Does Lavawall® host data in Canada?

Yes. Production data is currently hosted in AWS Montreal (ca-central-1). Lavawall® is migrating to dedicated servers in a secure hosting facility in Calgary, Alberta. Executable agent files are stored on Cloudflare's edge for performance but contain no client information.

How are PIPEDA, Alberta PIPA, BC PIPA, and Quebec Law 25 handled?

Bundled together as a single Canadian privacy framework. They overlap substantially in control expectations — bundling avoids charging four times for one privacy programme. The bundle counts as one framework in the Complete tier or as a single US$150/month framework add-on.

Does Lavawall® support CPCSC for Government of Canada contractors?

Yes. CPCSC is included in the framework set. The same evidence base satisfies CMMC 2.0 (US DoD) and CPCSC (Canadian Government of Canada) where they overlap.

Is support available in French?

Live chat and phone support are primarily English from Alberta and BC; written documentation availability in French is being expanded. For Quebec-specific contractual or compliance requirements, contact ThreeShield directly.

Best cybersecurity tools for Canadian MSPs (2026)

A Canadian MSP has a different procurement check-list than a US MSP. Privacy-law coverage spans federal PIPEDA plus the substantially similar provincial regimes (Alberta PIPA, BC PIPA, Quebec Law 25). Health authorities in BC and Alberta operate under their own HIA legislation. Securities firms operate under IIROC. Accounting firms operate under CPA Canada's technology guidance. And the new Canadian Program for Cyber Security Certification (CPCSC) is bringing CMMC-2.0-aligned controls to Canadian Government of Canada contractors.

On top of the framework breadth, Canadian MSPs typically want native CAD billing with proper GST/HST/PST/QST handling, Canadian-resident data hosting (or at minimum Canadian data sovereignty options), and bilingual (EN / FR) support reach.

Most popular MSP tools were built in the US for US compliance assumptions. Some have grown into Canada-friendly capabilities; others have not. This guide focuses on the Canadian-specific dimensions of the procurement decision.

What to look for

Canadian privacy framework coverage. Look for PIPEDA, Alberta PIPA, BC PIPA, and Quebec Law 25 as covered frameworks — ideally bundled together since they overlap substantially. Without bundling, you risk being charged four times for one privacy programme.
Canadian sectoral framework coverage. For health (BC HIA, Alberta HIA, Personal Health Information Protection Act analogues), securities (IIROC), critical infrastructure (NERC CIP for cross-border power utilities), and accounting (CPA Canada).
CPCSC alignment. For Government of Canada contractors, the CPCSC programme is rolling out NIST-SP-800-171-aligned controls in lockstep with CMMC 2.0. Look for explicit CPCSC framework support.
Canadian-resident data hosting. For health, securities, public-sector, and privacy-sensitive clients, Canadian-resident data hosting is a buying criterion — not a nice-to-have.
Native CAD billing with proper tax handling. GST 5%, HST 13–15% by province, PST 7% (BC) / 6% (SK) / 8% (MB), QST 9.975%. Look for tools that handle these natively rather than back-charging USD.
Bilingual (EN / FR) support and documentation. For Quebec clients particularly, French-language support and documentation availability matters.
Canadian-MSP-channel familiarity. Vendors with a Canadian presence understand Canadian Tire-vs-Lowe's-grade industry concerns, the geographic distribution of clients across provinces, and the procurement realities of public-sector contracts.

Options to evaluate

Lavawall®Canadian-built MSP cybersecurity, GRC, and analytics platform

Built and headquartered in Calgary, Alberta. Native CAD billing with GST/HST/PST/QST handling. Canadian-resident data hosting (currently AWS Montreal, migrating to dedicated Calgary servers). Bundles PIPEDA + Alberta PIPA + BC PIPA + Quebec Law 25 into a single privacy framework. Includes BC HIA, Alberta HIA, IIROC, CPA Canada, NERC CIP, and CPCSC alongside CMMC 2.0, NIST CSF, CIS, SOC 2, ISO 27001, HIPAA, PCI DSS, and Australian Essential Eight. Built by ThreeShield Information Security Corporation, a Canadian audit firm with CISSP and CISA staff.

