Parent Company
Atlassian Corporation (Delaware, US)
CLOUD Act Status
✗ Exposed
Canadian Data Residency
⚠ Available
Encryption
⚠ CMK Available (add-on)
TIA / PIA Required
Yes — Law 25 & POPA
Self-Hosted Option
Data Center available

Is Confluence CLOUD Act exposed for Canadian organizations?

Yes — but Confluence offers the same meaningful mitigations as Jira. Atlassian Corporation is incorporated in Delaware (since October 2022, when it redomiciled from the UK) and is fully subject to the CLOUD Act. However, Confluence offers Canadian data residency on all paid Cloud plans and Customer-managed keys (CMK) as a paid add-on — real sovereignty controls that most US-parented tools don't provide.

What makes Confluence's sovereignty story distinct from Jira is the type of data it stores. Confluence is a wiki and knowledge management platform. Organizations use it for internal documentation, HR policies, onboarding procedures, architecture diagrams, runbooks, meeting notes, strategic plans, and institutional knowledge. This is often more sensitive than project task data — it's the organization's internal playbook, containing policies, procedures, and strategic thinking that would be valuable to competitors or problematic if accessed by foreign governments.

For the Atlassian redomiciliation story, encryption details, and Marketplace app data residency gap, see our Jira sovereignty analysis — the corporate and infrastructure analysis is identical. This page focuses on what's unique to Confluence: the data sensitivity and wiki-specific sovereignty considerations.

Regulatory Analysis

CLOUD Act exposure — same as Jira

Atlassian Corporation is incorporated in Delaware and fully within CLOUD Act scope. Canadian data residency controls where Confluence pages sit at rest — not which government can compel Atlassian to produce them. For the full corporate jurisdiction analysis, see Jira → Regulatory Analysis.

🍁
Your Internal Docs
Policies, procedures, runbooks
under PIPEDA / Law 25
🏢
Atlassian Corporation
Delaware, USA (since 2022)
CDN residency available
⚖️
US Legal Process
CLOUD Act · Subpoena
Access despite CDN residency

Wiki data sensitivity — why Confluence matters

Confluence wikis often contain the most sensitive internal documentation an organization produces: HR policies and employee handbooks (with personal information), IT security runbooks (with infrastructure details), strategic plans and board materials, client-facing process documentation, architecture and system design documentation, incident response procedures, and onboarding guides with employee details. Unlike project management tools where data can be minimized (use IDs instead of names), wiki content is inherently detailed and comprehensive — that's the point.

Canadian data residency — available on all paid plans

Confluence Cloud supports data residency across 11 regions including Canada (Central) on Standard, Premium, and Enterprise plans at no additional cost. In-scope data — pages, spaces, comments, attachments — can be pinned to Canadian servers. This is the same data residency framework as Jira, including the same limitations: user account data is managed globally, some Analytics features have regional restrictions, and Marketplace apps may not follow the residency setting.

Quebec Law 25

Quebec organizations using Confluence must complete a Transfer Impact Assessment. The TIA should document: Atlassian's US incorporation and CLOUD Act status, the availability and configuration of Canadian data residency as a partial mitigation, and the sensitivity of documentation stored in Confluence. Upper Harbour provides compliance-ready TIA documentation starting at $99.

Alberta POPA

Alberta public bodies using Confluence must complete a PIA. Government wikis may contain particularly sensitive content — policy drafts, internal procedures, citizen-facing documentation. The availability of Canadian data residency is a meaningful mitigation to document. The PIA Research Tool generates these answers automatically.

Confluence Data Center — self-hosted option

Unlike Trello (cloud-only), Confluence offers a Data Center deployment option for self-hosting on your own infrastructure. This provides full data sovereignty — your wiki data stays on servers you control, in Canada. The trade-off: you manage your own servers, security, updates, and backups. Data Center is priced as an annual license starting at approximately $28,000/year for 500 users.

Confluence is one of 753 tools in the Upper Harbour Sovereignty Index. If you use Confluence, you likely also use Jira and possibly Trello. Make sure your data residency settings are consistent across all Atlassian products — Trello is the gap.

Map your entire SaaS stack to parent jurisdictions and CLOUD Act exposure in 10 minutes.
Map Your Stack →

Alternatives & Comparison

For organizations evaluating wiki and knowledge management tools through a sovereignty lens:

ToolOwnershipCLOUD ActCDN ResidencyCustomer Keys
ConfluenceUS (Atlassian)ExposedAvailable (11 regions)CMK add-on
NotionUSExposedNoNo
SharePointUS (Microsoft)ExposedAvailableCustomer Key
Google Sites/DocsUS (Alphabet)ExposedAvailableCMEK
BookStack (self-hosted)Your orgNot exposedFull controlFull control

Based on Upper Harbour Sovereignty Index data. March 2026.

