Insights · Data sovereignty

Data residency vs. data sovereignty

“Residency” and “sovereignty” get used interchangeably, but the difference decides whether a US law can reach your data — even when it’s hosted in Canada.

The quick version

Residency is where your data sits; sovereignty is whose laws can reach it. A US-controlled provider hosting in Canada still answers to US law — the CLOUD Act in particular.

  • The CLOUD Act targets who controls the data, not where the servers sit.
  • Canadian regions (Azure Canada, AWS ca-central-1) settle residency, not sovereignty.
  • Canadian ownership of the provider is what most strengthens your position.

What does data residency mean?

Data residency refers to where your data is physically stored. When your workloads, backups and logging live in Canadian cloud regions — Microsoft Azure Canada Central (Toronto) and Canada East (Quebec City), or AWS ca-central-1 (Montreal) — your data resides in Canada. It’s a concrete, verifiable requirement: you can name the region, document it, and prove it.

Canadian residency is a good thing, and it’s usually the first question a client or auditor asks. But it only answers part of the problem. Knowing where your data lives doesn’t tell you who can legally compel access to it. For that, you look past the geography of the server to the jurisdiction of the organization that controls the data.

Why is sovereignty stronger than residency?

Data sovereignty is about control and jurisdiction: whose laws govern your data and who can be compelled to hand it over. That’s the whole distinction. The US CLOUD Act compels disclosure based on who controls the data, not where the servers sit. A US-based company can therefore be ordered to disclose data it holds, even when that data is physically stored on servers located in Canada.

In other words, keeping your data on Canadian soil only fully protects it when the organization that controls it answers to Canadian law. If your cloud provider or cybersecurity firm is headquartered in the US, hosting in a Canadian region doesn’t put your data beyond the reach of a foreign law. Residency is a question of location; sovereignty is a question of legal authority.

Why does a Canadian-owned provider matter?

It’s the provider’s Canadian ownership — not just a Canadian region — that most strengthens your position. The exposure is bigger than most assume. In Upper Harbour’s Canadian Technology Sovereignty Index, an analysis of 768 SaaS and cloud tools used by Canadian organizations, only 18% are fully Canadian-owned, while 54% are exposed to the US CLOUD Act. Choosing a Canadian-owned provider is how you move out of that 54%.

Let’s be precise about the scope. Canadian ownership and Canadian hosting reduce the risk that a foreign government can compel access to your data through legislation like the CLOUD Act; they don’t eliminate every conceivable risk. Large cloud infrastructure is often still supplied by global players, and sound architecture remains necessary. IT Sincennes is a Canadian-owned company based in Ottawa and Gatineau — not a Canadian branch of a US firm. The organization you contract with answers to Canadian law, and that’s what takes your contractual relationship out of the reach of a foreign statute.

How does this connect to Law 25 and PIPEDA?

The distinction between residency and sovereignty isn’t merely theoretical: it translates into a concrete obligation. Quebec’s Law 25 requires organizations to assess privacy risks before disclosing personal information outside Quebec and to ensure adequate protection. In practice, a cross-border transfer must be the subject of a privacy impact assessment (EFVP) before the data leaves the province.

Keeping data in Canadian regions simplifies that obligation. When a transfer outside Quebec is still necessary, the assessment must be deliberate, documented and defensible rather than accidental. The same logic applies federally: PIPEDA has long held an organization accountable for personal information entrusted to a third party, including one abroad. Understanding the difference between where your data lives and whose laws govern it is exactly what these regimes ask you to demonstrate.

At a glance

Residency and sovereignty, side by side

Data residency Data sovereignty
The question it answersWhere is your data physically stored?Whose laws govern your data — and who can compel access?
What decides itServer geography (e.g. Azure Canada Central/East, AWS ca-central-1)The jurisdiction of the organization that controls the data
Against the US CLOUD ActNo protection by itself — the law targets control, not locationA Canadian-owned provider answers to Canadian law
How to verify itName and document the hosting regionCheck the provider’s ownership and headquarters
Law 25 angleSimplifies the EFVP required before any transfer outside QuebecDecides whether a foreign regime can still reach the data
FAQ

Frequently asked questions

Are data residency and data sovereignty the same thing?

No. Data residency is about where your data is physically stored — for instance, in a Canadian Azure or AWS region. Data sovereignty is about whose laws govern it and who can be compelled to grant access. You can have Canadian residency without full sovereignty if the organization that controls the data answers to a foreign jurisdiction.

My US provider stores my data in Canada — isn’t that enough?

Not necessarily. The physical location of the server is only part of the picture. If the company that controls the data is US-based, legislation such as the CLOUD Act can compel it to disclose data it holds, even when those servers sit in Canada. Canadian ownership of the provider — not just a Canadian region — is what most strengthens your position.

What is the US CLOUD Act and why does it concern me?

The CLOUD Act is a US law that can compel a company under US jurisdiction to disclose data it holds, regardless of the country where that data is stored. It applies based on who controls the data, not where the servers are located. That’s why a US-owned provider hosting in a Canadian data centre can still be subject to it.

How does data sovereignty relate to Law 25?

Law 25 requires organizations to assess privacy risks before transferring personal information outside Quebec and to ensure adequate protection. Keeping data in Canadian regions simplifies that obligation, and where a transfer is needed you must document the assessment so it’s deliberate and defensible.

Continue reading

Want your data to stay in Canada?

Talk to a Canadian-owned firm that keeps your data in Canada — in Ottawa and Gatineau, in English or French.