Audit Government CLOUD Act March 2026

Canadian Government SaaS Stack Audit: CLOUD Act Exposure in Public Sector IT

By Joshua van Es, Founder of Upper Harbour

We analyzed publicly available procurement records, contract disclosures, and departmental IT documentation to identify SaaS tools in use across Canadian federal departments and four provincial governments. Then we mapped each tool to its parent jurisdiction and CLOUD Act exposure status. The findings are significant.

45+ SaaS tools identified across government procurement records
67% operated by US-parented companies (CLOUD Act exposed)
5 levels of government analyzed

Methodology

This audit is based on publicly available information. Sources include the Government of Canada's Proactive Disclosure database, Shared Services Canada's published cloud service provider frameworks, provincial procurement portals (Ontario, Quebec, British Columbia, Alberta), publicly available departmental IT strategies and annual reports, and Access to Information disclosures.

We identified SaaS tools through contract disclosures, vendor mentions in departmental documents, job postings referencing specific platforms, and published IT modernization strategies. Each identified tool was then mapped against Upper Harbour's Canadian Technology Sovereignty Index to determine parent company jurisdiction and CLOUD Act exposure status.

This audit does not claim to be exhaustive. Government SaaS usage is broader than what procurement records capture — many tools are adopted at the departmental level without centralized procurement. The actual exposure is likely higher than what we document here.

Federal government findings

The Government of Canada's IT procurement is primarily managed through Shared Services Canada (SSC). The federal government has established framework agreements with major cloud service providers and has published guidance on secure cloud use. Despite these frameworks, the majority of SaaS tools in use are operated by US-parented companies.

Core productivity and infrastructure

Tool | Category | Parent HQ | CLOUD Act | CA Residency
Microsoft 365 | Productivity | US (Washington) | Exposed | Available
Microsoft Azure | Cloud infrastructure | US (Washington) | Exposed | Available (Canada Central/East)
AWS | Cloud infrastructure | US (Washington) | Exposed | Available (Montreal/Calgary)
Google Workspace | Productivity | US (California) | Exposed | Partial (Enterprise)
Salesforce | CRM | US (California) | Exposed | Available (Hyperforce)
ServiceNow | IT Service Mgmt | US (California) | Exposed | Available
SAP | ERP | Germany | Not exposed | Available
Adobe | Creative/Document | US (California) | Exposed | Partial

Communication and collaboration

Tool | Parent HQ | CLOUD Act | Notes
Microsoft Teams | US (Washington) | Exposed | Bundled with M365; primary collaboration tool
Slack | US (Salesforce subsidiary) | Exposed | Used in some departments/agencies
Zoom | US (California) | Exposed | Adopted during COVID; still in use
Webex | US (Cisco subsidiary) | Exposed | GC-approved video conferencing

Specialized and departmental

Tool | Category | Parent HQ | CLOUD Act
Dynamics 365 | Business applications | US (Microsoft) | Exposed
GitHub | Development | US (Microsoft) | Exposed
Atlassian (Jira/Confluence) | Project management | US (Delaware inc.) | Exposed
Okta | Identity/SSO | US (California) | Exposed
Splunk | Security/observability | US (Cisco subsidiary) | Exposed
Cloudflare | CDN/Security | US (California) | Exposed

Key finding

Of the 45+ SaaS tools we identified in federal government use, approximately 67% are operated by US-parented companies and subject to the CLOUD Act. The core digital infrastructure of the Government of Canada — productivity, communication, cloud hosting, CRM, identity management — runs predominantly on US-jurisdictioned platforms. Canadian data residency is configured where available, but as our research consistently shows, residency does not equal sovereignty.

Provincial findings

Quebec

Quebec government departments use Microsoft 365 and Azure as primary platforms, supplemented by Salesforce for citizen services and various specialized SaaS tools. Quebec is unique in that Law 25 applies to public bodies — meaning provincial government departments are themselves subject to TIA requirements for cross-border SaaS tools. The province has invested in CGI Group (Quebec-headquartered) for some IT services, providing partial sovereignty coverage.

~62% CLOUD Act exposed

Ontario

Ontario's government IT runs heavily on Microsoft infrastructure (Azure, M365, Dynamics). The province has made significant cloud investments through its Ontario Digital Service. ServiceNow is used for IT service management. Ontario does not have a provincial privacy law equivalent to Law 25 for the private sector, but FIPPA governs public bodies. The province has been more permissive of US-jurisdictioned cloud tools than Quebec or BC.

