Why Data Residency Matters: The Hidden Risk of U.S. Storage in Microsoft Forms
Why Data Residency Matters: The Hidden Risk of U.S. Storage in Microsoft Forms—And Why Canadian Institutions Need an Alternative
Data residency is no longer a background IT concern—it is one of the most pressing governance issues facing Canadian organizations today. As provinces strengthen privacy legislation and public expectations of data protection rise, Canadian institutions must scrutinize where their cloud data actually lives. Nowhere is this more urgent than in the everyday tools used for collecting personal information. Tools like Microsoft Forms may seem ideal. However, despite what organizations assume, data is not stored in line with the tenant location.
Microsoft Forms Data Is Stored in the United States
According to Microsoft’s own documentation, Microsoft Forms stores form responses and metadata on servers located in the United States for all tenants outside the EU and Australia.
• Microsoft: Where Microsoft Forms data is stored → https://support.microsoft.com/en-us/office/where-your-microsoft-365-customer-data-is-stored-ed6726e1-149f-4995-9967-1c6a148d60a6
• Microsoft data storage architecture → https://learn.microsoft.com/en-us/microsoft-365/enterprise/o365-data-locations
This means that Canadian tenants—including enterprises, municipalities, universities, and K–12 institutions—automatically send form data across the border, with no ability to change the storage region, regardless of whether that data includes student records, employee files, or identifiable citizen information.
Cross-Border Transfer Heightens Surveillance and Privacy Risk
Canada’s public has taken note of these risks. Canadians report concerns about data privacy when their information is stored in the United States, driven largely by the legal reach of American surveillance legislation.
The USA PATRIOT Act grants U.S. authorities broad powers to access information stored on U.S. soil, and government agencies may obtain data simply by deeming activity suspicious.
• U.S. Department of Justice overview: https://it.ojp.gov/PrivacyLiberty/authorities/statutes/1285
When Canadian public-sector data crosses the border, it becomes subject to this expanded surveillance environment—regardless of Canadian expectations, provincial policy, or institutional governance frameworks.
Provincial Law: Clear Restrictions on Foreign Storage
Several provinces explicitly regulate or prohibit the cross-border transfer of public-sector personal data:
- British Columbia and Nova Scotia: public-sector privacy laws prohibit government institutions and Crown agents from storing any personal information outside Canada.
  • BC FIPPA → https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/96165_00
  • Nova Scotia FOIPOP → https://nslegislature.ca/sites/default/files/legc/statutes/freedom%20of%20information%20and%20protection%20of%20privacy.pdf
- Quebec and Alberta: provincial privacy statutes restrict the ability of public bodies to transfer personal data internationally unless stringent protections are in place.
  • Quebec Law 25 → https://www.quebec.ca/en/business-and-economy/personal-information-protection
  • Alberta FOIP → https://www.alberta.ca/foip
For municipalities, higher education institutions, and school boards, these legal constraints mean that using Microsoft Forms for student applications, HR intake, service requests, or citizen reporting may constitute a compliance violation.
In short: using Microsoft Forms for sensitive intake in Canada exposes organizations to cross-border transfer risks that many provinces explicitly forbid.
Microsoft Forms vs. Canadian Data Residency Requirements
| Requirement | Microsoft Forms | Result |
| --- | --- | --- |
| Local Canadian data storage | ❌ Not supported | Cross-border transfer is unavoidable |
| Control over data residency | ❌ No option to select | Organizations cannot enforce governance |
| Compliance with BC/NS data-localization laws | ❌ High risk | Potential statutory non-compliance |
| Protection from U.S. surveillance | ❌ Data stored on U.S. servers | Subject to PATRIOT Act |
For Canadian institutions, this is not a minor gap—it is a structural governance issue.
A Canadian-Compliant Alternative: SOS Intake
Unlike Microsoft Forms, SOS Intake from SnapOn Software does not store your data in the United States. Intake forms are hosted directly within your Microsoft 365 tenant—meaning all records, file uploads, metadata, and submissions remain under your governance, within your SharePoint environment.
✔ Data stays in Canada if your M365 tenant is Canadian
✔ No cross-border transfer
✔ No SnapOn Software servers storing or routing your content
✔ Fully auditable under your existing governance model
Because submissions flow directly into SharePoint, your organization retains:
- Data residency control
- Retention and disposal policies
- File governance
- Audit trails
- Compliance alignment with provincial privacy law
This avoids the data-sovereignty risks inherent when using Microsoft Forms while maintaining a familiar Microsoft-based workflow.
Why This Matters for Canadian Schools, Universities, Municipalities, and Public Agencies
Canadian institutions increasingly rely on online intake. Common examples include student applications, HR onboarding, FOIPOP requests, public complaints, facility bookings, service requests, and program registrations. But many of these workflows involve personal or sensitive information. In these cases, provincial law prohibits that information from being stored outside the country.
Using Microsoft Forms, no matter how convenient, means automatically routing this information to the U.S.
Choosing SOS Intake means:
- Sensitive data stays within your tenant
- No cross-border data exposure
- No conflict with BC, NS, QC, AB privacy requirements
- No risk of U.S. federal surveillance obligations
- No vendor-hosted storage
For organizations that rely on Microsoft 365 and must meet strict Canadian privacy expectations, this is not only a governance improvement, it is a legal necessity.
Conclusion
Microsoft Forms works—until you're a Canadian public institution. Then its U.S. data residency becomes a compliance liability. Schools, municipalities, universities, and government agencies can't afford tools that conflict with Canadian privacy frameworks. Data sovereignty isn't optional anymore. SOS Intake delivers Canadian data residency for Canadian institutions.
About the Author
Sabrina Tam