Key finding: All major cloud wiki platforms are US-incorporated. Confluence offers the strongest sovereignty controls in this category (Canadian data residency + CMK + Data Center self-hosting option). Notion has the weakest posture (no residency, no CMEK). For maximum sovereignty, self-hosted open-source wikis (BookStack, Wiki.js) on Canadian infrastructure provide full control.

💬 Questions about Confluence and Canadian compliance?

We help organizations assess jurisdictional risk across their SaaS stack. Book a call or send us a message.

Book a Call → Email Us →

Technical Architecture

Data residency — same as Jira

Confluence Cloud data residency is identical to Jira's: 11 regions including Canada (Central), available on Standard, Premium, and Enterprise plans at no additional cost. In-scope data (pages, spaces, comments, attachments) can be pinned to the Canada (Central) AWS region. Same limitations apply: user account data is global, Analytics have regional restrictions, Marketplace apps must be individually assessed. See Jira → Technical Architecture for full details.

Encryption — CMK available

CMK (Customer-managed keys) is available for Confluence as a paid add-on, same as Jira. Keys hosted in your AWS KMS account. BYOK also supported with Canadian data residency — keys and data can both reside in Canada. See Jira → Encryption architecture for details.

What Confluence stores

Confluence wikis typically contain: internal policies and procedures, HR documentation (employee handbooks, benefits guides), IT runbooks and architecture documentation, meeting notes and decision records, strategic plans and OKRs, project documentation and post-mortems, onboarding guides with employee-specific information, and client-facing process documentation. This content is often more detailed and sensitive than what's stored in Jira or Trello — wikis are designed for comprehensive documentation.

Confluence AI and Atlassian Intelligence

Confluence includes AI-powered features through Atlassian Intelligence: smart summaries, AI-generated content, search-powered answers. These features process your wiki content through AI models. For sovereignty purposes, verify how AI processing interacts with your data residency settings — the same considerations apply as with Jira's AI features.

Data Center — self-hosted option

Confluence Data Center allows full self-hosting on your own infrastructure, including Canadian data centres. This provides complete data sovereignty at the cost of managing your own servers. Data Center remains supported and receives updates, though Atlassian has stated that Cloud is the primary focus for new features.

Mitigation Options

Confluence offers the same strong sovereignty controls as Jira — the best in its category:

  • Enable Canadian data residency (critical): Pin in-scope data to the Canada (Central) region. Available on all paid plans at no additional cost. This is the most important step.
  • Enable CMK or BYOK encryption (recommended): Host encryption keys in your own AWS KMS account with Canada selected. Provides cryptographic isolation and revocation capability.
  • Audit Marketplace apps: Each Confluence app must be individually assessed for data residency compliance. Prefer Forge-built apps over Connect apps.
  • Review content sensitivity: Confluence wikis accumulate sensitive documentation over time. Periodically review what's stored — some content may warrant additional protections or should be moved to a more sovereign platform.
  • Consider Data Center for most sensitive content: If your wiki contains highly classified or regulated information, Confluence Data Center on Canadian infrastructure provides full sovereignty control.
  • Align with Jira settings: Ensure your Confluence data residency matches your Jira settings. If Jira is pinned to Canada, Confluence should be too — they share the same admin console.

Bottom line: Confluence with Canadian data residency + CMK encryption is the strongest sovereignty posture available from any major cloud wiki platform. It is not equivalent to self-hosting — the CLOUD Act exposure remains — but it represents a defensible, documented position. For the most sensitive documentation, consider Confluence Data Center on Canadian infrastructure.

Frequently Asked Questions

Does Confluence offer Canadian data residency?

Yes. Confluence Cloud supports data residency in Canada (Central) and 10 other regions on Standard, Premium, and Enterprise plans at no additional cost. Pages, spaces, comments, and attachments can be pinned to Canadian servers.

Is Confluence subject to the US CLOUD Act?

Yes. Atlassian Corporation is incorporated in Delaware. Canadian data residency controls where data sits at rest but does not prevent a US legal order from compelling Atlassian to produce it. The CLOUD Act applies based on corporate jurisdiction, not data location.

How does Confluence compare to Trello for sovereignty?

Confluence is significantly better. It offers Canadian data residency on all paid plans, CMK encryption, and a self-hosted Data Center option. Trello (same parent company) has no data residency at all — all data is US-only with no residency controls.

What sensitive data does Confluence typically store?

Confluence wikis often contain internal policies, HR procedures, IT runbooks, architecture documentation, meeting notes, strategic plans, and onboarding guides — some of the most sensitive internal documentation an organization produces. This is often more sensitive than project task data in Jira or Trello.

Do I need a TIA for Confluence under Law 25?

Yes. Even with Canadian data residency enabled, Atlassian remains US-incorporated and CLOUD Act exposed. A TIA is required, but should document Canadian residency and CMK encryption as meaningful partial mitigations.

Methodology: This assessment is based on Confluence's corporate filings (via Atlassian SEC filings), vendor documentation, published DPA terms, and the Upper Harbour classification methodology. Data verified March 2026. Updated quarterly. Part of the Canadian Technology Sovereignty Index.