Five questions to ask any 'Canadian' AI vendor
Due diligence checklist for Canadian organizations evaluating AI vendors. Know what questions separate genuine sovereignty from marketing claims.
Not all "Canadian" AI vendors are created equal. When your organization's compliance depends on data sovereignty, you need to look beyond marketing claims and examine the technical and legal reality. These five questions will help you separate genuine Canadian AI sovereignty from repackaged foreign services with local hosting.
The stakes are real. Quebec's Private Sector Act, as amended by Law 25, allows administrative monetary penalties of up to the greater of C$10 million or 2% of worldwide turnover (section 90.1) and penal fines of up to the greater of C$25 million or 4% of worldwide turnover (section 91) for failing to protect personal information. Under PIPEDA, a complaint can end in Federal Court orders (sections 14 to 16) and the reputational damage of a published finding. Getting vendor due diligence wrong puts your compliance program at risk.
Question 1: Where is your company incorporated and who are your investors?
This foundational question reveals more than most vendors want to discuss. Many "Canadian" AI services are subsidiaries of US corporations or have American investors, which can expose the data they hold to US legal process under the CLOUD Act.
The CLOUD Act (18 U.S.C. § 2713) requires a provider of electronic communication or remote computing services that is subject to US jurisdiction to preserve and disclose data in its possession, custody or control, regardless of whether that data is stored inside or outside the United States. "Control" reaches data held by a foreign subsidiary when the US parent can direct its production, so a Canadian subsidiary of a US company remains reachable by a US warrant or subpoena even if every byte sits in Canada. This is compulsory legal process for criminal investigations rather than intelligence collection, but the effect on sovereignty is the same: a US court, not a Canadian one, decides whether your data is produced.
"Under the US CLOUD Act (18 U.S.C. § 2713), a Canadian subsidiary of a US provider remains subject to US legal process for data in its parent's possession, custody or control, regardless of where that data is physically stored or processed. True data sovereignty therefore starts with Canadian-controlled corporate structures."
Ask specifically about the vendor's ownership structure. Look for terms like "wholly-owned Canadian corporation" or "no foreign investors," and ask the same question about the vendor's hosting and CDN providers: a wholly Canadian-owned vendor running on a US hyperscaler's Canadian region, or fronted by a US CDN, has reintroduced the CLOUD Act one layer down. Platforms like Augure explicitly structure themselves to avoid the corporate-ownership route to these jurisdictional complications, incorporated in Canada with exclusively Canadian ownership and governance.
Verify incorporation details through Corporations Canada's federal corporation search or the relevant provincial registry (for Quebec, the Registraire des entreprises). These public records show the registered office, the directors and, in some registries, the principal shareholders, which is the corporate structure a marketing page will not show you.
Question 2: What specific technical controls do you have for Law 25 and PIPEDA compliance?
Compliance isn't just about where data sits; it's about how it's processed, retained, and protected throughout its lifecycle. Section 10 of Quebec's Private Sector Act (as amended by Law 25) requires security measures that are reasonable given the sensitivity of the information, the purposes it is used for, its quantity and distribution, and the medium it is stored on.
Effective AI vendors build compliance controls into their architecture rather than retrofitting them later. Look for specific features like:
- Consent granularity: Can users control exactly what data is processed and for what purposes (PIPEDA Principle 3, Consent; Private Sector Act sections 12 to 14)?
- Data minimization: Does the platform collect only the information necessary for the stated purposes (PIPEDA Principle 4; Private Sector Act section 5)? For an AI assistant, ask specifically whether prompts, uploaded documents and chat history are retained beyond the session by default.
- Retention controls: Can you set automatic deletion policies so that information is destroyed or anonymized once its purpose is achieved (PIPEDA Principle 5; Private Sector Act section 23)?
- Access logging: Are there complete, tamper-evident audit trails of who accessed which data, sufficient to support the confidentiality-incident register the Private Sector Act requires (section 3.8) and your own compliance reporting?
PIPEDA Principle 7 requires safeguards appropriate to the sensitivity of information. Ask how the vendor implements encryption at rest and in transit, who holds the encryption keys (keys managed by a US cloud provider's KMS bring the CLOUD Act back in), network segmentation between tenants, and access controls for the vendor's own staff.
"Section 27 of the Private Sector Act gives Quebec residents a right to data portability: computerized personal information collected from them must, on request, be communicated in a structured, commonly used technological format. Your vendor has to be able to produce that per-person export on your behalf; your own right to bulk-export everything at contract end is separate, and only as strong as the contract that grants it."
Generic privacy policies aren't sufficient. You need technical documentation showing how Canadian privacy requirements are implemented in code and infrastructure.
Question 3: Can you provide evidence of 100% Canadian data residency?
Data residency goes beyond simply storing files on Canadian servers. In AI applications, "data" includes training datasets, model weights, inference logs, user interactions, embeddings and vector indexes, and metadata. Neither PIPEDA nor Law 25 forbids moving these across a border outright, but any transfer has to be known, assessed and contractually covered: section 17 of the Private Sector Act requires a privacy impact assessment and a written agreement before personal information is communicated outside Quebec, and PIPEDA clause 4.1.3 requires comparable protection wherever it is processed. A vendor that cannot enumerate every component and where it lives cannot meet either test.
Many AI vendors front their services with content delivery networks (CDNs) or global load balancers that terminate TLS and route traffic through foreign points of presence, so the CDN operator sees plaintext prompts before they ever reach Canada. Others rely on US-based model training or inference infrastructure, meaning your sensitive prompts could be processed outside Canada even if results are stored domestically.
Ask for detailed data flow diagrams showing:
- Where model training and model inference occur (they are often in different places)
- Geographic routing of user requests
- Location of backup and disaster recovery systems
- Third-party integrations that might process Canadian data abroad
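A quick first check on the routing claim, as an added example that is not part of this article or of any vendor's tooling: the script below parses HTTP response headers for the point-of-presence codes that Cloudflare (the suffix of `cf-ray`) and Fastly (the last cache listed in `x-served-by`) stamp on responses, and reports whether the edge that terminated your connection was in Canada. The sample headers are constructed, the hostname in the comment is hypothetical, and the set of Canadian POP codes is an assumption to be checked against the CDN's published list.

```python
import re
from typing import Optional

# Constructed sample responses, not captured from any real vendor. Each dict is
# what `curl -sI https://api.vendor.example/` (hypothetical host) would return,
# as header name -> value.
SAMPLE_CLOUDFLARE_CA = {
    "Server": "cloudflare",
    "CF-RAY": "8a1b2c3d4e5f6789-YYZ",  # colo suffix: Toronto
    "Content-Type": "application/json",
}
SAMPLE_CLOUDFLARE_US = {
    "Server": "cloudflare",
    "CF-RAY": "8a1b2c3d4e5f6790-IAD",  # colo suffix: Ashburn, Virginia
}
SAMPLE_FASTLY_CA = {
    # Fastly lists shield then edge; the last entry is the POP that served the client.
    "X-Served-By": "cache-iad-kiad7000021-IAD, cache-yyz4120-YYZ",
    "X-Cache": "MISS, HIT",
}
SAMPLE_DIRECT = {
    "Server": "nginx",
    "Content-Type": "application/json",
}

# Assumption: Canadian IATA codes used as POP identifiers. Illustrative only;
# extend from the CDN's published POP list before relying on it.
CANADIAN_POPS = {"YYZ", "YUL", "YVR", "YYC", "YOW", "YWG", "YHZ", "YQB", "YEG"}

CF_RAY = re.compile(r"^[0-9a-f]{16}-([A-Z]{3})$")
FASTLY_CACHE = re.compile(r"cache-[a-z0-9-]+-([A-Z]{3})\b")


def edge_location(headers: dict) -> Optional[tuple]:
    """Return (cdn, pop_code) for the edge that answered, or None if no known CDN marker is present."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "cf-ray" in h:
        m = CF_RAY.match(h["cf-ray"])
        if m:
            return ("cloudflare", m.group(1))
    if "x-served-by" in h:
        pops = FASTLY_CACHE.findall(h["x-served-by"])
        if pops:
            return ("fastly", pops[-1])
    return None


def classify(headers: dict) -> str:
    """Classify where the request was terminated, as far as the headers can tell."""
    loc = edge_location(headers)
    if loc is None:
        # No CDN marker: not evidence of residency either way; ask for the data-flow diagram.
        return "no-cdn-marker"
    cdn, pop = loc
    if pop in CANADIAN_POPS:
        return f"canadian-edge:{cdn}:{pop}"
    return f"foreign-edge:{cdn}:{pop}"


if __name__ == "__main__":
    samples = [
        ("cloudflare-ca", SAMPLE_CLOUDFLARE_CA),
        ("cloudflare-us", SAMPLE_CLOUDFLARE_US),
        ("fastly-ca", SAMPLE_FASTLY_CA),
        ("direct", SAMPLE_DIRECT),
    ]
    for name, hdrs in samples:
        print(f"{name:14s} {classify(hdrs)}")
```

Run it against a real capture by pasting the output of `curl -sI` into a dict, and read the result conservatively. A foreign edge is positive evidence that the request, including its plaintext, was terminated outside Canada by a US-headquartered CDN. A Canadian edge says nothing about where the origin, the model inference, backups or logs live, and `no-cdn-marker` means only that this check cannot tell. It is a way to catch a contradiction with the vendor's data-flow diagram, not a substitute for it.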
The Canadian Centre for Cyber Security (CCCS) recommends maintaining "end-to-end Canadian control" over sensitive data processing. This means Canadian infrastructure operated by Canadian entities under Canadian law.
"PIPEDA and Law 25 permit cross-border processing of Canadian personal information with contractual safeguards, but a contract cannot override a foreign court order. True data sovereignty therefore requires that all processing, storage and transmission occur within Canadian legal jurisdiction under Canadian corporate control; foreign processing creates gaps that contractual safeguards can narrow but not close."
Platforms like Augure specifically architect their infrastructure to ensure complete Canadian data residency — from model inference to persistent memory storage, all processing remains within Canadian borders under Canadian legal authority.
Question 4: How do you handle model training and what data sources do you use?
AI model training presents unique sovereignty challenges. Many Canadian AI services rely on models trained by foreign companies using datasets of unknown provenance. This creates potential compliance risks and dependency on foreign technical infrastructure.
Large language models trained on web-scraped data may contain personal information collected without the consent PIPEDA Principle 3 requires. Deploying such a model does not make you the party that scraped it, but it does make the model part of an information system you are acquiring, and section 3.3 of the Private Sector Act requires a privacy impact assessment (PIA) for any project to acquire, develop or redesign an information system that involves personal information. Ask vendors about their training data sources and whether they have conducted a PIA of their own, and expect to conduct yours.
Key questions for model governance:
- Was the model trained using Canadian data without explicit consent?
- Can the vendor guarantee training data doesn't include personal information of Canadian residents? (For any web-scale model the honest answer is no; what matters is whether the vendor knows that and what mitigations it applies, such as output filtering and a process for handling deletion requests.)
- What ongoing relationship exists with foreign model developers?
- How are model updates and improvements managed?
Some vendors call models hosted by OpenAI, Google, or other US companies through their APIs, which sends every prompt to a US provider and creates an ongoing dependency that undercuts any sovereignty claim regardless of how the vendor itself is incorporated. Others run open-weight models on their own Canadian infrastructure, or train models domestically using curated datasets with clear provenance; in the open-weight case, ask where the weights came from and how updates are vetted before they reach production.
The Quebec Commission d'accès à l'information (CAI) has indicated that organizations using AI models trained on personal data without consent may violate the consent principles in sections 12 to 14 of the Private Sector Act, regardless of where the training occurred.
Question 5: What happens to data when our contract ends?
Data portability and deletion rights are fundamental requirements under PIPEDA (Principles 5 and 9) and the Private Sector Act (sections 23 and 27), but many organizations overlook these provisions during vendor selection.
Effective vendor agreements specify:
- Export formats: Complete data export in structured, machine-readable formats (the same format standard section 27 of the Private Sector Act sets for individual portability requests)
- Deletion timelines: Certified destruction of all data copies within specified timeframes, consistent with PIPEDA Principle 5 and the destruction-or-anonymization duty in section 23 of the Private Sector Act
- Verification procedures: Independent confirmation that deletion is complete, including fine-tuned models, embeddings, vector indexes and caches derived from your data, not just the source documents
- Backup handling: How archived or backup copies are identified and destroyed
PIPEDA Principle 5 requires that personal information be retained only as long as necessary for identified purposes. Your AI vendor's retention policies must align with your own data governance requirements, not their business convenience.
"Under section 18.3 of the Private Sector Act, personal information may be entrusted to a service provider only under a written contract setting out the protection measures the provider must take, and the Quebec organization remains responsible for that information throughout. Vendor data practices become direct compliance liability, making vendor selection a critical governance decision."
Ask for sample data processing agreements (DPAs) that specify these terms. Generic privacy policies don't create enforceable obligations for data handling after contract termination.
Consider vendors who provide granular control over data retention and deletion rather than requiring you to trust their internal processes. Organizations using Augure can control retention policies directly through the platform interface, maintaining compliance control rather than delegating it to vendor discretion.
Documentation and verification
Vendor due diligence requires documentation, not just verbal assurances. Request copies of:
- Corporate registration documents showing jurisdiction and ownership
- Privacy impact assessments for their AI systems (section 3.3 of the Private Sector Act)
- Technical architecture diagrams showing data flows
- Sample data processing agreements
- Compliance audit reports or certifications
Verify claims through independent sources where possible. Corporate registries, regulatory filings, and third-party security assessments provide objective validation of vendor representations.
Remember that vendor compliance becomes your compliance under PIPEDA Schedule 1 clause 4.1.3 and section 18.3 of the Private Sector Act. The Quebec Commission d'accès à l'information holds organizations responsible for their vendors' data practices. Choose vendors whose compliance architecture supports your obligations rather than complicating them.
Making the sovereign choice
Canadian AI sovereignty isn't just about regulatory compliance — it's about maintaining control over your organization's most sensitive information. The right vendor questions help you identify platforms built for Canadian requirements rather than foreign services adapted for Canadian marketing.
When evaluating AI vendors, prioritize those who can demonstrate genuine Canadian sovereignty through corporate structure, technical architecture, and compliance design. Your organization's data deserves Canadian protection under Canadian law.
Discover how Augure provides complete AI sovereignty for Canadian organizations at augureai.ca.
About Augure
Augure is a sovereign AI platform for regulated Canadian organizations. Chat, knowledge base, and compliance tools — all running on Canadian infrastructure.