Canada AI Cloud Residency Index: CLOUD Act Exposure by Provider
When a Canadian organization deploys an AI workload on a cloud platform, two questions shape every compliance conversation: does the provider have infrastructure in Canada, and does US law reach that data regardless of where it sits? This dataset maps 22 major AI and cloud providers against both dimensions — Canadian-region availability, US corporate control, CLOUD Act (18 U.S.C. § 2713) exposure level, and Quebec Law 25 posture — so practitioners can start from verified facts rather than marketing language.
The CLOUD Act grants US law enforcement the authority to compel any US-incorporated entity to produce data it possesses, has custody of, or controls — regardless of the country where the data is physically stored. A Canadian AWS region is still an AWS region. A Canadian Azure data centre is still operated by a US corporation. Physical location is a residency configuration; legal sovereignty is determined by corporate structure and applicable jurisdiction. These are not the same thing, and the distinction matters for Law 25 transfer impact assessments, procurement governance, and sovereign AI strategy.
For organizations building on Bitcoin, distributed compute, or local AI infrastructure — areas where data sovereignty is foundational, not optional — understanding which providers genuinely reduce jurisdictional exposure is prerequisite work. See also: running local LLMs in Canada, sovereign AI consulting, and the distributed compute hub.
Attribution: CLOUD Act — Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713 (2018). Quebec Law 25 — Act respecting the protection of personal information in the private sector, RSQ c P-39.1, as amended 2022–2024. Legal framing cross-referenced with BLG, Data Sovereignty and the CLOUD Act: What Canadian Organizations Should Know (April 2026).
Canada AI Cloud Residency Index — all 22 providers
Filter by Canadian region availability or CLOUD Act exposure level. Click any column header to sort.
| Provider ↕ | HQ Country ↕ | CA Region ↕ | US Controlled ↕ | CLOUD Act Exposure ↕ | Law 25 Posture Note | Policy / Source |
|---|---|---|---|---|---|---|
| Amazon Web Services (AWS) | United States | Yes | Yes | High | ca-central-1 (Montreal) & ca-west-1 (Calgary). Data residency ≠ CLOUD Act immunity. TIA required under Law 25. Government of Canada Protected B authorized. | CLOUD Act page |
| Microsoft Azure | United States | Yes | Yes | High | Canada Central (Toronto) & Canada East (Quebec City). Enterprise Data Residency commitments available. Microsoft confirmed US law supersedes residency commitments under valid CLOUD Act order. TIA required. | Canada privacy |
| Google Cloud Platform (GCP) | United States | Yes | Yes | High | northamerica-northeast1 (Montreal) & northeast2 (Toronto). Dedicated Law 25 compliance page published. CSE mitigation available. TIA required. | Law 25 page |
| Oracle Cloud Infrastructure (OCI) | United States | Yes | Yes | High | Toronto (ca-toronto-1) & Montreal (ca-montreal-1). Government of Canada Protected B Framework Agreement awarded. TIA required. | Privacy policy |
| IBM Cloud | United States | Yes | Yes | High | Toronto MZR live; Montreal MZR announced (H1 2025). watsonx AI available in Canadian MZRs. TIA required as US corporation; Canadian commitments may factor into TIA risk analysis. | Privacy policy |
| Cloudflare Workers AI | United States | No | Yes | High | No dedicated CA AI inference zone confirmed as of June 2026. Custom Regions announced March 2026 for routing but CA inference not documented. TIA required. | Privacy policy |
| OpenAI API | United States | No | Yes | High | No Canadian region. EU data residency for Enterprise only. OPC & provincial regulators found training practices violated Canadian privacy laws (2024 investigation). TIA required. | Privacy policy |
| Anthropic Claude API (direct) | United States | No | Yes | High | Direct API routes to US infra. CA-region inference achievable via AWS Bedrock (ca-central-1) — a separate delivery path. CLOUD Act applies to both entities. TIA required either path. | Privacy policy |
| CoreWeave | United States | Yes | Yes | High | CA-East-01 (Ontario) — dedicated access only, not self-serve. Bell SK campus (Cerebras & CoreWeave tenants) expected H1 2027. TIA required. | Trust center |
| OVHcloud (Canadian operations) | France | Yes | No | Low | Beauharnois QC (BHS1-BHS5+) & Cambridge ON (2025). French parent claims no CLOUD Act exposure; OVH US LLC may differ. Verify legal entity on your contract. CA residency possible if contracting via French entity. Note: Ontario court (2024) compelled data disclosure via Canadian judicial process. | Data protection |
| ThinkOn | Canada | Yes | No | None | Canadian-owned and operated. Claims full CLOUD Act exemption. No inter-jurisdictional TIA required for data in ThinkOn Canadian facilities. Verify specific AI service capabilities directly. | Sovereign cloud |
| Snowflake (Cortex AI) | United States | Yes | Yes | High | ca-central.aws (Montreal) & ca-west.aws (Calgary). Cortex AI LLM functions in select regions — verify CA availability at source. TIA required. | Privacy policy |
| Databricks | United States | Yes | Yes | High | Via AWS ca-central-1 and Azure Canada Central. Inherits CLOUD Act exposure of underlying US hyperscaler. TIA required. | Privacy notice |
