What Is Data Residency and Why Does It Matter?
Data residency refers to the physical and legal jurisdiction in which your organisation’s data is stored and processed. For most websites and digital platforms, this is determined by where your hosting infrastructure is located — which country’s servers hold your data and, by extension, which country’s laws govern access to it.
For Canadian non-profits, healthcare providers, and public sector organisations, data residency is not a technical detail. It is a legal and governance question with real implications for privacy compliance, funder requirements, and the protection of the people you serve.
The Problem With Default Hosting Choices
Many popular website platforms — including Squarespace, Wix, and some WordPress hosting providers — default to US-based infrastructure. This means that data collected through your website, including donor information, beneficiary contact details, and program registration data, is stored on servers subject to US law.
This creates a specific risk for Canadian organisations: the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US law enforcement to compel US-based technology companies to disclose data stored on their servers, regardless of where the data subject lives. Data about Canadian citizens, stored on Canadian servers, is not subject to this authority.
Which Canadian Privacy Laws Apply
The applicable legislation depends on your organisation’s sector and province. Federal organisations and those engaged in commercial activities across provincial borders are subject to PIPEDA (Personal Information Protection and Electronic Documents Act). British Columbia organisations are subject to PIPA and FOIPPA. Alberta organisations are subject to Alberta’s PIPA. Ontario healthcare organisations are subject to PHIPA. Indigenous organisations have additional considerations under OCAP principles.
Most of these frameworks require that personal information be protected from unauthorised access and disclosure — requirements that are harder to demonstrate when your data is hosted in a foreign jurisdiction.
When Data Residency Is a Hard Requirement
For many Canadian non-profits, data residency is a preference rather than a hard legal requirement. But for specific categories of organisations, it is non-negotiable:
Healthcare providers handling personal health information. Public sector organisations subject to FOIPPA or federal information management policy. Indigenous organisations managing community data under OCAP principles. Non-profits receiving certain federal contracts or grants that specify Canadian data residency as a condition.
If your organisation falls into any of these categories, your web agency must be able to demonstrate that your hosting infrastructure is located within Canadian borders.
Canadian Hosting Options
Canadian-region hosting is available through several major providers: AWS Canada (Central) based in Montreal, Microsoft Azure Canada Central and Canada East, and Google Cloud’s Montréal region. Dedicated Canadian hosting providers including SiteGround Canada, Canadian Web Hosting, and CIRA’s .CA infrastructure are also options for organisations with specific sovereignty requirements.
What to Ask Your Web Agency
Before signing any web development contract, ask your agency: Where will our website and form submission data be hosted? Where will our CMS data be stored? Are any third-party services — analytics, CRM integrations, email platforms — storing data outside Canada? Can you provide written documentation of data residency for our compliance records?
Pragmatica builds compliance-first digital infrastructure for Canadian non-profits and healthcare organisations, including Canadian hosting configuration as standard for projects where data residency is required. Learn more about our compliance services.
