Practical guidance on Law 25, the CLOUD Act, Transfer Impact Assessments, and data sovereignty — written for privacy officers, IT leads, and compliance teams managing SaaS environments.
Most Canadian organizations understand sovereignty risks. The problem is proof. When a regulator, procurement officer, or client asks how you manage cross-border data exposure, can you produce a defensible answer? A comprehensive guide to what’s required under Law 25, PIPEDA, and the CLOUD Act.
Read guide →
Quebec's Law 25 requires Transfer Impact Assessments for every cross-border SaaS tool. Learn which tools are affected, what's required, and how to start documenting compliance.
Read guide →
The US CLOUD Act gives American authorities the power to compel access to data held by US companies — regardless of where that data is stored. Here's what it means for Canadian organizations.
Read guide →
Five specific ways the CLOUD Act undermines data sovereignty for Canadian organizations — and what to do about it. Covers compliance documentation, sector-specific exposure, contractual limitations, and migration options.
Read guide →
Every cross-border data transfer requires a documented TIA under Law 25. Here's what a TIA must include, when one is triggered, and a practical framework for completing them.
Read guide →
The CAI hasn't published a standard Transfer Impact Assessment template. We did. A complete, structured framework any Quebec organization can use to document cross-border SaaS compliance — covering jurisdictional assessment, CLOUD Act exposure, safeguards evaluation, and residual risk determination.
Access the template →
French version of the Privacy Impact Assessment (Évaluation des facteurs relatifs à la vie privée) template for Law 25 compliance. A structured framework for documenting cross-border SaaS data transfers, CLOUD Act exposure, and safeguards.
Access the template →
A practical breakdown of which popular SaaS tools offer Canadian data residency, which don't, and why residency alone doesn't solve the compliance question.
Read guide →
These two terms are used interchangeably — but they describe fundamentally different things. One is a server configuration; the other is a legal and corporate structure question.
Read guide →
Both govern personal information — but Law 25 is significantly stricter on consent, cross-border transfers, penalties, and individual rights. A practical comparison for compliance teams.
Read guide →
Government RFPs increasingly require demonstrated data sovereignty. Here's what procurement teams are asking for and how to document your compliance posture.
Read guide →
A step-by-step guide to building the documented SaaS inventory that Law 25, PIPEDA, and procurement sovereignty reviews require. Covers jurisdiction mapping, CLOUD Act exposure, and defensible record-keeping.
Read guide →
A practical checklist of the six documents Canadian organizations must maintain — and what happens when regulators, auditors, or procurement officers ask for them and you can't produce them.
Read guide →
Your SaaS stack is US-controlled. Now what? A practical action guide covering exposure mapping, risk triage, documentation requirements, remediation options, and ongoing monitoring.
Read guide →
The 2021 FIPPA amendment changed the rules. BC public bodies can now store data outside Canada — but must complete privacy impact assessments evaluating jurisdictional risk. Here's what the new framework means for your SaaS stack.
Read guide →
The BC Privacy Commissioner hasn't published a SaaS-specific PIA template for jurisdictional risk. We did. A structured framework for BC public bodies to assess vendor jurisdiction, CLOUD Act exposure, and safeguards under the amended FIPPA.
Access the template →
HarbourScan identifies jurisdictional risk across your entire SaaS stack — free, browser-based, in about 10 minutes.