| Cohere | Canada | No | No | Moderate | Canadian corporation (Toronto), not directly subject to CLOUD Act. No public Canadian data-residency option as of June 2026. Inference infra likely on US hyperscalers — infrastructure-layer CLOUD Act exposure. TIA recommended. | Privacy policy |
| DigitalOcean | United States | Yes | Yes | High | TOR1 (Toronto). GPU Droplets for AI available in select regions; verify TOR1 GPU availability. TIA required. | Privacy policy |
| Vultr | United States | Yes | Yes | High | Toronto location available. GPU Cloud for AI available. TIA required as US corporation. | Privacy policy |
| Hetzner Cloud | Germany | No | No | None | EU only (Germany, Finland, US-Virginia). Not subject to CLOUD Act. Data leaves Canada — Law 25 TIA required for cross-border transfer to EU/US jurisdiction. | Privacy policy |
| Nebius AI | Netherlands | No | No | None | EU (Amsterdam) & US (Oregon) only. Dutch company; not subject to CLOUD Act. Law 25 TIA required for cross-border transfer. | Privacy policy |
| Hugging Face (Inference Endpoints) | United States | No | Yes | High | No Canadian inference endpoint region confirmed. US and EU regions only. Deploys on AWS/Azure/GCP — adds hyperscaler CLOUD Act exposure. TIA required. | Privacy policy |
| Mistral AI (La Plateforme) | France | No | No | None | EU-only inference (France). French company; not subject to CLOUD Act via direct API. If deployed via Azure AI Foundry, Azure’s CLOUD Act exposure applies. Law 25 TIA required for transfer outside Canada. | Privacy policy |
| Scaleway | France | No | No | None | EU only (Paris, Amsterdam, Warsaw). French company (Iliad Group); not subject to CLOUD Act. Law 25 TIA required for transfer outside Canada. | Privacy policy |
| Cerebras Cloud | United States | No | Yes | High | No Canadian region currently. Bell Canada SK campus (Cerebras as tenant) expected earliest H1 2027. TIA required as US corporation. | Privacy policy |
22 providers. As of June 2026 — verify at source before relying on any row. NOT legal advice.
Frequently asked questions
What is the CLOUD Act and why does it matter for Canadian organizations?
The Clarifying Lawful Overseas Use of Data Act (18 U.S.C. § 2713, enacted 2018) empowers US law enforcement to compel any US-incorporated company to produce data that it possesses, has custody of, or controls — regardless of where that data is physically stored. A server in Montreal owned by a US company is, from a US legal perspective, still reachable under CLOUD Act process. This matters for Canadian organizations because it means choosing a US provider’s Canadian region reduces latency and may satisfy data residency requirements, but it does not remove the company from US legal jurisdiction. Legal framing sourced from BLG, Data Sovereignty and the CLOUD Act (April 2026). NOT legal advice — consult qualified privacy counsel.
Does choosing AWS Canada (ca-central-1) or Azure Canada Central protect data from CLOUD Act demands?
It satisfies the data residency requirement — the data is physically in Canada — but it does not eliminate CLOUD Act exposure. Both AWS and Microsoft have publicly acknowledged that a legally valid US government order takes precedence over their data residency commitments. This is not a theoretical risk: Microsoft’s own documentation and executive testimony confirm compliance with valid CLOUD Act orders. Physical location is one compliance dimension; legal jurisdiction is another. For organizations that need both, a non-US-incorporated provider operating Canadian infrastructure (such as a Canadian-owned sovereign cloud) is the only configuration that removes the CLOUD Act from the equation.
What is Quebec Law 25 and what does it require for AI/cloud deployments?
Law 25 (the Act respecting the protection of personal information in the private sector, RSQ c P-39.1, as amended 2022-2024) is Quebec’s comprehensive privacy law, fully in force since September 2023. It requires that before personal information is communicated outside Quebec, the organization must complete a privacy impact assessment (PIA / Transfer Impact Assessment) that evaluates the legal and regulatory framework of the destination jurisdiction. Critically, the existence of CLOUD Act exposure in the destination jurisdiction — even for a server physically in Canada — is directly relevant to that TIA because the legal framework governing data includes the laws that apply to the entity controlling the data, not only the laws of the country where a server sits. Law 25 penalties can reach C$25 million or 4% of worldwide turnover. NOT legal advice.
Which providers in this dataset have zero CLOUD Act exposure?
As of June 2026, six providers in this dataset carry “None” exposure: ThinkOn (Canadian-owned, Canadian-operated), Hetzner Cloud (German), Nebius AI (Dutch), Mistral AI (French, direct API), and Scaleway (French). OVHcloud is rated “Low” — not None — because while the French parent entity claims exemption, its US subsidiary (OVH US LLC) may be separately subject, and a 2024 Ontario court order showed Canadian judicial processes can compel disclosure from OVHcloud independently of the CLOUD Act. For None exposure with a Canadian data centre, ThinkOn is currently the only provider in this dataset meeting that standard.
