mapped
sovereign
exposed
review required
The layer most organizations never assess
When organizations audit their SaaS exposure, they typically ask: who is the vendor, where is the vendor incorporated, does the vendor offer Canadian data residency? These are the right questions for the application layer. But they miss the layer underneath.
Every SaaS tool runs on cloud infrastructure. When a vendor tells you "your data is stored in Canada," what they usually mean is that it's hosted on AWS Montréal, Azure Canada Central, or Google Cloud's Montréal region. All three are operated by US-incorporated companies subject to the CLOUD Act. The Canadian data centre is a geographic configuration. The legal jurisdiction is still American.
This creates layered exposure. Even a Canadian-owned SaaS tool hosted on US infrastructure carries a residual jurisdictional risk at the infrastructure level. To understand your organization's full sovereignty posture, you need to assess both layers.
How a technology stack creates layered jurisdiction
Consider a typical Canadian organization using a Canadian SaaS tool that runs on AWS. The jurisdictional layers look like this:
The SaaS vendor is Canadian. The data is physically in Canada. But the infrastructure provider is a US company that can be compelled to provide access to data under its control. The practical risk depends on encryption architecture and the shared responsibility model — but the jurisdictional exposure exists at the infrastructure layer regardless.
Now compare the same organization using a Canadian SaaS tool hosted on a Canadian sovereign cloud provider like ThinkOn or Micrologic:
Every layer is under Canadian jurisdiction. No foreign government can compel access to any layer of the stack. This is what full-stack sovereignty looks like — and it's now achievable for Canadian organizations that choose their infrastructure deliberately.
AWS, Azure, and Google Cloud all market Canadian data centres prominently. But data residency is a geographic configuration. Data sovereignty is a legal and corporate structure question. A Canadian data centre operated by a US company is still a US-jurisdictioned service. Read more: Data residency vs. data sovereignty →
The 25 providers: what the data shows
Upper Harbour mapped 25 cloud infrastructure providers commonly used or available to Canadian organizations. We classified each using the same methodology applied across the full Technology Sovereignty Index: parent company, country of incorporation, CLOUD Act exposure, and Canadian data residency.
| Provider | Parent | Jurisdiction | CLOUD Act | Classification |
|---|---|---|---|---|
| ThinkOn | Think On Inc. | Canada | No | Canadian ✓ |
| Micrologic | Micrologic Inc. | Canada | No | Canadian ✓ |
| eStruxture | eStruxture Data Centers | Canada | No | Canadian ✓ |
| Hypertec Cloud | Hypertec Group | Canada | No | Canadian ✓ |
| Bell Cloud / AI Fabric | BCE Inc. | Canada | No | Canadian ✓ |
| TELUS Cloud | TELUS Corporation | Canada | No | Canadian ✓ |
| OpenText Sovereign Cloud | Open Text Corporation | Canada | No | Canadian ✓ |
| AWS | Amazon.com Inc. | United States | Yes | Review |
| Azure | Microsoft Corporation | United States | Yes | Review |
| Google Cloud | Alphabet Inc. | United States | Yes | Review |
| Oracle Cloud | Oracle Corporation | United States | Yes | Review |
| IBM Cloud | IBM Corporation | United States | Yes | Review |
| DigitalOcean | DigitalOcean Holdings | United States | Yes | Review |
| Vultr | The Constant Company | United States | Yes | Review |
| Linode | Akamai Technologies | United States | Yes | Review |
| Aptum | Aptum Technologies | Canada (US PE) | Indirect | Review |
| OVHcloud | OVH Groupe S.A. | France | No | Non-exposed |
| Hetzner | Hetzner Online GmbH | Germany | No | Non-exposed |
| Scaleway | Iliad SA | France | No | Non-exposed |
| Civo | Civo Ltd. | United Kingdom | No | Non-exposed |
| Vercel | Vercel Inc. | United States | Yes | Exposed |
| Cloudflare | Cloudflare Inc. | United States | Yes | Exposed |
| Netlify | Netlify Inc. | United States | Yes | Exposed |
| Heroku | Salesforce Inc. | United States | Yes | Exposed |
| Render | Render Services Inc. | United States | Yes | Exposed |
Source: Upper Harbour Canadian Technology Sovereignty Index. Classification based on parent company jurisdiction and CLOUD Act exposure. Browse all 715 tools →
The Canadian sovereign cloud landscape
Canada now has a credible and growing domestic cloud infrastructure ecosystem. These are the providers that meet the full sovereignty standard: Canadian-owned, Canadian-operated, not subject to any foreign data access law.
