On August 18, 2025, Shared Services Canada — the department that buys and runs IT for most of the federal government — issued a request for information for something the Canadian market had mostly stopped believing it needed: a fully sovereign public cloud. Not a Canadian region of an American hyperscaler. A cloud where data is processed, transmitted, and stored exclusively in Canada, on infrastructure operated by suppliers fully owned and controlled by Canadian persons — and explicitly not by suppliers subject to foreign-government access laws.
That last clause is the whole story. It is the federal government, in a procurement document, drawing the exact line we built Canner on.
Why “in a Canadian region” stopped being enough
For a decade, “data residency” was the answer to every Canadian procurement question. Store the data in Toronto or Montreal and check the box. The problem is jurisdictional, not geographic. The US CLOUD Act lets US authorities compel any company under US jurisdiction to produce data in its “possession, custody, or control” — wherever that data physically sits. A US-parented provider, or a Canadian subsidiary under US control, can be ordered to hand over data held in a Canadian data centre.
Residency keeps the disk in Canada. It does not keep the data under Canadian law alone. Sovereignty — the thing the RFI actually asks for — requires the operating company itself to be Canadian. You can read the full mechanism on our sovereignty page.
The RFI is one signal in a larger shift
The sovereign-cloud RFI did not appear in a vacuum. Through 2025 and into 2026, Canadian data sovereignty moved from a niche compliance concern to a procurement and political priority:
Buy Canadian. The federal Buy Canadian procurement policy came into force in December 2025, treating supplier nationality as a first-class criterion for contracts above a set threshold.
The Digital Sovereignty Framework. The Government of Canada's 2024 framework already treated where a supplier is incorporated and controlled as a security question, not a paperwork one.
Trade friction as confirmation. When the United States' 2026 trade-barriers report flagged Canada's sovereign-cloud push and Buy Canadian policy as irritants, it confirmed the direction is real enough to be worth complaining about.
What a supplier actually has to be able to say
Strip the RFI down and a qualifying supplier has to be able to answer three questions affirmatively, in writing:
Who owns and controls you? Canadian persons, with no US parent, affiliate, or controlling foreign investor. Canner is 100% Canadian-owned and operated from Quebec.
Where does the data live and move?In Canada — compute, storage, and databases. Canner runs on Web Hosting Canada infrastructure in Montreal, on the Hydro-Québec grid, with no foreign edge network in the normal request path.
Are you subject to a foreign access law? No. A wholly-Canadian entity falls outside the CLOUD Act's reach — the point Canadian legal commentary converged on through 2025–2026.
Where Protected B fits — honestly
It would be easy to read an RFI like this and claim a Protected B badge. We won't. Protected B accreditation — the PBMM security profile, the GC Cloud Guardrails, a departmental risk assessment — is a serious, high-engagement program, and we'd rather be straight about it than market ahead of it. You can read what that program actually involves in our guide to the GC Cloud Guardrails.
What we will say is this: Protected B programs assume the foundation the RFI is asking for — Canadian operation, Canadian control, no foreign legal exposure — and then layer security controls on top. Most providers can bolt on the controls but can never satisfy the foundation, because their corporate parent lives in Delaware. Canner is built foundation-first, and we are positioning and planning toward the Protected-B-aligned controls on top of it. That ordering is the difference between a sovereignty story you can defend and one you can't.
If you're a Canadian vendor reading the same RFIs
You don't have to be Shared Services Canada to care about this. If you sell to government, to regulated sectors, or to enterprises that answer to them, the same question is coming down your sales pipeline: “Is your hosting subject to the CLOUD Act?” Building on a sovereign platform lets you answer it the same way the RFI wants answered — once, in writing, without an asterisk.
Canner provides the paperwork to back it up: a Data Processing Agreement built for PIPEDA and Quebec's Law 25, and a written data-residency attestation you can attach to a Privacy Impact Assessment — available on any plan, or included on the Enterprise plan.