper Harbour's guides on Law 25 and your SaaS stack, the CLOUD Act and Canadian data, Transfer Impact Assessments, data residency vs data sovereignty, and PIPEDA vs Law 25.

Canadian Technology Sovereignty Index