Why this matters now
Under Law 25, Quebec organizations must document every cross-border transfer of personal information and assess its risk. Under PIPEDA, federal organizations must demonstrate accountability for how personal information is handled by third-party processors. Provincial privacy commissioners in BC, Alberta, and Ontario have signalled similar expectations.
Meanwhile, government procurement increasingly requires vendors to demonstrate data sovereignty awareness. RFPs now routinely ask where data is stored, who the parent company is, and whether the vendor is subject to foreign access laws like the US CLOUD Act.
The common thread: every framework now expects you to know your SaaS environment and be able to prove it. An undocumented stack is an indefensible stack.
What a defensible SaaS inventory actually contains
A spreadsheet of tool names is not an inventory. A defensible inventory is a structured record that maps each tool to its jurisdictional, legal, and data residency profile. For each SaaS tool in your environment, you need to document:
Vendor identity: The tool name, the parent company, and the parent's country of incorporation. This matters because a tool may operate under a Canadian brand while being owned by a US or European parent — which determines jurisdictional exposure.
Jurisdiction: The legal jurisdiction governing the parent entity. A tool owned by a US-incorporated company is subject to US law, including the CLOUD Act, regardless of where the data is stored.
CLOUD Act exposure: Whether the vendor's parent is subject to the CLOUD Act. This is binary: if the parent is a US company, it is exposed. If it's a subsidiary of a US company, it is exposed. This is the single most important jurisdictional risk factor for Canadian organizations.
Data residency: Where the tool actually stores data at rest. Some vendors offer Canadian data centres, some offer regional selection, and many store everything in the US by default.
Data categories processed: What types of personal information the tool handles — employee data, customer data, health records, financial information. This determines which regulatory frameworks apply.
Regulatory status: Whether a TIA or PIA is required, whether a DPA exists, and whether the tool has been assessed under the applicable provincial or federal framework.
Step 1: Enumerate your SaaS environment
Start by listing every SaaS tool your organization uses. This sounds simple, but most organizations significantly undercount. IT-sanctioned tools are easy to find, but shadow IT — tools adopted by individual departments without central approval — often accounts for 30-50% of the actual stack.
Sources to check: SSO/identity provider logs, expense reports and corporate card statements, browser extension audits, department-by-department surveys, and procurement records. The goal is a complete list, not a curated one.
Step 2: Map parent companies and jurisdictions
For each tool, identify the parent company and its country of incorporation. This is where many organizations get stuck — vendor websites don't always make ownership structures transparent, especially after acquisitions.
Upper Harbour's Sovereignty Index tracks parent companies, jurisdictions, CLOUD Act exposure, and data residency status for 715 tools commonly used by Canadian organizations. This step can be done manually, but the database significantly accelerates it.
Step 3: Assess CLOUD Act and cross-border exposure
With parent companies mapped, the CLOUD Act assessment is straightforward: any tool whose parent company is incorporated in the United States or is a subsidiary of a US-incorporated entity is CLOUD Act exposed. This means the US government can compel the vendor to produce data — including data stored in Canada — without notifying the Canadian data subject or organization.
Our government SaaS stack audit found that 67% of tools used by Canadian federal departments are CLOUD Act exposed. The private sector is no different.
Step 4: Document data residency
For each tool, determine where data is stored at rest. "Data residency" means the physical location of the servers holding your data. This is distinct from jurisdiction — a tool may store data in Canada but still be subject to US law if the parent is American.
Categories to track: Canadian data centre available, Canadian data centre in use, US-only storage, multi-region (user-selectable), and unknown. The last category — unknown — is more common than most organizations expect, and it represents a documentation gap that regulators notice.
Step 5: Classify regulatory requirements
Based on your province, sector, and the data categories each tool processes, determine which regulatory framework applies and what documentation is required. In Quebec, any cross-border transfer of personal information requires a TIA. In other provinces, a PIA may be required for tools processing sensitive categories. Federal organizations must comply with PIPEDA and Treasury Board directives.
For each tool, flag: TIA required (yes/no), PIA required (yes/no), DPA in place (yes/no), and compliance status (documented, in progress, not started).
Step 6: Produce the defensible record
The inventory itself is the deliverable. It should be structured as a single document — typically a spreadsheet or formal register — that can be produced on request. This is what regulators ask for. This is what procurement officers expect. This is what auditors review.
A defensible inventory is not a one-time exercise. As your SaaS environment changes — new tools adopted, vendors acquired, data centres relocated — the record must be maintained. This is why monitoring jurisdictional changes matters.
Tool name · Parent company · Parent jurisdiction · CLOUD Act status · Data residency location · Data categories processed · Regulatory framework · TIA/PIA status · DPA status · Last reviewed date
What happens if you don't have one
Without a documented inventory, your organization cannot demonstrate compliance with Law 25's transfer assessment requirements, cannot respond credibly to procurement sovereignty questionnaires, cannot produce records for a regulatory investigation, and cannot assess the impact of vendor acquisitions or jurisdictional changes on your data.
The risk is not theoretical. Quebec's Commission d'accès à l'information has enforcement authority under Law 25. Federal and provincial privacy commissioners conduct investigations. Government procurement processes increasingly disqualify vendors who cannot demonstrate sovereignty awareness.
Building the inventory is not optional. It is the minimum documentation requirement for operating a SaaS-dependent organization in Canada.