Practical guidance on Alberta's POPA, Law 25, the CLOUD Act, Transfer Impact Assessments, and data sovereignty — written for privacy officers, IT leads, and compliance teams managing SaaS environments.
Most Canadian organizations understand sovereignty risks. The problem is proof. When a regulator, procurement officer, or client asks how you manage cross-border data exposure, can you produce a defensible answer? A comprehensive guide to what’s required under Law 25, PIPEDA, and the CLOUD Act.
Read guide →Every Canadian-owned SaaS tool in our Sovereignty Index, organized by category. No CLOUD Act exposure, no foreign jurisdiction. Searchable, filterable, and updated as the index grows.
Browse the directory →Quebec's Law 25 requires Transfer Impact Assessments for every cross-border SaaS tool. Learn which tools are affected, what's required, and how to start documenting compliance.
Read guide →The US CLOUD Act gives American authorities the power to compel access to data held by US companies — regardless of where that data is stored. Here's what it means for Canadian organizations.
Read guide →Five specific ways the CLOUD Act undermines data sovereignty for Canadian organizations — and what to do about it. Covers compliance documentation, sector-specific exposure, contractual limitations, and migration options.
Read guide →Every cross-border data transfer requires a documented TIA under Law 25. Here's what a TIA must include, when one is triggered, and a practical framework for completing them.
Read guide →The CAI hasn't published a standard Transfer Impact Assessment template. We did. A complete, structured framework any Quebec organization can use to document cross-border SaaS compliance — covering jurisdictional assessment, CLOUD Act exposure, safeguards evaluation, and residual risk determination.
Access the template →Version française du modèle d'Évaluation des facteurs relatifs à la vie privée pour la conformité à la Loi 25. Un cadre structuré pour documenter les transferts transfrontaliers de données SaaS, l'exposition au CLOUD Act et les mesures de protection.
Accéder au modèle →A practical breakdown of which popular SaaS tools offer Canadian data residency, which don't, and why residency alone doesn't solve the compliance question.
Read guide →These two terms are used interchangeably — but they describe fundamentally different things. One is a server configuration; the other is a legal and corporate structure question.
Read guide →Both govern personal information — but Law 25 is significantly stricter on consent, cross-border transfers, penalties, and individual rights. A practical comparison for compliance teams.
Read guide →Government RFPs increasingly require demonstrated data sovereignty. Here's what procurement teams are asking for and how to document your compliance posture.
Read guide →A step-by-step guide to building the documented SaaS inventory that Law 25, PIPEDA, and procurement sovereignty reviews require. Covers jurisdiction mapping, CLOUD Act exposure, and defensible record-keeping.
Read guide →A practical checklist of the six documents Canadian organizations must maintain — and what happens when regulators, auditors, or procurement officers ask for them and you can't produce them.
Read guide →Your SaaS stack is US-controlled. Now what? A practical action guide covering exposure mapping, risk triage, documentation requirements, remediation options, and ongoing monitoring.
Read guide →The 2021 FIPPA amendment changed the rules. BC public bodies can now store data outside Canada — but must complete privacy impact assessments evaluating jurisdictional risk. Here's what the new framework means for your SaaS stack.
Read guide →The BC Privacy Commissioner hasn't published a SaaS-specific PIA template for jurisdictional risk. We did. A structured framework for BC public bodies to assess vendor jurisdiction, CLOUD Act exposure, and safeguards under the amended FIPPA.
Access the template →Alberta's Protection of Privacy Act requires public bodies to complete PIAs using a mandatory OIPC template. The OIPC reviews your submission.
The OIPC released a mandatory PIA template. Alberta is the only province requiring template submission to a regulator. What public bodies need to do.
Read guide →Select your SaaS tools from our 753-tool database. Get pre-written answers for Sections F, G, and H2 of the mandatory OIPC template. $199.
Start PIA Research Tool →When a PIA is required, which PIAs must be submitted to the OIPC, and what happens if you don't complete one.
Read guide →How to address CLOUD Act exposure in the OIPC template. The template explicitly names it in Risk 7. Step-by-step guidance.
Read guide →How to complete the OIPC template for the most common SaaS tools. CLOUD Act analysis for each vendor.
Read guide →Every Alberta public body must implement a Privacy Management Program by June 2026. PIAs are a core component.
Read guide →Compare the three provinces' requirements. Alberta is the hardest — mandatory template and regulator submission.
Read guide →From Edmonton to small towns — how municipalities complete PIAs for SaaS tools under POPA.
Read guide →Student data is highly sensitive under POPA. How school boards and charter schools complete PIAs.
Read guide →Research data, student records, and complex SaaS environments — PIA guidance for post-secondary institutions.
Read guide →Patient data under both POPA and HIA. How health authorities address CLOUD Act exposure in PIAs.
Read guide →Law enforcement data, body-worn cameras, and evidence management — PIA guidance for municipal police.
Read guide →Enterprise SaaS deployments, data matching, and common programs — PIA guidance for provincial government.
Read guide →HarbourScan identifies jurisdictional risk across your entire SaaS stack — free, browser-based, in about 10 minutes.
Map Your Stack →Need compliance documentation? TIA and PIA reports from $99 →