
Why a Canadian AWS Region Isn't Canadian Hosting

A Canadian AWS region does not make your hosting Canadian.

If the company operating the infrastructure is incorporated in the United States, US law applies — including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which compels American companies to produce data stored anywhere in the world in response to US law enforcement requests. The physical location of the server is not what determines jurisdiction. The legal domicile of the company operating it is.

This distinction matters for every Canadian company subject to PIPEDA, Law 25, or federal government procurement requirements. And based on how most Canadian tech companies are currently hosted, almost none of them have fully accounted for it.

What the CLOUD Act actually says

The CLOUD Act was enacted on March 23, 2018, amending the Stored Communications Act. The operative text is at 18 U.S.C. § 2713:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.

The key phrase is "regardless of whether such communication, record, or other information is located within or outside of the United States." This means selecting ca-central-1 on AWS, or choosing Vercel's "Canadian region," does not exempt your data from US legal process. The data is in a Canadian building, but it's under American law.

The Balsillie School's 2026 analysis confirms this directly: when Canadians use services provided by US-headquartered companies — Microsoft, Google, Amazon Web Services, Apple, Meta — their data is subject to CLOUD Act jurisdiction regardless of where it is physically stored.

How this applies to Vercel, Netlify, Railway, and Render

All four platforms are US-incorporated. All four are subject to the CLOUD Act. Here's what that means in practice:

Vercel is incorporated in Delaware. Even if your Next.js app deploys to a Canadian-proximate edge node, the company operating that infrastructure is American. A US warrant can compel Vercel to produce your application data, environment variables, database contents, and deployment logs.

Netlify is incorporated in Delaware. Same jurisdiction, same exposure.

Railway is a US company. Same.

Render is a US company. Same.

Selecting a "Canadian region" in any of these platforms changes the physical location of the bits. It does not change the legal jurisdiction governing access to those bits.

What PIPEDA and Law 25 actually require

Neither PIPEDA nor Law 25 explicitly prohibits hosting data outside Canada or using foreign-owned infrastructure. But both create significant liability exposure when foreign jurisdictions can access the data without the data subject's knowledge or consent.

Law 25 requires organizations to conduct a privacy impact assessment (PIA) before disclosing personal information outside Québec. Under sections 17 and 17.1, the assessment must evaluate whether the personal information will receive equivalent legal protection in the receiving jurisdiction. If your hosting provider is subject to the CLOUD Act, the answer is potentially no — because US authorities can compel access without notifying the data subject or the Canadian organization.

Law 25's penalties are substantial. The Commission d'accès à l'information du Québec (CAI) can impose administrative monetary penalties of up to CA$10 million or 2% of worldwide turnover, and courts can impose fines of up to CA$25 million or 4% of worldwide turnover for severe violations.

PIPEDA's accountability principle (Principle 4.1) requires organizations to ensure an equivalent level of protection when personal information is transferred to a third party for processing — including a hosting provider. If that provider is subject to foreign government access orders, the equivalence of protection is undermined.

What "sovereign hosting" actually means

For hosting to be genuinely sovereign, every link in the chain must be outside foreign jurisdiction:

The company must be Canadian-incorporated — not a Canadian subsidiary of an American parent.
The infrastructure must be physically located in Canada.
No parent company, subsidiary, or controlling entity can be subject to foreign data production orders.
Operational staff with access to customer data must be in Canada.
Backups and disaster recovery must remain within Canadian jurisdiction.

If any of these are missing, "Canadian hosting" is a marketing claim, not a legal reality. The sovereignty page breaks down the structural test in more detail, with citations for each requirement.

The 92% problem

A 2026 analysis by Policy Options found that 92% of developer operations tools used in Canada fall under foreign jurisdiction. There are almost no Canadian-owned alternatives in most categories — not because Canadian companies don't build software, but because the infrastructure layer has been almost entirely ceded to American platforms.

This is the gap Canner exists to fill. Canner is a deployment platform that is Canadian-incorporated, operates exclusively on Québec-based infrastructure, and is not subject to the CLOUD Act or any foreign data access law. When we say your data stays in Canada, we mean the legal entity controlling your data is Canadian — not just the building it's stored in. The specific technical practices that back this up live on the security page; the practical workflow for Canadian agencies whose clients ask about this is in the agency workflow post.

Frequently asked questions

Does selecting a Canadian region on AWS make my data PIPEDA compliant?
Selecting ca-central-1 ensures your data is physically stored in Canada, but the legal entity controlling the infrastructure (Amazon Web Services, Inc.) is US-incorporated and subject to the CLOUD Act. PIPEDA's accountability principle requires you to account for this in your privacy practices.

Is Vercel PIPEDA compliant?
Vercel is a US-incorporated company subject to the CLOUD Act. Using Vercel means your data — including environment variables, database contents, and application logs — is within reach of US legal process regardless of deployment region. Whether this is "compliant" depends on your specific data processing context and risk assessment, but it creates a jurisdiction gap that a PIA should address.

Can the US government actually access my data on AWS Canada?
Yes, if a valid warrant or subpoena is issued under the Stored Communications Act as amended by the CLOUD Act. AWS must comply regardless of where the data is stored.

What's the difference between data residency and data sovereignty?
Data residency means your data is physically stored in a specific country. Data sovereignty means the legal jurisdiction governing access to that data aligns with the country where it's stored. You can have Canadian data residency on AWS (the bits are in Montréal) without Canadian data sovereignty (the company is American). Sovereignty requires both physical residency and legal jurisdiction.

About the author

Colin Shand is the founder of Canner, a Canadian deployment platform operated from Quebec. He writes about sovereign infrastructure, the Canadian startup ecosystem, and building independently.
