Question 1

What is the Sovereignty Stack?

Accepted Answer

The Sovereignty Stack is a framework developed by Upper Harbour that maps where jurisdictional exposure sits across the four layers of a technology stack: hardware, infrastructure, platforms, and SaaS applications. Canada's sovereignty policy focuses on the bottom two layers (infrastructure and hardware), while 82% of the SaaS applications organizations use daily remain under foreign jurisdiction. The framework shows the gap between sovereign infrastructure and sovereign software.

Question 2

Does Canadian data residency protect against the CLOUD Act?

Accepted Answer

No. Upper Harbour's data shows that 83% of application-layer tools advertising Canadian data residency are still operated by companies under US parent jurisdiction. The CLOUD Act grants US authorities the ability to compel access to data held by US-parented companies regardless of where that data is physically stored. Data residency is a server configuration; sovereignty is a legal and corporate structure question.

Question 3

How many SaaS categories have zero Canadian-owned vendors?

Accepted Answer

Seven major enterprise software categories have zero Canadian-owned vendors, including analytics, customer support, ERP, DevOps, design, integration, and productivity. This means Canadian organizations have no domestically controlled option in these categories.

Question 4

What is the difference between the sovereign cloud RFI and SaaS sovereignty?

Accepted Answer

The Government of Canada's sovereign cloud RFI (updated March 2026) requires that cloud infrastructure providers and their ultimate parent corporations are not subject to foreign compelled-disclosure laws. This covers IaaS and PaaS. No equivalent policy instrument applies a parent-jurisdiction test to SaaS vendors — the application layer where most organizations encounter foreign jurisdiction daily.

Question 5

What is a technology stack?

Accepted Answer

A technology stack is the combination of software and infrastructure an organization uses to operate. It consists of four layers: hardware and data centres at the base, cloud infrastructure (IaaS) above that, platforms (PaaS), and software applications (SaaS) at the top. Each layer has different ownership, jurisdiction, and legal exposure. In Canada, most sovereignty policy addresses the lower layers while the application layer — CRM, HR, messaging, analytics, finance — remains largely under foreign jurisdiction.

Question 6

What does a Canadian tech stack look like?

Accepted Answer

A fully Canadian tech stack would use Canadian-owned and operated tools at every layer — from data centres (Bell-Hypertec, Equinix Canada, Cologix) to cloud infrastructure (ThinkOn, Micrologic) to SaaS applications (Clio, FreshBooks, Jane App). In practice, Upper Harbour's data shows only 17% of SaaS tools used by Canadian organizations are truly Canadian-owned. Seven major enterprise software categories have zero Canadian-owned vendors, including analytics, customer support, and ERP.

Question 7

How do I make my organization's tech stack more Canadian?

Accepted Answer

Start by mapping your current stack to parent jurisdictions. Upper Harbour's free HarbourScan tool identifies which of your SaaS tools are under foreign jurisdiction and CLOUD Act exposure. From there, prioritize replacing tools in high-sensitivity categories (HR, finance, legal, healthcare) with Canadian-controlled alternatives where they exist. For categories with no Canadian option, document the jurisdictional exposure with Transfer Impact Assessments as required by Law 25 and recommended under PIPEDA. The goal is informed risk management, not replacing every tool.

The Sovereignty Stack

Digital systems run on four layers.

Independent sovereignty risks exist at every level.

Sovereignty policy is addressing infrastructure.

The top two layers have no equivalent policy.

Infrastructure can be domestic. Software can remain governed abroad.

We map every layer.

The application layer, measured.

Every layer mapped. The application layer for the first time.

Where Canada’s policy is and isn’t

Sovereign Cloud RFI

Digital Sovereignty Framework

Buy Canadian Framework

Sovereign AI Compute

See where your stack sits