What Canadian Data Residency Actually Means for Your CMS Contract

Bryna Dilman

TL;DR

Canadian data residency shows up in every insurance RFP. But "we offer it" and "it's contractually guaranteed" are not the same thing. Here's what actually matters:

Why it's required

  • OSFI B-13 and B-10 set expectations around data governance, residency, and cloud portability
  • PIPEDA and Quebec's Law 25 treat cross-border data transfers as requiring specific safeguards
  • The U.S. CLOUD Act means a U.S. vendor can be compelled to hand over your data even if it's stored in Canada

The four questions to ask any vendor — in writing

  • Is Canadian data residency in the contract, or just a configuration option?
  • Where does data go during backups and disaster recovery?
  • Who are the subprocessors, where are they located, and what are their certifications?
  • What are the data return and deletion terms when you leave?

How the major CMS vendors stack up

  • Contentful: U.S.-based, no standard Canadian data residency offering
  • Adobe AEM and Sitecore: Canadian hosting requires separate negotiation
  • Agility CMS: Canadian-headquartered, hosted on Azure Canada Central by default, Canadian data residency in the standard contract, backups stay within Canadian Azure regions, and not subject to the U.S. CLOUD Act

The bottom line

Vendors who can answer these questions before your assessment starts will save you weeks. Vendors who can't will cost you months.


Canadian data residency has become a standard requirement in insurance technology procurement. You'll see it listed in RFP requirements, vendor questionnaires, and OSFI B-10 vendor risk assessments. Most vendors will tell you they offer it.

What they won't always tell you is that offering Canadian data residency and contractually guaranteeing it are two different things. And in a regulated industry where your privacy officer, CISO, and legal team all need to sign off on vendor arrangements, the difference matters.


Why Canadian Data Residency Matters to Insurers

The requirement for Canadian data residency in insurance technology isn't arbitrary. It comes from three overlapping sources of obligation:

OSFI's technology risk expectations. OSFI Guideline B-13, which governs technology and cyber risk management for federally regulated financial institutions, sets expectations around data governance, residency, and the insurer's ability to maintain control over data even when managed by a third party. Combined with B-10's cloud portability requirements, OSFI expects insurers to know where their data is, who can access it, and how it can be retrieved if the vendor relationship ends.

PIPEDA and provincial privacy law. Canada's federal privacy law, PIPEDA, governs how personal information is collected, used, and disclosed. Conservative interpretations of PIPEDA — especially by privacy officers in regulated industries — treat cross-border data transfers as requiring specific safeguards. Quebec's Law 25 goes further, adding requirements for privacy impact assessments before personal information is transferred outside Quebec. For insurers with Quebec operations, this means US-hosted platforms create immediate compliance friction.

The U.S. CLOUD Act. The U.S. Clarifying Lawful Overseas Use of Data Act allows U.S. law enforcement to compel American companies to produce data stored anywhere in the world. For Canadian insurers working with US-based vendors, even data stored in Canadian data centers may be subject to US government access if the vendor is a US company. This is a board-level concern at many Canadian financial institutions, and it's why "Canadian-headquartered vendor with Canadian data centers" is a meaningfully different position than "US vendor with a Canadian data center option."


What "Canadian Data Residency" Actually Means in Practice

When a vendor tells you they offer Canadian data residency, you need to ask four follow-up questions:

1. Is it in the contract? A vendor can offer Canadian hosting as a configuration option while their standard contract makes no guarantees about where your data lives. Your legal team needs to see an explicit contractual commitment — not just a sales deck claim — that your data is hosted in Canada and will not be transferred outside Canada without your consent.

2. Where is the data during backups and disaster recovery? This is where many vendors lose the thread. Primary data may be hosted in Canada, but if backups are replicated to a US region for disaster recovery, your data leaves Canada regularly. Your privacy team will ask this question. Make sure you have a clear answer from your vendor before the assessment starts.

3. Where are your subprocessors located? Your CMS vendor uses third-party services: CDN providers, analytics tools, support platforms, monitoring software. Any of these that process or store your data are subprocessors under OSFI B-10. If those subprocessors are US-based, your privacy officer may view that as a cross-border transfer that requires assessment. Ask your vendor for a complete subprocessor list with their locations and their own compliance certifications.

4. What happens to your data if you leave? B-10 explicitly requires that vendors support data portability and exit assistance. Make sure your contract specifies that you can export all your content in a standard format, that the vendor will assist with the transition, and that data is deleted from vendor systems within a defined period after termination.


What Contentful, Adobe AEM, and Sitecore Offer vs. What Agility CMS Offers

Looking at the Agility CMS platform comparison, the data residency picture across major CMS vendors is materially different:

  • Contentful is a US-based company with US-primary hosting. Canadian data residency is not a standard offering.
  • Adobe AEM is configurable for Canadian hosting, but this typically requires negotiation and is not included in standard contract terms.
  • Sitecore on XM Cloud does not offer Canadian data residency as a standard option — it requires separate negotiation.
  • Agility CMS is a Canadian-headquartered company with primary deployment on Azure Canada Central in Toronto. Canadian data residency is in the standard contract, not a negotiated add-on. Backups are replicated within Canadian Azure regions. Our full data flow documentation is available through our Trust Center before the assessment starts.

As a Canadian company, Agility CMS is also not subject to the US CLOUD Act — a distinction that matters to privacy officers and general counsel at Canadian insurers who have worked through the implications of US vendor arrangements.


What to Ask Your Current or Prospective CMS Vendor

Before your privacy officer, CISO, or legal team starts their review, get clear answers to these questions in writing:

  • Is Canadian data residency guaranteed in the contract, or is it a configuration option?
  • Where is data stored during backups and disaster recovery?
  • What is the complete list of subprocessors, their locations, and their compliance certifications?
  • What are the data return and deletion terms on contract termination?
  • Is the vendor a Canadian company or a US company with a Canadian data center?
  • Has the vendor completed a vendor risk assessment for any Canadian federally regulated financial institution?

Vendors who can answer all of these questions clearly, with documentation, before your assessment starts are vendors whose arrangements will survive your compliance review. Vendors who need weeks to assemble this information will cost you months of procurement time.

Agility CMS's security and compliance documentation and Trust Center are designed to answer every one of these questions before you ask — because we've been through this process with Canadian insurers and financial institutions already, including Scotiabank, whose security team has conducted independent audits of Agility CMS every year since 2008 and passed each one.


About the Author
Bryna Dilman

Bryna is Director of Marketing at Agility CMS. Joining Agility in 2025, she brings over 20 years of experience driving growth for SaaS companies through customer-centric marketing programs. She specializes in building scalable lead generation engines, launching comprehensive webinar series, and designing data-driven email campaigns that deliver measurable results.

She holds a Bachelor of Arts and Communications from York University and a postgraduate certificate in Public Relations and Corporate Communications. As Director of Marketing, Bryna oversees marketing strategy and execution, working closely with the community to deliver valuable content and programs. When she's not driving marketing initiatives, Bryna enjoys running and cycling, and serves on the Board of Directors for the Canadian Liver Foundation.