ThinkOn
First Canadian VMware Sovereign Cloud partner. The only Canadian cloud service provider authorized for Protected-B government workloads under the GC Cloud Framework Agreement. Channel-only model. Part of the four-company consortium (with Hypertec, Aptum, eStruxture) building Canada's first end-to-end sovereign AI-ready government cloud.
Micrologic
The only Canadian sovereign cloud recognized by Gartner in the Operational Sovereignty category. Cirrus cloud platform powered by VMware. ISO 27001/27017/27018 certified. Qualified for PSPC SaaS catalogue. $150M pan-Canadian expansion underway. Over a decade of sovereign cloud operations — well before sovereignty became a mainstream topic.
eStruxture
Largest Canadian-owned data centre provider. 16 facilities across Montreal, Toronto, Vancouver, and Calgary — over 760,000 square feet. Majority-owned by Fengate Asset Management (Canadian). Provides the physical data centre layer for the sovereign government cloud consortium. Carrier and cloud-neutral, serving nearly 1,200 customers.
Hypertec Cloud
100% Canadian-owned. NVIDIA Canadian Partner of the Year 2025. Cloud infrastructure division formed via acquisition of cloud.ca in 2021. Capacity for 100,000 GPUs. Hardware designed and assembled in Montreal. Provides the hardware layer for the sovereign government cloud consortium. Sovereign AI Research Hub partnership with Mila. Strategic partnership with Bell for sovereign AI infrastructure.
Bell Cloud / AI Fabric
Bell's sovereign cloud and AI infrastructure platform. $500M investment in hydro-powered AI data centres in British Columbia. Partnered with SAP Canada for sovereign cloud (February 2026) and Hypertec for sovereign AI compute. Canadian-owned, subject exclusively to Canadian law. Targeting government and regulated industries.
TELUS Cloud
Sovereign cloud data centres in Rimouski, QC and Kamloops, BC. Partnered with OpenText to launch the Canadian Sovereign Cloud in July 2025 — enterprise-grade cloud and AI operating entirely within Canadian borders. Early signatory of the Government of Canada's voluntary AI code of conduct. Not subject to any foreign data access law.
OpenText Sovereign Cloud
Canadian-incorporated. Serves 1,600 Canadian institutions with nearly 1,000 actively using AI-powered cloud applications. Private cloud solutions available through existing PSPC procurement channels. Aviator AI platform hosted entirely in Canada. Partnered with TELUS for sovereign cloud delivery.
The policy context: why now
This research arrives at a moment when Canadian sovereign cloud infrastructure is moving from aspiration to operational reality. In 2025, Prime Minister Carney directed the Major Projects Office to prioritize the development of a Canadian sovereign cloud. The federal government issued a Request for Information on sovereign public cloud capability. Budget 2024 earmarked roughly $2 billion for sovereign AI compute infrastructure.
The private sector has responded. The ThinkOn-Hypertec-Aptum-eStruxture consortium launched Canada's first end-to-end sovereign government cloud in October 2025. OpenText and TELUS launched their joint sovereign cloud in July 2025. Bell partnered with SAP for sovereign cloud in February 2026 and with Hypertec for sovereign AI compute days later.
For Canadian organizations, the practical implication is straightforward: sovereign infrastructure alternatives now exist. The question is no longer whether Canadian cloud providers can meet enterprise requirements. It's whether organizations will assess the infrastructure layer at all — or continue to assume that a Canadian data centre address is the same as Canadian sovereignty.
If your organization uses US hyperscaler infrastructure, you should document the layered jurisdiction in your Transfer Impact Assessments. If your SaaS vendor runs on AWS or Azure, your TIA should note the infrastructure-layer CLOUD Act exposure even if the SaaS vendor is Canadian. HarbourScan identifies which tools in your stack run on which infrastructure. Run a free assessment →