Best when: Canadian MSPs delivering cybersecurity, GRC, and compliance services across PIPEDA / Quebec Law 25 / BC PIPA / Alberta PIPA / health-authority / securities / public-sector clients.

NinjaOne / Datto RMM / ConnectWise / Atera / Kaseya VSA + US GRC stackUS-built MSP RMMs

Mature US-built MSP RMMs that have grown into Canada-friendly capabilities to varying degrees. Typically billed in USD; Canadian-resident data hosting varies by product. Privacy framework coverage typically requires layering a separate GRC platform on top.

Best when: MSPs whose client base is primarily US or whose Canadian clients have flexible data-residency requirements.

Microsoft Defender XDR + Microsoft PurviewNative Microsoft platform

Native Microsoft tools with Canadian data-residency options on appropriate Microsoft 365 / Azure SKUs. Canadian privacy framework coverage requires manual mapping by the MSP or a separate GRC tool.

Best when: Microsoft-centric MSPs serving E5-licensed enterprise clients.

Vanta or Drata + US-built MSP RMMUS-built single-tenant GRC + US-built RMM

Functional combination but not optimised for Canadian frameworks. PIPEDA and provincial privacy regimes typically require custom-control work; Canadian sectoral frameworks (BC HIA, Alberta HIA, IIROC, CPA Canada) are not standard.

Best when: Canadian SaaS companies whose primary GRC need is SOC 2 / ISO 27001 for enterprise procurement.

How Lavawall® fits

Lavawall® was built in Calgary, Alberta, by ThreeShield Information Security Corporation — a Canadian audit firm and MSP. The Canadian-specific dimensions are not retrofits; they were original requirements.

On the privacy side: PIPEDA, Alberta PIPA, BC PIPA, and Quebec Law 25 are bundled as a single privacy framework rather than being charged four times. The Canadian privacy bundle counts as one framework in the Complete tier or US$150/month per additional framework — so a Quebec MSP with Alberta and BC clients does not pay four privacy-framework fees.

On the sectoral side: BC HIA, Alberta HIA, IIROC, CPA Canada, and NERC CIP are first-class frameworks alongside CMMC 2.0, NIST CSF, CIS, SOC 2, ISO 27001, HIPAA, PCI DSS, and the Australian Essential Eight.

On the data-residency side: Lavawall® hosts data in Canada (currently AWS Montreal, migrating to dedicated Calgary servers in a secure hosting facility). Executable files for the Windows, macOS, and Linux agents are stored on Cloudflare's global edge but contain no client information.

On the billing side: Canadian customers are billed in CAD with applicable GST/HST/PST/QST automatically. US and other international customers are billed in USD. Customers can change the billing currency before their first invoice.

Frequently asked

Does Lavawall® host data in Canada?: Yes. Production data is currently hosted in AWS Montreal (ca-central-1). Lavawall® is migrating to dedicated servers in a secure hosting facility in Calgary, Alberta. Executable agent files are stored on Cloudflare's edge for performance but contain no client information.
How are PIPEDA, Alberta PIPA, BC PIPA, and Quebec Law 25 handled?: Bundled together as a single Canadian privacy framework. They overlap substantially in control expectations — bundling avoids charging four times for one privacy programme. The bundle counts as one framework in the Complete tier or as a single US$150/month framework add-on.
Does Lavawall® support CPCSC for Government of Canada contractors?: Yes. CPCSC is included in the framework set. The same evidence base satisfies CMMC 2.0 (US DoD) and CPCSC (Canadian Government of Canada) where they overlap.
Is support available in French?: Live chat and phone support are primarily English from Alberta and BC; written documentation availability in French is being expanded. For Quebec-specific contractual or compliance requirements, contact ThreeShield directly.