Why do common SaaS tools need PIAs in Alberta?

Every SaaS tool that collects, uses, or discloses personal information requires a Privacy Impact Assessment under POPA. Microsoft 365, Zoom, Slack, Google Workspace, Salesforce, and Dropbox are among the tools most widely used by Alberta public bodies, and every one of them is US-parented and subject to the CLOUD Act. The OIPC template specifically asks for this jurisdictional analysis in Section G (Service Providers) and Section H2 (Cloud Computing Risks).

What does the OIPC template ask about each SaaS tool?

Section G requires public bodies to identify each service provider's parent company, jurisdiction of incorporation, data residency options, and custody and control arrangements. Section H2 requires a risk assessment specifically for cloud computing, including Risk 7, which explicitly names the CLOUD Act and USA PATRIOT Act. For every US-parented tool, you must document that US authorities can compel the provider to produce data regardless of where it is stored.

Are Microsoft 365 and Teams CLOUD Act exposed?

Yes. Microsoft Corporation is incorporated in the United States and is subject to the CLOUD Act. While Microsoft offers Canadian data residency for Microsoft 365 and Teams, the parent entity remains under US jurisdiction. A valid US legal order can compel Microsoft to produce data stored in Canadian data centres. Your PIA must document this in Section G and assess it as a risk in Section H2, Risk 7.

Is Zoom CLOUD Act exposed?

Yes. Zoom Video Communications Inc. is incorporated in the United States. All data processed by Zoom is subject to the CLOUD Act regardless of where the meeting is hosted or recorded. Public bodies using Zoom for meetings that discuss personal information — student records, patient data, employee matters — must document this exposure in their PIA.

Are there Canadian alternatives?

Yes. Upper Harbour's Sovereignty Index tracks 132 Canadian-owned tools across productivity, communication, file storage, and other categories. Canadian alternatives are not subject to the CLOUD Act. However, migration is not always practical — which is why the PIA exists: to document the risk and demonstrate you've assessed it.

Generate your Section G and H2 answers automatically

Select Microsoft 365, Zoom, Slack, and every other tool your organization uses. Our PIA Research Tool generates pre-written answers for Sections F, G, and H2 from a 753-tool database. $199.


Frequently asked questions

Do I need a separate PIA for each SaaS tool?

Not necessarily. If multiple tools are part of the same project or deployment, they can be covered in a single PIA. However, each tool requires its own jurisdictional analysis in Section G.

Does Canadian data residency remove CLOUD Act risk?

No. The CLOUD Act applies based on the parent company's jurisdiction, not where data is stored. Microsoft hosting data in Canada does not prevent a US legal order from compelling Microsoft to produce that data.

What about Google Workspace?

Google LLC (Alphabet Inc.) is incorporated in the United States and is subject to the CLOUD Act. The same analysis applies as for Microsoft 365 and Zoom.

Sources: OIPC PIA resources · PIA template & guide · Upper Harbour classification methodology.