The definitions
Data residency refers to the physical or geographic location where your data is stored. If your Microsoft 365 tenant is configured to store data in the Canada Central region (Toronto), your data has Canadian data residency. The bits are on servers in Canadian territory.
Data sovereignty refers to the legal jurisdiction that governs your data. It's determined not by where the data physically sits, but by who controls the platform, who the parent company is, and what laws apply to that entity. If your data is managed by a US-incorporated company, it is subject to US legal jurisdiction — regardless of where it's stored.
The Government of Canada's own definition draws this distinction clearly: data sovereignty is Canada's right to control access to and disclosure of its digital information subject only to Canadian laws, while data residency is simply the physical or geographical location of that information.
| | Data Residency | Data Sovereignty |
|---|---|---|
| What it means | Where data is physically stored | Which country's laws govern the data |
| Determined by | Server location / data centre region | Parent company jurisdiction, corporate ownership chain |
| Can you configure it? | Often yes — many SaaS vendors offer region selection | Rarely — it's tied to corporate structure, not settings |
| CLOUD Act exposure | Still exposed if parent is US-incorporated | Not exposed if parent is Canadian-incorporated |
| Law 25 TIA required? | Yes — residency alone doesn't satisfy the legal framework assessment | Simplified — Canadian sovereignty reduces the assessment burden |
Why the confusion exists
The confusion between residency and sovereignty is not accidental. Many SaaS vendors market "Canadian data residency" as a compliance solution, and for many organizations, it sounds like the problem is solved. Microsoft offers Canada Central and Canada East regions. AWS has ca-central-1 in Montreal and ca-west-1 in Calgary. Google Cloud has Montreal and Toronto regions. Configuring data residency in Canada is straightforward and increasingly common.
But the compliance question under Law 25 isn't just "where is my data stored?" It's "does the jurisdiction that governs my data provide adequate privacy protection?" And when the platform is operated by a US-incorporated company, the jurisdiction that governs it includes the United States — which means the CLOUD Act, FISA Section 702, and other US surveillance authorities are relevant to the legal framework assessment.
Residency is a geographic configuration. Sovereignty is a legal and corporate structure question. They operate on different axes entirely.
When a vendor says "your data stays in Canada," they typically mean data residency — the physical storage location. They rarely mean data sovereignty — that the data is exclusively governed by Canadian law. Read the fine print on sub-processors, support access, and corporate ownership.
How this plays out in practice
Here are three common scenarios Canadian organizations encounter:
Microsoft 365 with Canada Central data residency
Your data is physically stored in Toronto. But Microsoft Corporation is incorporated in Washington state, USA. A US court order can compel Microsoft to produce your data under the CLOUD Act — even though it's stored in Canada. You have Canadian data residency but not Canadian data sovereignty.
Clio (Canadian legal practice management)
Clio is headquartered in Vancouver and incorporated in Canada. Your data is stored on Canadian infrastructure. The parent company is not subject to the CLOUD Act. You have both Canadian data residency and Canadian data sovereignty.
A Canadian company acquired by a US parent
The SaaS tool is marketed as Canadian and stores data in Canada. But last year, the company was acquired by a US corporation. The data hasn't moved, but the legal jurisdiction has changed. Through its US parent, the data is now within reach of the CLOUD Act. Residency unchanged — sovereignty lost.
What Canadian law actually requires
Quebec — Law 25
Law 25 requires a Privacy Impact Assessment before personal information is communicated outside Quebec. The assessment must evaluate the legal framework of the receiving jurisdiction — not just the physical location of the servers. This means a TIA for a US-parented vendor must address the CLOUD Act and related US authorities, even if Canadian data residency is configured.
In other words, Law 25's requirements are anchored to sovereignty, not residency.
Federal — PIPEDA
PIPEDA doesn't mandate data localization or require formal TIAs. However, it does require organizations to ensure comparable levels of protection when transferring data to third-party processors. The Office of the Privacy Commissioner has indicated that organizations should assess the laws of foreign jurisdictions that may apply to their data — which again points to sovereignty, not just residency.
Provincial considerations
British Columbia's FIPPA historically required public bodies to store personal information exclusively in Canada. In 2021, this was amended — public bodies can now store data outside Canada but must complete a privacy impact assessment evaluating jurisdictional risk, including foreign government access laws. Alberta's PIPA includes provisions about cross-border transfers that require contractual safeguards. Each province has its own nuances, but the trend is clear: residency is often the minimum, sovereignty is increasingly the expectation.
The sovereignty spectrum
Not all sovereignty positions are binary. In practice, organizations operate on a spectrum:
Full sovereignty: Data stored on Canadian infrastructure, operated by a Canadian-incorporated company, with no foreign parent or subsidiary that could create jurisdictional exposure. All personnel with access to data are Canadian-based. This is the gold standard but limits your vendor options significantly.
Partial sovereignty with residency: Data stored in Canada on infrastructure operated by a foreign-incorporated company (e.g., AWS Canada region, Azure Canada). Canadian residency is achieved, but the operating company's foreign jurisdiction creates a sovereignty gap. Most Canadian organizations sit here today.
No sovereignty, no residency: Data stored outside Canada on infrastructure operated by a foreign company. No data residency configuration enabled. This is the default position for many SaaS tools that don't offer regional data storage options.
Full data sovereignty for every tool in your stack may not be realistic — there simply aren't Canadian-headquartered alternatives for every SaaS category. The practical approach is to know where you sit on the spectrum for each tool, prioritize sovereignty for your most sensitive data, and document your rationale. That's what compliance actually requires.
What to do about it
Stop treating residency as sufficient. Configuring Canadian data residency is a good step, but it shouldn't be the end of your compliance analysis. It doesn't change the corporate jurisdiction of your vendor.
Map the ownership chain. For every SaaS tool, identify the parent company and its jurisdiction. A tool that looks Canadian may have been acquired by a US or European parent. The brand name doesn't tell you the jurisdiction — the corporate ownership chain does.
Prioritize by sensitivity. You don't need full sovereignty for every tool. But for legal files, health records, financial data, and employee records, the sovereignty question is more urgent. Make deliberate choices about where your most sensitive data goes.
Document your position. Whether you choose to stay with a US-parented vendor (with residency enabled and a completed TIA) or switch to a Canadian alternative, the key is having a documented rationale. Regulators want to see that you've assessed the risk — not necessarily that you've eliminated it.
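To make the four steps above concrete, here is an added example that is not the article's or HarbourScan's code: a small Python stack assessment that walks each vendor's corporate ownership chain, records residency (where the data sits) and sovereignty (whether every entity in the chain is Canadian-incorporated) separately, places the tool on the article's sovereignty spectrum, and flags the Law 25 TIA position from the comparison table. The vendor records are constructed for illustration (the MapleDocs and ChatCo entities are invented; the Microsoft and Clio facts are the ones the article states), jurisdictions are assumed to be ISO country codes, and the fourth spectrum label for a Canadian operator storing data abroad is an extension the article does not name.

```python
"""Added example: residency vs. sovereignty assessment over a SaaS stack.

Not the article's or HarbourScan's own code. Vendor records below are
constructed; jurisdictions are assumed to be ISO 3166-1 alpha-2 codes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entity:
    """One legal entity in a vendor's corporate ownership chain."""
    name: str
    jurisdiction: str                 # country of incorporation
    parent: Optional["Entity"] = None  # None at the ultimate parent


@dataclass(frozen=True)
class Vendor:
    tool: str
    operator: Entity      # the entity that operates the platform
    storage_country: str  # where the bits physically sit (data residency)
    sensitivity: str      # "high" for legal, health, financial, employee data


def ownership_chain(entity: Entity) -> list[Entity]:
    """Walk from the operating entity up to the ultimate parent."""
    chain, seen = [], set()
    while entity is not None and entity.name not in seen:  # guard against cycles
        seen.add(entity.name)
        chain.append(entity)
        entity = entity.parent
    return chain


def has_residency(v: Vendor) -> bool:
    """Residency is a storage-location question only."""
    return v.storage_country == "CA"


def foreign_jurisdictions(v: Vendor) -> set[str]:
    """Every non-Canadian jurisdiction anywhere in the ownership chain."""
    return {e.jurisdiction for e in ownership_chain(v.operator) if e.jurisdiction != "CA"}


def has_sovereignty(v: Vendor) -> bool:
    """Sovereignty holds only when the whole chain is Canadian-incorporated."""
    return not foreign_jurisdictions(v)


def cloud_act_exposed(v: Vendor) -> bool:
    """A US entity at any level of the chain creates CLOUD Act reach,
    which is the acquired-Canadian-company scenario in the article."""
    return "US" in foreign_jurisdictions(v)


def spectrum_position(v: Vendor) -> str:
    r, s = has_residency(v), has_sovereignty(v)
    if r and s:
        return "full sovereignty"
    if r and not s:
        return "partial sovereignty with residency"
    if not r and not s:
        return "no sovereignty, no residency"
    # Extension: the article does not name this fourth case.
    return "Canadian operator, data stored outside Canada"


def law25_tia(v: Vendor) -> str:
    """Mirrors the comparison table: residency alone still needs the full
    legal-framework assessment; Canadian sovereignty simplifies it."""
    return "simplified" if has_sovereignty(v) else "required"


def assess_stack(vendors: list[Vendor]) -> list[dict]:
    rows = [{
        "tool": v.tool,
        "sensitivity": v.sensitivity,
        "residency": has_residency(v),
        "sovereignty": has_sovereignty(v),
        "cloud_act_exposed": cloud_act_exposed(v),
        "foreign_jurisdictions": sorted(foreign_jurisdictions(v)),
        "position": spectrum_position(v),
        "law25_tia": law25_tia(v),
    } for v in vendors]
    # Sovereignty gaps first, high-sensitivity data before the rest.
    rows.sort(key=lambda r: (r["sovereignty"], r["sensitivity"] != "high", r["tool"]))
    return rows


# Constructed sample stack (MapleDocs and ChatCo are invented names).
SAMPLE_STACK = [
    Vendor("Microsoft 365", Entity("Microsoft Corporation", "US"), "CA", "high"),
    Vendor("Clio", Entity("Clio", "CA"), "CA", "high"),
    Vendor("MapleDocs e-signature",
           Entity("MapleDocs Inc.", "CA", parent=Entity("MapleDocs Holdings LLC", "US")),
           "CA", "normal"),
    Vendor("ChatCo team chat", Entity("ChatCo Inc.", "US"), "US", "normal"),
]

if __name__ == "__main__":
    for row in assess_stack(SAMPLE_STACK):
        print(f"{row['tool']:<24} residency={row['residency']!s:<5} "
              f"sovereignty={row['sovereignty']!s:<5} CLOUD Act={row['cloud_act_exposed']!s:<5} "
              f"{row['position']} / TIA {row['law25_tia']}")
```

The ownership walk is the part that catches the acquisition case: MapleDocs is Canadian-incorporated and stores data in Canada, so a brand-level check would pass it, but its US parent puts it in the same row as Microsoft 365. The sorted output is the documented position the last step asks for, with the high-sensitivity gaps at the top.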
HarbourScan shows you which tools in your stack have Canadian residency, which have Canadian sovereignty, and where the gaps are — across your entire SaaS environment. Free, browser-based, 10 minutes. Run your assessment →
Further reading
For more on the specific compliance requirements these concepts feed into, see our guides on Law 25 and your SaaS stack, the CLOUD Act and Canadian data, and which SaaS tools offer Canadian data residency.