Is Notion subject to the CLOUD Act?

Yes. Delaware-incorporated. All data in US. No residency or customer encryption.

Does Notion AI create additional risk?

Yes. Content is sent to third-party AI providers, creating layered US jurisdiction exposure.

Is Notion Safe for Canadian Data? Sovereignty Analysis

Q: Does Notion offer Canadian data residency?

No. All data stored in the US. No region selection on any plan.

Parent Company

Notion Labs Inc. (Delaware, US)

CLOUD Act Status

✗ Exposed

Canadian Data Residency

✗ Not Available

Encryption

✗ Vendor-Managed Only

TIA / PIA Required

Yes — Law 25 & POPA

Notion AI

3rd-party AI processing

Is Notion CLOUD Act exposed for Canadian organizations?

Yes. Notion Labs Inc. is incorporated in Delaware and headquartered in San Francisco. All data is stored in the United States with no data residency options, no region selection capability, and no customer-managed encryption. Notion can access all workspace content — and can be compelled to produce it under US legal process.

This places Notion alongside Slack and Dropbox in the category of full US jurisdictional exposure with no technical mitigation options beyond restricting what data enters the tool.

Regulatory Analysis

▾

CLOUD Act exposure

Notion Labs is Delaware-incorporated and fully within CLOUD Act scope. All workspace content — documents, databases, wikis, project boards — is accessible under valid US legal process.

Notion AI — layered jurisdiction

Notion AI provides writing assistance, summarization, and search across workspace content. When Notion AI processes a page, it sends content to AI models (including providers like OpenAI and Anthropic) for processing. This creates a layered jurisdictional question: data stored by Notion (US) is processed by AI providers (also US) on infrastructure operated by yet another US cloud provider. Each layer is CLOUD Act exposed. Notion AI can be disabled at the workspace level.

Guest access amplifies exposure

Notion allows external guests to access specific pages and databases. When a Canadian organization shares Notion pages with clients, partners, or contractors, the shared content — along with the guest's email address and access logs — flows through US infrastructure. Under Law 25, guest access involving Quebec residents' personal information constitutes a cross-border transfer.

Quebec Law 25

Quebec organizations must complete a TIA. Document: US incorporation, CLOUD Act status, US-only storage, no customer encryption, and whether Notion AI is enabled. Upper Harbour provides compliance-ready TIA documentation starting at $99.

Cumulative intelligence value

Organizations that rely heavily on Notion for internal documentation should consider the cumulative intelligence value of their workspace. A single Notion page may be low-sensitivity, but a complete Notion workspace — policies, strategy docs, meeting notes, project boards, client databases — represents a comprehensive picture of how your organization operates. The sovereignty assessment should account for this aggregate risk.

Notion is one of 753 tools in the Upper Harbour Sovereignty Index. Map your full stack.

Map your entire SaaS stack to parent jurisdictions and CLOUD Act exposure in 10 minutes.

Map Your Stack →

Alternatives & Comparison

▾

Tool	Ownership	CLOUD Act	CDN Residency	Customer Keys
Notion	US (Delaware)	Exposed	No	No
Confluence	US (Atlassian)	Exposed	Available (11 regions)	CMK add-on
Coda	US	Exposed	No	No
BookStack (self-hosted)	Your org	Not exposed	Full control	Full control

Based on Upper Harbour Sovereignty Index data. March 2026.

Key finding: Notion has the weakest sovereignty posture of any major productivity/wiki platform. Confluence offers Canadian data residency and CMK encryption — a materially better option for sovereignty-conscious organizations. For maximum control, self-hosted wikis (BookStack, Wiki.js) on Canadian infrastructure provide full sovereignty.

💬Questions about Notion and Canadian compliance?

We help organizations assess jurisdictional risk across their SaaS stack. Book a call or send us a message.

Book a Call → Email Us →

Frequently Asked Questions

▾

Is Notion subject to the US CLOUD Act?

Yes. Notion Labs Inc. is Delaware-incorporated. All workspace content is subject to US legal process. No data residency or customer encryption options are available.

Does Notion offer Canadian data residency?

No. All Notion data is stored in the United States. No region selection or data residency capability exists on any plan tier.

Does Notion AI create additional sovereignty risk?

Yes. Notion AI sends workspace content to third-party AI providers (OpenAI, Anthropic) for processing — creating a layered jurisdictional exposure. Each layer is US-based and CLOUD Act exposed. Notion AI can be disabled at the workspace level.

How does Notion compare to Confluence for sovereignty?

Confluence is significantly better — it offers Canadian data residency on all paid plans and CMK encryption as an add-on. Notion offers neither. Both are US-incorporated.

Do I need a TIA for Notion under Law 25?

Yes. US-incorporated, US-only storage, no customer encryption. A TIA is required for any Quebec organization using Notion with personal information.

Methodology: This assessment is based on Notion Labs' corporate records, vendor documentation, and the Upper Harbour classification methodology. Data verified March 2026. Updated quarterly. Part of the Canadian Technology Sovereignty Index.

Notion Canadian Data Sovereignty Analysis