Canadian Data Center Use
Signority Inc., a ten-year-old 100% Canadian owned and operated eSignature solution company, with 100% Canadian employees, stores its customer data within Canadian data centres.
More specifically, Signority eSignature Platform data is stored within the Amazon Web Services (AWS) Cloud, Canada (Central) Region, located in the Montréal area, which consists of three Availability Zones (AZ). Each AZ consists of one or more discrete data centres, each with its own redundant power, networking, and connectivity, and each housed in separate highly secure facilities. This overall data centre cluster design provides highly resilient primary and backup data centres for the Signority eSignature Platform.
The Canadian AWS data centres that Signority Inc. uses are similarly used by many other organizations including Air Canada, the National Hockey League (NHL), Aviva Insurance, The Globe and Mail, the National Bank, the Government of Ontario and the Government of Canada.
Hosting Data in the United States?
If a Canadian organization permits its data to be hosted within U.S. data centres, such as with a U.S.-based eSignature solutions company, the data will be subject to the full force of U.S. laws and regulations, such as the Foreign Intelligence Surveillance Act (FISA), the Patriot Act, the USA Freedom Act, the Stored Communications Act, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and numerous others – even if the data belongs to a Canadian resident.
The U.S. CLOUD Act and Impact on Canadian Data Residency
The U.S. CLOUD Act allows U.S. federal law enforcement agencies to compel U.S.-based technology companies (e.g. Amazon) – via warrant or subpoena – to provide requested data stored on servers regardless of whether the data is stored in the U.S. or on foreign (i.e. Canadian) soil. However, it is important to note that the law also provides mechanisms for the companies or the courts to reject or challenge these requests if they believe the request violates the privacy rights of the foreign country (i.e. Canada) that the data is stored in. The CLOUD Act does not provide U.S. law enforcement agencies unlimited or unfettered access to data; access is available only in two specific circumstances: (1) with the customer’s consent or (2) with a warrant issued by a U.S. court in accordance with criminal procedures. For a warrant to be issued, a U.S. court must have probable cause to believe that a crime has been committed. Regardless, Amazon does not disclose customer information in response to any government demands unless required to do so to comply with a legally valid and binding order. Unless prohibited from doing so or there is clear indication of illegal conduct in connection with the use of Amazon products or services, Amazon notifies and consults with its customers before disclosing content information.
Amazon is transparent about the lawful access requests that it receives. In the first half of 2021, Amazon Web Services (AWS) received 632 lawful access requests from numerous countries (390 of these from the U.S.), not including National Security Letters or FISA requests. Of this total, the vast majority, 620, were related to simpler “non-content” requests (i.e. basic subscriber information such as name, address, email address, billing information, and date of account creation, certain retail purchase history, and AWS service usage information). Only 12 out of 632 were related to more detailed “content” requests. And of these, none (0) resulted in the disclosure to the U.S. government of enterprise content data located outside the U.S.
In summary, there are strong and balanced data protection laws as well as limited U.S. lawful access measures in place when organizations store their data within Canadian data centres. It is easier to assure Canadians that their data is safe from U.S. law enforcement agency access if Canadian data stays in Canada.