Your data stays in Canada. Period.
For Canadian mental health professionals, data residency isn't optional, it's a requirement. Grace hosts all health data in Canadian data centers, without exception.
No health data crosses the border. No US CLOUD Act exposure. Complete Canadian data sovereignty.
Montreal, Canada. Sovereign infrastructure.
Infrastructure
Where your data lives
Grace uses certified Canadian data centers to host all health data, with redundancy and disaster recovery mechanisms in place.
Montreal region
Primary hosting
Primary cloud infrastructure hosted in the Montreal, Quebec region. SOC 2 and ISO 27001 certified data centers.
End-to-end encryption
Fully Encrypted
All data is fully encrypted at rest and in transit. Encryption keys are automatically rotated.
Canadian backups
Canadian redundancy
Backups are stored in separate Canadian regions. Health data never leaves Canadian territory, even for disaster recovery.
Why Canadian data residency matters
For mental health professionals, where data lives isn't a technical question, it's a legal and ethical one.
PHIPA requirements
PHIPA requires that personal health information be stored in Canada, unless specific cross-border transfer conditions are met (including explicit consent and risk assessment). Grace's Canadian-only data residency satisfies this requirement by design.
By hosting data in Canada, Grace helps practices demonstrate they have taken reasonable steps to protect their clients' PHI in accordance with PHIPA requirements.
The US CLOUD Act risk
The US Clarifying Lawful Overseas Use of Data (CLOUD) Act allows US authorities to compel access to data stored by US companies, even if the data is physically hosted outside the United States.
This means that if your health data is stored by a US provider, it could be accessed by US authorities without your knowledge. Grace eliminates this risk by using Canadian infrastructure.
Professional colleges
Several Canadian mental health professional colleges recommend or require that personal health information be stored in Canada. Grace aligns with these recommendations by design.
Whether you're a psychotherapist, psychologist, social worker, or counsellor, Grace's Canadian data residency helps you meet your professional college's expectations.
Client trust
In mental health, trust is the foundation of the therapeutic relationship. Your clients expect their most sensitive information to be handled with the highest level of care.
Being able to tell your clients that their data stays in Canada, protected by Canadian privacy laws, strengthens trust in your practice.
Quebec's Law 25
Quebec's Law 25 requires a transfer risk assessment for any personal data leaving Quebec, including an assessment of the legal regime in the destination jurisdiction.
Grace's Canadian-only hosting approach means data does not leave the country, supporting compliance with these transfer assessment requirements.
Alberta's HIA
Alberta's Health Information Act (HIA) also has data residency expectations for health information custodians. Grace's Canadian data residency aligns with these expectations by design.
Federal vs. provincial distinction
Note: PIPEDA at the federal level does not require data to stay in Canada, it permits cross-border transfers with adequate safeguards. However, Ontario's PHIPA requires Canadian storage, and Quebec's Law 25 requires transfer assessments. Grace adopts the strictest standard by design, keeping all health data in Canada.
Data architecture
How your data is protected
From input to backup, every step of the data lifecycle is protected by multi-layered security measures.
Secure transmission
All data is securely encrypted in transit between your browser and our Canadian servers.
Canadian processing
Data is processed exclusively in Canadian data centers. No offshore processing.
Encrypted storage
Data at rest is fully encrypted. Encryption keys are automatically rotated.
Canadian backups
Encrypted backups are stored in separate Canadian regions for geographic redundancy.
Infrastructure and subprocessors
We carefully select our infrastructure partners, prioritizing providers with Canadian regions and recognized security certifications.
Cloud Hosting, Montreal Region
Primary infrastructure in SOC 2 and ISO 27001 certified data centers in Canada.
Database, Canadian Region
Encrypted databases with automatic backups in Canadian regions.
File Storage, Canadian Region
Clinical documents and files fully encrypted and stored in Canadian buckets.
Payment Processing
Payment processing is handled by a third-party provider bound by a data processing agreement.
Communications (Email & SMS)
Email and SMS delivery services are bound by data processing agreements.
Telehealth Video
Telehealth video infrastructure is provided by a third-party provider bound by a data processing agreement.
Insurance Claims
Insurance claims processing is handled by a Canadian provider.
For a complete list of our subprocessors, please refer to our Data Processing Agreement (DPA). View DPA
Your data deserves Canadian sovereignty.
See how Grace protects your clients' personal health information with 100% Canadian infrastructure.