Sample Output
Example of the structured sovereignty documentation HarbourScan produces — vendor jurisdiction register, integration pathway analysis, and risk classification by tool.
View sample assessment output ↗Many organizations assume their data is protected because it is stored in Canada. In practice, jurisdiction is determined not just by where data sits, but by who operates the platforms, controls the software, and governs the legal entity behind it. As sovereignty expectations rise across procurement, security, and policy environments, organizations increasingly need a documented picture of where their data actually flows — and what jurisdictional obligations attach to it.
Free for qualifying Canadian organizations. No credit card.
Pilot assessments are exploratory and designed to begin with minimal internal effort.
This isn't a niche legal concern. It's structural — built into how most SaaS tools are architected, funded, and legally obligated.
Most Canadian organizations have no idea how many of their SaaS vendors are U.S.-parent companies.
A tool can be marketed as "Canadian" or "hosted in Canada" and still be subject to U.S. law if its parent company, investors, or key infrastructure are American. Legal jurisdiction travels with ownership — not the server location.
"U.S. law requires providers to disclose data that is responsive to legal process — regardless of where it is stored."
"App-to-app integrations move 10× more data than users — and most organizations have limited structured visibility into those flows."
Federal and provincial procurement increasingly requires demonstrable data sovereignty. HarbourScan gives you the documentation to answer due diligence questionnaires with confidence — and win deals your competitors can't.
Understand which tools in your stack are likely tied to U.S. jurisdiction — and how much data flows through them. HarbourScan provides the structured documentation your organization needs to evaluate sovereignty risks on its own terms, without prescribing specific vendors or platforms. Sovereignty considerations increasingly appear in procurement reviews, security assessments, and board-level risk discussions — HarbourScan gives you the documented basis to engage those conversations confidently.
Integration layers move a large share of organizational data — across borders, through U.S.-parent vendors, and into foreign legal reach. HarbourScan maps observable SaaS tools, integrations, and vendor structures, supplemented by a short structured intake to complete the documentation record.
"Can you guarantee our data isn't exposed to a foreign jurisdiction?"
This question is appearing in procurement reviews, board-level risk discussions, and security assessments across Canada — and most organizations cannot answer it with documented evidence. HarbourScan's sovereignty analysis uses the same structured framework as its compliance assessments, so the findings are consistent, repeatable, and ready to present wherever they're needed. HarbourScan does not recommend specific vendors or cloud platforms; it provides the structured documentation organizations need to evaluate sovereignty risks and procurement options on their own terms.
We map your observable SaaS tools and app-to-app integrations through a structured intake process, building a complete inventory that forms the foundation for the assessment.
Identify where data is likely to travel across vendors and integration pathways, based on observable signals and structured intake inputs — documenting which vendors are subject to foreign legal jurisdiction and where contractual gaps exist.
Each vendor in your stack receives a sovereignty risk score reflecting vendor jurisdiction, parent-entity exposure, integration pathways, and documentation readiness. HarbourScan does not prescribe infrastructure choices — it provides the documented picture organizations need to navigate emerging sovereignty expectations on their own terms.
Audit-ready documentation for procurement, government clients, or your board — plus prioritized remediation guidance.
Each assessment produces a consistent set of outputs aligned to Canadian accountability requirements — built to support procurement responses, board briefings, and security questionnaires.
A documented assessment of your organization's SaaS environment, identifying jurisdictional exposure by vendor, parent entity, and integration pathway — with findings organized by risk classification and supported by regulatory references.
A structured table listing each assessed vendor, their jurisdiction of incorporation, ultimate parent entity, CLOUD Act applicability, and contractual documentation status — formatted for use in procurement due diligence and internal governance records.
A map of identified app-to-app data flows, documenting which integration pathways cross jurisdictional boundaries, what data categories are in scope, and where contractual or documentation gaps exist.
A prioritized checklist of documentation steps aligned to Canadian accountability requirements under PIPEDA and Law 25, including transfer impact assessments, data processing agreements, and governance policy updates — so organizations know exactly what to act on.
Example of the structured sovereignty documentation HarbourScan produces — vendor jurisdiction register, integration pathway analysis, and risk classification by tool.
View sample assessment output ↗HarbourScan produces a structured sovereignty assessment using observable data from your SaaS environment, vendor analysis, and a short structured intake process — typically completed within a week. The result is a documented picture of your jurisdictional exposure, organized by vendor, integration pathway, and risk classification, and ready to present in procurement reviews, security assessments, or board-level governance discussions.
HarbourScan is a documentation and decision-support tool — it does not recommend specific vendors or cloud platforms, but provides the structured evidence organizations need to evaluate their options with confidence. We are currently working with a limited number of Canadian organizations through our early-access pilot. If your organization is navigating sovereignty expectations in procurement, policy, or risk management, we'd welcome a conversation.
Free for qualifying Canadian organizations during the pilot period. No obligation. Findings remain confidential to your organization.
We are running a free pilot with a limited number of Canadian organizations. You receive a complete sovereignty assessment of your SaaS environment — at no cost. In return, you help us build the right product for the Canadian market.
Free for qualifying Canadian organizations. No credit card required.