~70% CLOUD Act exposed

British Columbia

BC's FIPPA historically imposed the strictest data residency requirement in Canada. The 2021 amendment now requires privacy impact assessments for sensitive data stored outside Canada, shifting from a blanket prohibition to a risk-assessment model. BC uses Microsoft 365 with Canadian residency but also uses Salesforce, ServiceNow, and AWS. Despite the residency mandate, the majority of SaaS tools are US-parented. BC has been more proactive than most provinces in issuing sovereignty guidance through its Office of the Information and Privacy Commissioner.

~63% CLOUD Act exposed

Alberta

Alberta's government IT procurement includes Microsoft Azure and M365, Salesforce, and various specialized tools. Alberta's PIPA governs private sector organizations, but the Freedom of Information and Protection of Privacy Act (FOIP) applies to public bodies. Alberta has been less publicly active on sovereignty questions than BC or Quebec, but the province's growing technology sector has brought increased attention to data jurisdiction issues.

~65% CLOUD Act exposed

The structural problem

The pattern across all levels of government is consistent: Canadian government IT infrastructure is overwhelmingly dependent on US-parented SaaS vendors. This isn't because Canadian alternatives don't exist — it's because the US vendors (particularly Microsoft, Salesforce, and AWS) have dominant market positions, extensive government certification programs, and deeply embedded procurement relationships.

The Government of Canada's 2025 Digital Sovereignty Framework explicitly acknowledges this challenge. It identifies "global technology market dependencies" as a strategic risk, noting that most digital products and services used by the government are provided by a small number of major global technology companies. The framework calls for supplier diversification and investment in domestic digital capacity.

But the gap between policy aspiration and operational reality is wide. Migrating core government IT from Microsoft 365 to a Canadian-sovereign alternative would be an enormous undertaking — measured in years and hundreds of millions of dollars. In the near term, Canadian governments will continue to operate with significant CLOUD Act exposure, mitigated by contractual safeguards, residency configurations, and encryption measures that reduce but do not eliminate jurisdictional risk.

Implications

For government IT leaders: The sovereignty gap is real and documented. The question is not whether to acknowledge it, but how to manage it. Priority actions include mapping your full SaaS stack to parent jurisdictions (not just your cloud provider), ensuring Canadian data residency is configured on every tool that offers it, executing DPAs with sovereignty-relevant provisions, and documenting your risk assessment rationale.

For SaaS vendors selling to government: Sovereignty documentation is becoming a procurement differentiator. Vendors that can demonstrate Canadian-headquartered operations, Canadian data residency, and independence from CLOUD Act jurisdictions will have a meaningful advantage in government procurement. See our guide on data sovereignty for government procurement.

For policymakers: The gap between the Digital Sovereignty Framework's aspirations and operational reality needs a bridge. Investment in Canadian SaaS alternatives for critical government functions — particularly productivity, communication, and identity management — would reduce systemic CLOUD Act exposure. The current approach of relying on contractual safeguards with US vendors is a mitigation strategy, not a sovereignty strategy.

Assessment tool

HarbourScan uses Upper Harbour's 715-tool sovereignty database to map any organization's SaaS stack to parent jurisdictions — including government organizations.

Frequently asked questions

What SaaS tools does the Canadian government use?

Upper Harbour identified over 45 SaaS tools in use across federal and provincial governments, including Microsoft 365, Azure, AWS, Salesforce, ServiceNow, Slack, Zoom, and Adobe. Approximately 67% are operated by US-parented companies subject to the CLOUD Act.

Is Canadian government data exposed to the CLOUD Act?

Yes. Approximately 67% of SaaS tools used by Canadian governments are operated by US-incorporated companies. Canadian data residency is configured where available but does not eliminate CLOUD Act exposure. The Government of Canada's own Digital Sovereignty Framework acknowledges this risk.

How was this audit conducted?

Through analysis of publicly available procurement records, contract disclosures, departmental IT documentation, and Access to Information disclosures. Each identified tool was mapped against Upper Harbour's 715-tool Canadian Technology Sovereignty Index. The audit does not claim to be exhaustive — actual exposure is likely higher.
