
Residency Is Not Sovereignty. Microsoft Said So Under Oath.

A Microsoft executive told the French Senate, under oath, that it cannot stop US authorities from taking customer data held in Europe. The same is true for your data in Canada. Why Canadian soil does not put your data under Canadian law, and what does.



On June 10, 2025, a senior Microsoft executive sat before a French Senate inquiry and was asked a direct question under oath. Could he guarantee that French citizens' data, held in Microsoft's European data centres, would never be handed to US authorities without French authorization? His answer: "No, I cannot guarantee it."

This was sworn testimony in a parliamentary proceeding, not a marketing line, and it concerned data physically stored inside the European Union, which has some of the strictest data-protection law anywhere. The server location changed nothing. The company's home country decided the answer.

If that holds for French data in an EU data centre, it holds for your data in a Canadian one.

Residency and sovereignty are different things

Data residency is where the bytes physically sit. Pin your storage to Toronto or Montreal and you have Canadian residency. It is a real property. It governs latency, and it satisfies a contract that asks where the data lives.

Data sovereignty is which government's law decides who can reach the data. The Government of Canada defines it as Canada's right to control access to and disclosure of its digital information subject only to Canadian laws.

The US CLOUD Act, signed in 2018, lets US authorities compel any US-incorporated company to produce data it controls, wherever that data is stored. A US company holding your data in Canada gives you residency. It cannot give you sovereignty, because a valid US order reaches your bytes in Toronto without passing a Canadian court.

Microsoft says this in its own documentation now. A May 2026 answer states that because Microsoft is US-headquartered, the CLOUD Act may require it to respond to US authority requests even for data stored in a Canadian Azure datacenter, and it points customers at customer-controlled encryption as the mitigation.

This is your problem, in Canada, right now

The testimony was about France, but the law is about jurisdiction, so it lands on any country leaning on US providers. Canada leans hard. More than 80 percent of Canadian cloud services run on foreign, mostly US, infrastructure. The Department of National Defence runs Defence 365 on a US platform. A US order served on Microsoft, Amazon, or Google reaches a Canadian's data in a Canadian data centre, with no notice to that Canadian and no Canadian court involved.

It is a compliance exposure too. Under Quebec's Law 25, the strictest private-sector privacy law in the country, CLOUD Act exposure triggers a transfer assessment no matter where the data sits, because a foreign government can reach it without the Canadian organization knowing. Canadian residency does not clear that assessment. You document it as a mitigation. It does not stand in for the assessment.

An organization that moved to a Canadian region to meet a sovereignty requirement bought latency and a residency line item, and left the jurisdiction question untouched.

Whoever holds the keys controls the data

Microsoft's answer points at the one defence that holds: encryption with keys kept beyond the provider's reach. A provider that can read your data can be compelled to produce it. A provider that cannot read it has nothing to hand over.

That leaves two ways to close the gap, and they work together. One is to use a provider that is not a US company and has no US parent, so a CLOUD Act order has nowhere to land. The other is to encrypt your data before it leaves your machine, with keys only you hold, so no operator can read it, including the one you pay.

A US provider can only offer the second, layered over an exposure that does not go away. A provider outside US jurisdiction closes the first by existing. Do both and you no longer have to take the provider's word for it.

Where Storm Buckets fits

Storm Buckets is S3-compatible object storage, hosted in Canada and operated by a Canadian company with no US parent. US legal process has no hook into it the way it has into Microsoft, Amazon, and Google.

The honest limit: we are not claiming we cannot see your data. Our operators have root on the machines they run. What we claim is narrower and checkable. Storm is Canadian, the stack is open and auditable end to end, and if you need protection from Storm itself, you encrypt before upload and we never hold the keys. On an open stack that costs you nothing.

The engine under your bytes is Garage, open source, readable in full. We run the public version we document, we send fixes back upstream, and Storm Pulse, the agent that manages the nodes, is open source and installable today. Run the whole stack yourself and pay us nothing, or let a Canadian company that does only this run it for you. The way in is the way out, and you can read the source to confirm it.

Sign up for Storm Buckets

Object storage hosted in Canada, operated by a Canadian company, on a stack you can read and leave whenever you want. Exclusively Canadian jurisdiction, no US parent for a US court to serve. Founding Alpha testers start with a 100 GB grant kept for life.


Frequently asked questions

Does storing data in Canada protect it from US law?

No. Storing data in Canada gives you data residency, which controls where the data physically sits. It does not give you sovereignty. If the company holding your data is US-incorporated or has a US parent, the US CLOUD Act can compel it to produce that data regardless of which country the servers are in.

What is the CLOUD Act?

A US law, signed in 2018, that lets US authorities compel a company under US jurisdiction to hand over data it controls, even when that data is stored on servers outside the United States. It settled the earlier legal question of whether US companies could be forced to produce data held abroad. The answer is yes.

Did Microsoft admit it cannot guarantee data sovereignty?

Yes. In June 2025, Microsoft France's director of public and legal affairs testified under oath before a French Senate inquiry that he could not guarantee French citizens' data would never be transmitted to US authorities. The same admission appears in a letter to Scottish police authorities, where Microsoft advised that it cannot guarantee data sovereignty for Microsoft 365.

Is data in a Canadian Azure or AWS region CLOUD Act exposed?

Yes. Microsoft's own documentation states that because it is US-headquartered, the CLOUD Act may require it to respond to US authority requests even for data stored in a Canadian datacenter. The same applies to AWS and Google, which are also US companies.

Is this a Law 25 problem?

Yes. Under Quebec's Law 25, CLOUD Act exposure triggers a transfer assessment regardless of where the data is physically stored, because a foreign government can access it without the Canadian organization's knowledge. Canadian residency is a documented mitigation, not a substitute for the assessment.

How do I make my data sovereign?

Two things, together. Use a provider that is not subject to US jurisdiction, so there is no foreign hook to begin with. And encrypt your data before upload with keys you control, so the provider itself cannot read it. A Canadian-operated, open, auditable stack plus client-side encryption is the combination you can verify.