What is a Transfer Impact Assessment (TIA) and when is one required?
A Transfer Impact Assessment (also called a Privacy Impact Assessment in Law 25 language) is a documented evaluation of the privacy risks created by communicating personal information outside Quebec. Under Law 25, it is required before any such transfer. The assessment must consider: the sensitivity of the information, the adequacy of legal protections in the destination jurisdiction, and the security measures in place. CLOUD Act exposure is a factor in the “adequacy of legal protections” component — it is evidence that US law may be able to reach data controlled by a US entity even in a Canadian data centre. Many regulated-industry organizations now require TIAs for every SaaS and cloud tool in their stack. NOT legal advice.
What is the difference between data residency and data sovereignty?
Data residency is a configuration choice — where your data is physically stored. Data sovereignty is a legal condition — which jurisdiction’s laws actually govern access to that data, and who controls the entity that holds it. A Canadian AWS region gives you Canadian data residency but not Canadian data sovereignty, because AWS is a US corporation and US law governs its obligations. True data sovereignty requires that the entity controlling your data not be subject to foreign legal demands. Only providers that are incorporated outside the US and operate their own infrastructure without US-parent control can offer this in the cloud context.
Can I use AWS, Azure, or GCP for AI workloads in a Law 25-compliant way?
Yes, with the right controls and documentation in place. Law 25 does not prohibit transferring data outside Quebec — it requires that the transfer be assessed, documented, and protected. Steps typically include: choosing a Canadian region, completing a TIA, implementing contractual data processing agreements, applying technical controls (encryption with customer-managed keys where available), and reviewing the assessment when the provider’s legal posture changes. The TIA must honestly account for CLOUD Act exposure and reach a conclusion that adequate protections exist despite it. Many organizations in regulated industries have done this successfully. This is a summary of public guidance, not legal advice — work with privacy counsel for your specific situation.
Is there a fully Canadian-sovereign AI cloud option today?
ThinkOn is the only provider in this dataset that is Canadian-owned, Canadian-operated, and claims zero exposure to foreign data access laws. For AI workloads specifically, verify current AI service capabilities directly with ThinkOn, as their offering is managed-infrastructure-focused and AI-specific services should be confirmed. Canadian inference is also achievable through the government-approved paths (AWS Bedrock ca-central-1, Azure Canada Central, OCI Toronto/Montreal), but these remain US-controlled entities subject to CLOUD Act jurisdiction. The Canadian sovereign AI compute landscape is expanding: CoreWeave’s dedicated Ontario region and the future Bell Saskatchewan campus will add GPU capacity, though both are US entities. Organizations that need sovereign AI with no foreign jurisdictional exposure today need to architect around ThinkOn or self-hosted compute. For guidance on local LLM deployment, see the local LLMs in Canada hub and the sovereign AI consulting service.
Cite this dataset
D-Central Canada AI Cloud Residency & CLOUD Act Exposure Index
D-Central Technologies. Canada AI Cloud Residency & CLOUD Act Exposure Index. Version 1.0, June 2026. Published under Creative Commons Attribution 4.0 International (CC BY 4.0). https://d-central.tech/data/canada-ai-cloud-residency/
BibTeX
@misc{dcentral2026cloudresidency,
author = {{D-Central Technologies}},
title = {Canada {AI} Cloud Residency & {CLOUD} Act Exposure Index},
year = {2026},
month = {June},
version = {1.0},
url = {https://d-central.tech/data/canada-ai-cloud-residency/},
license = {CC BY 4.0},
note = {Informational only; NOT legal advice. Verify at source.}
}
License: Creative Commons Attribution 4.0 International (CC BY 4.0).
You may share and adapt this data for any purpose, including commercial use, provided you give appropriate credit to D-Central Technologies and indicate if changes were made.
Disclaimer: This dataset is informational only and does NOT constitute legal advice. As of June 2026; verify at source before procurement or compliance decisions.
Machine-readable downloads
- REST API (JSON): /wp-json/dc/v1/cloud-residency — supports
?ca_region=true,?us_controlled=false,?cloud_act_exposure=nonefilters - CSV: canada-ai-cloud-residency.csv
- JSON: canada-ai-cloud-residency.json
- Open Data Catalog: D-Central Open Data Catalog
Built on the shoulders of giants: this dataset stands on primary provider policy documentation, BLG’s CLOUD Act guidance, the Office of the Privacy Commissioner of Canada’s investigative findings, and the work of Canadian legal and technical practitioners who have publicly written about cloud sovereignty. D-Central makes no claim of superiority over primary legal sources — this is a synthesis for practitioners, not a substitute for legal advice.
Related products, repair, and setup paths
- immersion cooling hub
- home immersion cooling guide
- ASIC miners for immersion planning
- ASIC cooling parts
- airflow shroud before immersion
- compare miner specs in the database
- ASIC repair support
Last reviewed June 15, 2026.