The opportunity
In 2024–25, the Government of Canada awarded $66.9 billion in contracts for goods, services, and construction. $55.6 billion of that was awarded through Public Services and Procurement Canada (PSPC). The federal government’s Cloud First directive means SaaS is the preferred delivery model for new IT services. And the Buy Canadian Policy, implemented December 16, 2025, explicitly prioritizes Canadian suppliers and Canadian content.
For Canadian SaaS vendors, this is a structural shift. Being Canadian-incorporated with Canadian data hosting is no longer just a compliance checkbox — it’s a scoring advantage in procurement evaluations.
Step 1: Register on CanadaBuys
CanadaBuys is the Government of Canada’s official procurement platform. It replaced BuyandSell.gc.ca and is where all federal tender opportunities are posted. To bid on anything, you need to be registered.
Indigenous-owned businesses: If your company is fully or partially Indigenous-owned, you can join the Indigenous Business Directory for priority access to certain procurement streams.
Step 2: Understand the SaaS Supply Arrangement
The SaaS Supply Arrangement (SaaSSA) is the federal government’s dedicated procurement vehicle for SaaS products. It’s managed by PSPC and covers SaaS requirements up to Protected B classification — the most common security level for government applications handling sensitive personal or business information.
The SaaSSA uses a two-phase procurement process:
Phase 1: Pre-qualification
You respond to the ongoing Request for Supply Arrangement (RFSA) on CanadaBuys. PSPC evaluates your technical capabilities, financial standing, and security posture. If you meet all requirements, you’re issued a Supply Arrangement and added to the pool of pre-qualified SaaS suppliers.
Pre-qualification is ongoing — you can apply at any time, not just during specific windows.
Phase 2: Competitive bidding
When a federal department has a specific SaaS requirement, it solicits bids from the pre-qualified pool. Only SaaSSA holders can bid. A contract is awarded following the selection process defined in the SaaSSA procurement guidelines.
Key distinction: PSPC manages the SaaSSA for client-facing SaaS applications (CRM, HR, finance, case management). Shared Services Canada (SSC) manages procurement for infrastructure-related SaaS (cybersecurity, network management, workplace technology). Know which body governs your product category.
Step 3: Get your security clearances
This is where most vendors stall. Government SaaS procurement requires security clearances at multiple levels, and the process takes time. Start early.
For Protected B SaaS (the standard for most government applications handling sensitive data), you need:
- Designated Organization Screening — your company is assessed by PSPC’s Contract Security Program (CSP)
- Document Safeguarding Capabilities Screening — your ability to protect classified documents is evaluated
- Personnel Security Screenings — any staff with privileged access to government data must be individually cleared
- IT Security Assessment — the Canadian Centre for Cyber Security (CCCS) assesses your SaaS against GC Cloud Control Profiles, including Supply Chain Integrity (SCI) evaluation
If your company hasn’t previously held government security clearances, PSPC will sponsor you through the process. Contact the SaaSSA authority to initiate sponsorship.
Plan for time. The security assessment process can take months. The CCCS IT Security assessment alone involves three separate components: supply chain integrity, physical/personnel security, and cloud security controls. Don’t wait until you’ve found a specific opportunity to start — begin the clearance process in parallel with your RFSA submission.
Step 4: Meet the Protected B technical requirements
The GC Cloud Security Control Profile defines baseline security controls for SaaS handling Protected B information. The profile is based on ITSG-33 (the government’s IT security risk management framework) and aligns with international standards including FedRAMP, ISO 27001, and SOC 2.
Key requirements include:
- Multi-factor authentication (MFA) for all users handling Protected B data, with phishing-resistant methods (FIDO2, hardware tokens) preferred
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data residency in Canada — Protected B data must be stored and processed in Canadian data centres
- Role-based access control (RBAC) with least-privilege principles
- Audit logging and continuous monitoring
- Incident response procedures aligned with GC breach notification requirements
Step 5: Leverage the Buy Canadian advantage
The Buy Canadian Policy, implemented December 16, 2025, is the biggest structural shift in federal procurement in years. It explicitly prioritizes Canadian suppliers and Canadian content in strategic federal procurements.
For SaaS vendors, this means:
- Canadian-incorporated vendors receive priority in procurement scoring
- Canadian data residency is increasingly weighted in evaluation criteria
- CLOUD Act immunity — Canadian vendors eliminate the jurisdictional risk that US-incorporated competitors carry, simplifying the buyer’s security assessment
- The Small and Medium Business Procurement Program, launching by spring 2026, will create additional procurement opportunities specifically for Canadian SMBs
The sovereignty advantage
Here’s the practical reality: a Canadian SaaS vendor with Canadian data hosting has a structurally simpler compliance story than a US-incorporated competitor.
A US vendor selling to the Government of Canada must navigate the CLOUD Act exposure question in every procurement. Government buyers must document how they’re mitigating the risk that US authorities could compel data access. This adds complexity, risk, and cost to the procurement evaluation.
A Canadian vendor eliminates that question entirely. No CLOUD Act exposure. No Transfer Impact Assessment. No jurisdictional risk mitigation required. The compliance documentation is shorter, cleaner, and more defensible.
This isn’t just a theoretical advantage. Upper Harbour’s research on government SaaS stacks found that the majority of tools used by federal and provincial governments are US-owned and CLOUD Act exposed. The government’s own 2025 Digital Sovereignty Framework identifies this as a strategic risk. Canadian vendors who can document their sovereignty posture are positioning themselves on the right side of that policy direction.
Provincial procurement
Federal procurement is the largest market, but provincial and territorial governments have their own procurement platforms and processes. Key ones include:
- Ontario — Vendor of Record (VOR) arrangements, Ontario Education Collaborative Marketplace (OECM)
- Quebec — Centre d’acquisitions gouvernementales (CAG), with additional Law 25 compliance requirements for any tool handling personal information
- British Columbia — BC Bid, with FIPPA requirements that restrict certain data from being stored or accessed outside Canada
- Alberta — Alberta Purchasing Connection (APC), with PIPA/POPA requirements for privacy impact assessments
Each province has its own data residency expectations and privacy legislation. Canadian SaaS vendors who already meet federal requirements will find provincial procurement significantly easier to navigate.
Practical checklist
- Register on CanadaBuys with an SAP Business Network account
- Ensure you have a CRA business number
- Download and review the SaaSSA RFSA (ongoing qualification)
- Initiate security clearance through PSPC’s Contract Security Program
- Prepare for CCCS IT Security Assessment (Protected B Cloud Control Profile)
- Document your Canadian jurisdiction, data residency, and hosting architecture
- Prepare sovereignty documentation for RFP responses (Sovereign Badge, Competitor Report)
- Set up CanadaBuys tender notifications for your product category
- Research provincial procurement platforms for additional opportunities
- Budget for long sales cycles — government procurement moves slowly but contracts are large and stable