Parent Company: Amazon.com Inc. (Delaware, US)
CLOUD Act Status: ✗ Exposed (structurally)
Canadian Regions: ✓ ca-central-1 + ca-west-1
Encryption: ✓ Customer-Managed Keys
TIA / PIA Required: ⚠ Depends on config
Service Type: IaaS — you control the data

Is AWS CLOUD Act exposed for Canadian organizations?

Structurally, yes. Amazon.com Inc. is incorporated in Delaware (NASDAQ: AMZN) and headquartered in Seattle. AWS, as a subsidiary, is subject to the CLOUD Act. But AWS's sovereignty profile is fundamentally different from SaaS tools — and treating it the same way is a compliance mistake in the other direction.

Most tools in the Sovereignty Index are SaaS applications where the vendor controls the data. AWS is Infrastructure-as-a-Service (IaaS) — you deploy your own applications, manage your own data, and control your own encryption. AWS provides the compute, storage, and networking; you determine what runs on it. This means AWS's sovereignty profile is partially under your control in ways that SaaS tools are not.

A critical transparency fact: AWS has disclosed zero enterprise or government content data stored outside the US to the US government since it began tracking this statistic in 2020. AWS attributes this to robust legal protections, DOJ guidance directing prosecutors to seek data from enterprises rather than providers, and the technical controls AWS offers to customers (particularly customer-managed encryption).

Regulatory Analysis

Two Canadian regions

AWS operates two Canadian regions: ca-central-1 (Montréal) and ca-west-1 (Calgary). Together, these provide geographic redundancy entirely within Canadian borders — your data can fail over between Canadian regions without ever leaving the country. When you deploy resources in ca-central-1, the physical servers, storage, and networking are in Canada. AWS does not move your data out of the region unless you configure cross-region replication or use a global service.

[Diagram: Your Applications (ca-central-1, Montréal; ca-west-1, Calgary). Amazon.com Inc. (Delaware, USA), "BUT: you control encryption". Customer-Managed Keys (FIPS 140-3 Level 3 HSMs), "AWS can't read your data".]

The shared responsibility model and CLOUD Act

For SaaS tools, the vendor can directly read your data — it's their application. For AWS, the data on your servers is typically encrypted and managed by your application. If you use AWS KMS with customer-managed keys, or bring your own encryption, AWS's ability to produce intelligible data in response to a legal order is significantly limited. AWS can only respond to legal requests where it has the technical ability to do so.

This doesn't eliminate the CLOUD Act exposure — AWS can still be compelled to produce whatever it can access (infrastructure metadata, billing data, access logs). But the practical exposure depends heavily on your encryption and key management architecture. An organization using customer-managed encryption on AWS has a materially different risk profile than one using default settings — or than one using a SaaS tool where the vendor holds all the keys.

Customer-managed encryption — FIPS 140-3

AWS KMS keys are protected by FIPS 140-3 Security Level 3 validated hardware security modules. Keys never leave KMS unencrypted. With customer-managed keys (CMK), you control the key lifecycle — creation, rotation, and deletion. You can also import your own key material or use AWS CloudHSM for dedicated, single-tenant hardware security modules. This is the strongest encryption posture available from any major cloud provider.

Services that behave differently

Not all AWS services operate within a single region. Some are global by design: Route 53 (DNS), CloudFront (CDN), IAM (identity management), AWS Organizations, and certain aspects of billing. Data processed by these global services may transit infrastructure outside ca-central-1. Additionally, AWS AI services — SageMaker, Bedrock, Comprehend — may process data on infrastructure not co-located with your primary region. Map which services you use and which are regional vs global.

The SaaS stack that runs on AWS

Many Canadian SaaS companies host on AWS ca-central-1. When a vendor says "data is stored in Canada," they often mean it's on AWS Montréal. This is legitimate Canadian data residency — but the CLOUD Act exposure exists through AWS as the underlying infrastructure provider. This creates a layered jurisdiction question that organizations should document in their TIAs. Tools like Hootsuite, FreshBooks, and Clio all run on public cloud infrastructure.

Quebec Law 25

The TIA for AWS should document: specific region configuration (ca-central-1 and/or ca-west-1), encryption architecture and key management approach, which services are in use and whether any are global, whether AI services process Canadian data, and the shared responsibility model's implications. AWS provides extensive compliance documentation via AWS Artifact. Upper Harbour provides compliance-ready TIA documentation starting at $99.

Alberta POPA & BC FIPPA

Public bodies using AWS must complete PIAs. Document Canadian region deployment and customer-managed encryption as strong mitigations. The dual Canadian regions (Montréal + Calgary) provide in-country DR — a significant advantage over single-region providers. The PIA Research Tool generates these answers automatically.

EU Sovereign Cloud — precedent for Canada?

AWS launched the European Sovereign Cloud on January 15, 2026 — a physically and logically separate infrastructure with a German legal entity, EU-citizen staff, and independent governance. No Canadian equivalent has been announced, but the EU model demonstrates AWS's willingness to create jurisdictionally isolated environments. Canadian organizations should monitor for similar offerings.

AWS is one of 753 tools in the Upper Harbour Sovereignty Index. Your infrastructure is one layer — the SaaS tools running on top (Slack, Salesforce, Zoom) may have weaker sovereignty controls. Map the full stack.


Alternatives & Comparison

| Provider | Ownership | CLOUD Act | Canadian Regions | Customer Keys |
| --- | --- | --- | --- | --- |
| AWS | US (Amazon) | Exposed | Montréal + Calgary | KMS (FIPS 140-3) |
| Microsoft Azure | US (Microsoft) | Exposed | CDN Central + East | Key Vault |
| Google Cloud | US (Alphabet) | Exposed | Montréal | Cloud KMS / CMEK |
| TELUS Cloud | Canada | Not exposed | Rimouski + Kamloops | Varies |
| OVHcloud | France | Indirect | Beauharnois QC | Available |

Based on Upper Harbour Sovereignty Index data. March 2026.

Key finding: All three major hyperscalers (AWS, Azure, GCP) are US-incorporated and CLOUD Act exposed. Among them, AWS offers the strongest Canadian coverage with two regions (Montréal + Calgary) providing in-country DR. For full sovereignty, TELUS Cloud (Canadian-owned, sovereign data centres) and OVHcloud (French-owned, Beauharnois QC) are not directly CLOUD Act exposed.


Technical Architecture

Canadian regions

ca-central-1 (Montréal) — the original Canadian region, full service portfolio. ca-west-1 (Calgary) — second Canadian region providing geographic redundancy within Canadian borders. Together, organizations can architect DR and high-availability entirely within Canada.

Encryption options

AWS KMS: customer-managed keys with FIPS 140-3 Level 3 HSMs. Keys never leave KMS unencrypted. AWS CloudHSM: dedicated single-tenant HSMs for the highest key management requirements. Server-side encryption (SSE) available with AWS-managed keys (SSE-S3), KMS keys (SSE-KMS), or customer-provided keys (SSE-C). Client-side encryption options available for maximum control.
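
The TIA items listed under Quebec Law 25 (region, key management, global services) and the SSE options above can be checked mechanically. The following is an added example, not code from this page or from AWS: it classifies a constructed inventory by residency and key custody. The SSE values and the KeyManager/Origin fields follow the S3 SSEAlgorithm and KMS DescribeKey KeyMetadata formats; the inventory shape, the replicates_to field, the SSE-C label and the resource names are assumptions.

```python
CANADIAN_REGIONS = {"ca-central-1", "ca-west-1"}
GLOBAL_SERVICES = {"route53", "cloudfront", "iam", "organizations"}  # global by design

def key_custody(sse, key_meta=None):
    """Who controls the key, from the SSE algorithm and KMS DescribeKey KeyMetadata."""
    if sse is None:
        return "not recorded"
    if sse == "AES256":                  # SSE-S3
        return "aws-managed"
    if sse == "SSE-C":                   # constructed label: SSE-C keys are sent per request
        return "customer-provided"
    if not key_meta or key_meta.get("KeyManager") != "CUSTOMER":
        return "aws-managed"             # SSE-KMS with an AWS managed key
    detail = {"EXTERNAL": ", imported key material", "AWS_CLOUDHSM": ", CloudHSM key store"}
    return "customer-managed" + detail.get(key_meta.get("Origin"), "")

def assess(res):
    """Build one TIA evidence row plus the findings a reviewer has to explain."""
    findings = []
    is_global = res["service"] in GLOBAL_SERVICES
    if is_global:
        residency = "global"
        findings.append("global service: may transit non-Canadian infrastructure")
    elif res["region"] in CANADIAN_REGIONS:
        residency = "canada"
    else:
        residency = "outside-canada"
        findings.append(f"deployed in {res['region']}")
    findings += [f"cross-region replication to {d}"
                 for d in res.get("replicates_to", []) if d not in CANADIAN_REGIONS]
    custody = key_custody(res.get("sse"), res.get("key_meta"))
    if not is_global and not custody.startswith("customer"):
        findings.append(f"key custody is {custody}")
    return {"name": res["name"], "residency": residency, "custody": custody, "findings": findings}

# Constructed sample inventory (hypothetical resource names, not real data).
INVENTORY = [
    {"service": "s3", "name": "claims-prod", "region": "ca-central-1", "sse": "aws:kms",
     "key_meta": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}, "replicates_to": ["ca-west-1"]},
    {"service": "s3", "name": "claims-logs", "region": "ca-central-1", "sse": "AES256",
     "replicates_to": ["us-east-1"]},
    {"service": "s3", "name": "legacy-exports", "region": "us-west-2", "sse": "aws:kms",
     "key_meta": {"KeyManager": "AWS", "Origin": "AWS_KMS"}},
    {"service": "route53", "name": "example.ca zone", "region": None},
]
def tia_rows(inventory=INVENTORY):
    return [assess(r) for r in inventory]
if __name__ == "__main__":
    print(*tia_rows(), sep="\n")
```

Rows with an empty findings list are the ones that match the posture the assessment describes: a Canadian region, Canadian-only replication, and a customer-controlled key.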

Compliance certifications

SOC 1/2/3, ISO 27001/27017/27018, PCI DSS Level 1, FedRAMP (US), IRAP (Australia), C5 (Germany). AWS Artifact provides on-demand access to compliance reports. Canadian-specific: PBMM (Protected B, Medium Integrity, Medium Availability) certification for Canadian government workloads.

Transparency record

AWS publishes transparency reports. As of June 2025, AWS reports zero disclosures to the US government of enterprise or government content data stored outside the US since tracking began in 2020. DOJ Computer Crime and Intellectual Property Section guidance (2017) advises prosecutors to seek data from enterprises rather than cloud providers absent special circumstances.

Frequently Asked Questions

Is AWS subject to the US CLOUD Act?

Yes, structurally. Amazon.com is Delaware-incorporated. But AWS is IaaS, not SaaS — you control the data and encryption. With customer-managed keys, AWS cannot produce intelligible data even under a legal order. Zero enterprise/government content disclosures outside the US since 2020.

How many Canadian regions does AWS have?

Two: ca-central-1 (Montréal) and ca-west-1 (Calgary). This provides in-country geographic redundancy — your data can fail over between Canadian regions without leaving the country.

How is AWS different from SaaS tools for sovereignty?

AWS is Infrastructure-as-a-Service. You control the data, the encryption, and the key management. SaaS vendors hold the keys and can read your data. This shared responsibility model means your AWS sovereignty posture depends largely on your own architecture choices.

What about global AWS services?

Some services are global by design: Route 53, CloudFront, IAM, AWS Organizations. Data processed by these services may transit non-Canadian infrastructure. Map which services you use and document which are regional vs global in your TIA.

Do I need a TIA for AWS under Law 25?

Yes, if processing Quebec residents' personal information. However, the TIA should reflect the IaaS reality — document Canadian region deployment, customer-managed encryption, and the shared responsibility model. This is a materially different assessment than for a SaaS tool.

Methodology: This assessment is based on Amazon.com's SEC filings, AWS's published CLOUD Act documentation, transparency reports, Canadian region documentation, and the Upper Harbour classification methodology. Data verified March 2026. Updated quarterly. Part of the Canadian Technology Sovereignty Index.