The five things buyers verify
When a procurement team evaluates your sovereignty posture, they’re checking five things. If you have clear, documented answers to all five, you move through evaluation faster than any competitor who makes them dig.
Build your proof package
The vendors who close fastest aren’t the ones with the best product. They’re the ones with the best documentation. Here’s what to build, in priority order.
1. Trust page
Every SaaS company selling to enterprise or government buyers in Canada needs a dedicated trust or security page on their website. This is not your privacy policy — it’s a sales asset that documents your security and sovereignty posture for procurement teams.
Your trust page should include:
- Jurisdiction statement. “[Company name] is incorporated in [province], Canada. We have no US subsidiaries, employees, or operations. We are not subject to the US CLOUD Act.”
- Hosting details. Cloud provider, region, specific data centre location. Example: “Customer data is hosted on AWS ca-central-1 (Montreal). Backups are stored in AWS ca-west-1 (Calgary). No data leaves Canada.”
- Encryption standards. AES-256 at rest, TLS 1.2+ in transit, and the key management approach: who holds the keys (provider-managed or customer-managed), which KMS region they live in, and whether customers can bring their own key. A key that lives in a US region undermines a Canadian residency claim even when the ciphertext stays in Canada, because whoever controls the key controls the data.
- Security certifications. SOC 2 Type II, ISO 27001, or equivalent. Link to your audit report or letter of attestation.
- Subprocessor list. A table listing every third party that handles customer data, their jurisdiction, and their hosting location.
- Breach notification commitment. Response timeline and process, aligned with PIPEDA and Law 25 requirements.
- Sovereign Badge. Independent third-party verification of your sovereignty posture from Upper Harbour.
Make it linkable. Your trust page should have a clean URL (e.g., yourcompany.com/trust or yourcompany.com/security) that your sales team can include in proposals, RFP responses, and email signatures. Every time a buyer asks about your security posture, the answer should be a link.
2. Data Processing Agreement
Your DPA is the contractual foundation of your sovereignty story. It should explicitly commit to:
- Canadian data residency (if you offer it) with specific data types covered
- Purpose limitations on data processing
- Subprocessor disclosure and approval mechanisms
- Breach notification timelines, stated as a fixed number of hours. Law 25 requires notifying the Commission d’accès à l’information and affected individuals promptly once a confidentiality incident presents a risk of serious injury, and most enterprise buyers benchmark against the 72 hours GDPR sets, so a 72-hour or shorter commitment satisfies both.
- Data deletion and return procedures
- Audit rights for customers
Publish your DPA template on your website. Enterprise buyers will review it during evaluation — making it available upfront eliminates a back-and-forth cycle that can delay deals by weeks.
3. Security certifications
Certifications aren’t legally required under PIPEDA, but they’re increasingly expected in enterprise and government procurement. They signal that your security claims have been independently verified — which is exactly what procurement teams need.
- SOC 2 Type II — the most widely requested by enterprise buyers. The framework has five trust services criteria (security, availability, processing integrity, confidentiality, and privacy); only security is mandatory, so state which criteria your report actually covers. Type II means the controls were tested over a period (usually 6 to 12 months), not just at a point in time.
- ISO 27001 — internationally recognized information security management standard. Valued for cross-border credibility.
- CCCS IT Security Assessment — required for government SaaS under the SaaS Supply Arrangement. Covers Protected B Cloud Control Profiles.
- CSA STAR — Cloud Security Alliance’s public registry of cloud security controls. Useful for enterprise buyers who want to compare vendors on a consistent framework.
If you don’t have certifications yet, say so honestly and document what you’re working toward. A vendor with a clear SOC 2 timeline is more credible than one who avoids the topic.
4. TIA-ready fact sheet
Quebec organizations under Law 25 must complete a Transfer Impact Assessment for every vendor that processes personal information outside Quebec. Your customers need specific information from you to complete their TIA. Don’t wait for them to ask — prepare it proactively.
Create a one-page fact sheet that answers the standard TIA questions:
- Vendor jurisdiction of incorporation
- Where personal information is stored and processed
- Applicable legal framework for data access, including whether any entity in your chain is subject to the US CLOUD Act
- Encryption standards and key management
- Contractual safeguards in your DPA
- Whether you have Canadian data residency available
If you’re Canadian-incorporated with Canadian hosting, this document should be short and clean. Note the trigger, though: Law 25’s assessment applies to personal information sent outside Quebec, not only outside Canada. If storage and processing (backups included) stay in Quebec, the one-liner is “No transfer outside Quebec. No TIA required. Data stays in Quebec under Quebec and Canadian law.” If your backups sit in Calgary, as in the hosting example above, your customer still completes the assessment, but a Canadian-only chain under Canadian privacy law makes it brief and favourable, which is still a position your US-hosted competitors can’t match.
5. Independent verification
Self-attestation has limits. When you tell a procurement team you’re Canadian-owned and Canadian-hosted, they’ll verify it — which takes time. Independent third-party verification shortens this process.
An Upper Harbour Sovereign Badge independently confirms your Canadian jurisdiction, hosting location, and CLOUD Act status. It’s displayable on your website, includable in proposals, and referenceable in RFP responses. Procurement teams can cite it in their evaluation without conducting their own jurisdictional analysis.
For competitive positioning, a Competitor Sovereignty Report provides a side-by-side comparison of your sovereignty posture against up to three US competitors — formatted for RFP appendices and enterprise sales decks.
The proof hierarchy: Self-attestation (weakest) → Published documentation (trust page, DPA) → Security certifications (SOC 2, ISO 27001) → Independent third-party verification (Sovereign Badge) → Public registry listing (Sovereignty Index). Each layer adds credibility. The more layers you have, the faster deals close.
Common proof gaps
Even vendors who think they’re well-documented often miss these:
- Backup geography. Your primary data is in Canada, but where are your backups? If they replicate to a US region, you have cross-border exposure. Document backup locations explicitly.
- Subprocessor exposure. You’re Canadian, but your analytics tool is US-incorporated. Your support platform is US-hosted. Each subprocessor with foreign jurisdiction creates indirect exposure. Map and publish the full chain.
- Infrastructure layer. You host on AWS Canada — but AWS is a US company. For most buyers this is acceptable. For government and high-security buyers, it may not be. Be prepared to discuss the infrastructure layer question honestly.
- Employee access geography. Your servers are in Canada, but do any employees access data from outside Canada? Remote workers in the US could create jurisdictional questions. Document your access controls and employee locations.
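The backup-geography and key-location gaps above are the ones you can check mechanically rather than by asking. The script below is an added example, not code from the original page or from Upper Harbour: it parses AWS ARNs for snapshots, backup vaults and KMS keys and flags any whose region is not Canadian. The inventory it runs over is constructed sample data (fictional account number and resource names), and the allowed-region set is an assumption taken from the Montreal and Calgary regions named in the hosting example; adjust it to your own footprint. It also treats region-less ARNs (S3, IAM) as unknown rather than Canadian, because a blank region field is not evidence of residency.

```python
"""Audit AWS ARNs for backups, replicas and keys outside Canadian regions.

Added illustration, not part of the original page. All ARNs in
SAMPLE_ARNS are constructed sample data, not real accounts or resources.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: the two Canadian regions named in the page's hosting example.
CANADIAN_REGIONS = frozenset({"ca-central-1", "ca-west-1"})


@dataclass(frozen=True)
class Finding:
    arn: str
    region: Optional[str]  # None when the ARN carries no region (S3, IAM)
    status: str            # "ok", "cross-border" or "unknown"


def arn_region(arn: str) -> Optional[str]:
    """Return the region field of an ARN, or None if it is blank.

    ARN layout: arn:partition:service:region:account:resource
    S3 bucket and IAM ARNs leave the region field empty, so an empty
    field must never be read as "Canadian".
    """
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[3] or None


def audit_backup_regions(arns: Iterable[str],
                         allowed=CANADIAN_REGIONS) -> List[Finding]:
    """Classify every ARN as ok, cross-border or unknown."""
    findings = []
    for arn in arns:
        region = arn_region(arn)
        if region is None:
            status = "unknown"        # needs a manual check of bucket region
        elif region in allowed:
            status = "ok"
        else:
            status = "cross-border"   # replica or key outside Canada
        findings.append(Finding(arn, region, status))
    return findings


def exposures(findings: Iterable[Finding]) -> List[Finding]:
    """Everything a buyer would want explained: cross-border and unknown."""
    return [f for f in findings if f.status != "ok"]


# Constructed sample inventory: primary snapshot, in-country copy, a DR copy
# someone pointed at Virginia, a KMS key, a backup vault in Oregon, and an
# S3 bucket whose ARN carries no region.
SAMPLE_ARNS = [
    "arn:aws:rds:ca-central-1:123456789012:snapshot:prod-2024-05-01",
    "arn:aws:rds:ca-west-1:123456789012:snapshot:prod-2024-05-01-copy",
    "arn:aws:rds:us-east-1:123456789012:snapshot:prod-2024-05-01-dr",
    "arn:aws:kms:ca-central-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
    "arn:aws:s3:::prod-backups-bucket",
]

if __name__ == "__main__":
    for f in exposures(audit_backup_regions(SAMPLE_ARNS)):
        print(f"{f.status:12} {f.region or '-':14} {f.arn}")
```

Feed it the output of `aws rds describe-db-snapshots`, `aws backup list-backup-vaults` and `aws kms list-keys` across every region you have enabled, not only the Canadian ones; the cross-border copies are by definition in the regions you forgot to look at. Anything reported as unknown (S3) needs `aws s3api get-bucket-location` before it goes on the trust page.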
Put it all together
Here’s your sovereignty proof stack, in the order you should build it:
- Trust page — publish it this week. This is the highest-leverage, lowest-cost action.
- DPA template — publish it on your website. Eliminates weeks of legal back-and-forth.
- TIA fact sheet — one page. Send it proactively to every Quebec prospect.
- Subprocessor list — publish and commit to updating it.
- Sovereign Badge — independent verification that scales across every deal.
- Security certification — SOC 2 Type II is the priority. Budget 3–6 months.
- Competitor Report — for your top 3 competitive scenarios. Use in RFPs.
- Sovereignty Index listing — free. Makes you visible to every procurement team searching for Canadian options.
Frequently asked questions
What are the five things buyers verify?
Five things: jurisdiction of incorporation, data hosting location and provider, CLOUD Act status, encryption and key management, and subprocessor jurisdictions. Having all five documented and published moves you through procurement faster.
Do I need a trust page?
Yes. Enterprise and government buyers expect it. Document hosting locations, encryption, jurisdiction, CLOUD Act status, certifications, subprocessor list, and breach notification commitments. Make it linkable for proposals and RFP responses.
Which security certifications do buyers expect?
SOC 2 Type II is most widely requested by enterprise buyers. ISO 27001 adds international credibility. For government sales, the CCCS IT Security Assessment is required for Protected B workloads. If you don’t have certifications yet, document your timeline.
What is a Sovereign Badge?
An independent verification from Upper Harbour confirming your Canadian jurisdiction, hosting, and CLOUD Act status. Displayable on your website and proposals. Procurement teams can cite it without conducting their own jurisdictional analysis.
What are the most common proof gaps?
Backup geography (backups replicating to US regions), subprocessor exposure (US-incorporated analytics or support tools), infrastructure layer (hosting on US hyperscalers), and employee access geography (remote workers outside Canada).