AWS is not like other SaaS tools
Most tools in the Sovereignty Index are SaaS applications where the vendor controls the data. AWS is Infrastructure as a Service (IaaS) — you deploy your own applications, manage your own data, and control your own encryption. AWS provides the compute, storage, and networking; you determine what runs on it.
This means AWS's sovereignty profile is partially under your control. You choose the region (ca-central-1 for Canada). You choose whether to encrypt data and who holds the keys. You choose which services to use and how data flows between them. This is fundamentally different from a SaaS tool where the vendor makes these decisions for you.
ca-central-1: what Canadian region actually means
AWS operates the Canada (Central) region, also known as ca-central-1, located in Montréal. This region provides the full range of core AWS services with data at rest within Canada. A second Canadian region, ca-west-1 (Calgary), has also been launched, providing geographic redundancy within Canadian borders.
When you deploy resources in ca-central-1, the physical servers, storage, and networking infrastructure are in Canada. AWS does not move your data out of the region unless you configure cross-region replication or use a global service that requires it. This gives organizations meaningful control over data residency.
The CLOUD Act and infrastructure
Amazon.com Inc. is a US company, and AWS is subject to the CLOUD Act. A US legal order could compel AWS to provide access to data stored in ca-central-1. However, the practical implications differ from SaaS because of the shared responsibility model.
For SaaS tools, the vendor can directly read your data — it's their application. For AWS, the data on your servers is typically encrypted and managed by your application. If you use AWS KMS with customer-managed keys, or bring your own encryption, AWS's ability to produce intelligible data in response to a legal order is significantly limited.
This doesn't eliminate the CLOUD Act exposure — AWS can still be compelled to produce whatever it can access. But the practical exposure depends heavily on your encryption and key management architecture. An organization using customer-managed encryption on AWS has a materially different risk profile than one using default settings.
Services that behave differently
Not all AWS services operate within a single region. Some services are global by design: Route 53 (DNS), CloudFront (CDN), IAM (identity management), and certain aspects of AWS Organizations. Data processed by these global services may transit infrastructure outside ca-central-1.
Additionally, AWS AI services — SageMaker, Bedrock, Comprehend — may process data on infrastructure that is not co-located with your primary region. Organizations using AWS AI services for Canadian data should verify where model inference occurs and whether it constitutes a cross-border transfer.
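The region, replication, key-ownership and global-service points above can be checked mechanically against a resource inventory. This is an added example, not AWS code and not part of the original page; the inventory is constructed, the record field names are this example's own assumption, and `key_manager` mirrors the `KeyManager` value ("CUSTOMER" or "AWS") that KMS reports for a key.

```python
CANADIAN_REGIONS = {"ca-central-1", "ca-west-1"}
# Global-by-design services named in the text above.
GLOBAL_SERVICES = {"route53", "cloudfront", "iam", "organizations"}


def review(resource):
    """Return a list of findings for one inventory record (empty = none)."""
    service = resource["service"]
    if service in GLOBAL_SERVICES:
        # No single home region: record it for the assessment instead of
        # applying region checks that cannot pass.
        return [f"{service} is a global service; document it separately"]
    findings = []
    region = resource.get("region")
    if region not in CANADIAN_REGIONS:
        findings.append(f"deployed in {region}, outside Canada")
    # Replication destinations hold copies of the data outside the home region.
    for dest in resource.get("replicates_to", []):
        if dest not in CANADIAN_REGIONS:
            findings.append(f"replicates to {dest}, outside Canada")
    # None means no KMS key is attached to the resource at all.
    manager = resource.get("key_manager")
    if manager is None:
        findings.append("no KMS key configured")
    elif manager != "CUSTOMER":
        findings.append("encrypted with an AWS managed key, not a customer-managed key")
    return findings


def audit(inventory):
    """Map resource name -> findings, keeping only resources with findings."""
    report = {}
    for res in inventory:
        found = review(res)
        if found:
            report[res["name"]] = found
    return report


# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "records-db", "service": "rds", "region": "ca-central-1",
     "key_manager": "CUSTOMER", "replicates_to": ["ca-west-1"]},
    {"name": "uploads", "service": "s3", "region": "ca-central-1",
     "key_manager": "AWS", "replicates_to": ["us-east-1"]},
    {"name": "logs", "service": "s3", "region": "us-west-2", "key_manager": None},
    {"name": "public-dns", "service": "route53"},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, "->", "; ".join(found))
```

The findings map directly onto the items an assessment needs to record: region, replication targets, key ownership, and any global services in use.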
The Canadian SaaS stack that runs on AWS
Many Canadian SaaS companies host their infrastructure on AWS ca-central-1. When a vendor tells you "data is stored in Canada," they often mean it's on AWS Montréal. This is legitimate Canadian data residency — but the CLOUD Act exposure still exists through AWS as the underlying infrastructure provider.
This creates a layered jurisdiction question: your data is held by a Canadian SaaS vendor, which is hosted on US-owned infrastructure, which is subject to US law. The practical risk is lower than direct US SaaS exposure — a CLOUD Act order would need to be directed at AWS specifically and navigate the encryption layers — but it is not zero. Organizations should document this layered exposure in their assessments.
Compliance requirements
The transfer impact assessment (TIA) for AWS should document: the specific region configuration (ca-central-1), the encryption architecture and key management approach, which AWS services are in use and whether any are global, whether AI services process Canadian data, and the shared responsibility model's implications for data access. AWS provides extensive compliance documentation, including SOC reports and the AWS Artifact compliance portal, which can support your assessment.
AWS is operated by Amazon.com Inc. (US-incorporated) and is subject to the CLOUD Act. BC public bodies hosting applications or data on AWS must complete a FIPPA privacy impact assessment for any sensitive personal information. The AWS Canada (Montreal) region provides data residency, but CLOUD Act exposure remains through the US parent entity.