Kiteworks VP: Sovereignty Gap Fuels Channel Growth

Kiteworks’ channel VP explains Canada’s data sovereignty gap, CLOUD Act risk, and why partners can turn compliance, AI governance, and infrastructure into growth.

Mar 2, 2026

David Byrnes is the vice president of global channels at Kiteworks, where he works at the intersection of data sovereignty, channel strategy, and cross-border compliance. 

The company recently shared findings from its 2026 Data Sovereignty report, showing where gaps remain for Canadian firms and how channel partners can meet those needs while expanding their own opportunities.

In this Q&A, he explains why the current threat environment is structural rather than educational, where the biggest gaps exist for mid-market organizations, and why channel partners are uniquely positioned to lead the conversation.

The report shows that Canadian organizations score well on PIPEDA awareness and compliance. So, what’s the problem?

The surface numbers look strong—44% of Canadian respondents say they’re very well informed, and 79% report full PIPEDA compliance. But awareness hasn’t translated into architectural readiness. 

Nearly one in four Canadian organizations experienced a sovereignty incident in the past 12 months, and 40% now identify changes to Canada–U.S. data-sharing arrangements as their top regulatory concern. 

The gap isn’t knowledge—it’s the distance between what their policies promise and what their infrastructure can enforce.

You’ve called the CLOUD Act a “structural” problem. What do you mean by that?

When a Canadian organization stores data with a U.S.-headquartered cloud provider, that data can be subject to U.S. government access requests—even if the server sits in Montreal. 

No contract or vendor assurance overrides a lawful government access request under foreign law. 

That’s not a compliance gap you can close with a policy update. It requires infrastructure that isn’t subject to foreign jurisdiction, combined with encryption key custody that stays exclusively under the Canadian organization’s control.

What does “provable sovereignty” look like in practice?

It comes down to three architectural requirements. First, data residency enforced at the infrastructure level through technical controls like geofencing—not just a contractual promise. 

Second, encryption key custody retained within Canadian jurisdiction, so that foreign legal compulsion hits a cryptographic dead end. 

And third, exportable evidence—immutable audit trails, residency logs, and compliance documentation that can be produced on demand for regulators.

Turning compliance into customer trust and market access

Why do you see this as a channel opportunity rather than a vendor play?

Sovereignty conversations don’t start with a product evaluation. They start when a CISO or general counsel asks a question their current infrastructure can’t answer—questions like whether they can prove data has never left Canadian jurisdiction, or what happens if a U.S. court order reaches their cloud provider. 

Those are advisory-rich, services-heavy problems. The data backs it up: 65% of Canadian organizations cite technical infrastructure changes as their top resource drain, followed by legal and compliance expertise at 56%.

The report highlights a significant gap between large enterprises and mid-market organizations. How significant is it?

Mid-market organizations are falling behind by 15 to 25 percentage points on virtually every sovereignty maturity measure. 

Large enterprises spend above C$5 million annually on sovereignty, but only 19% of organizations with 500 to 999 employees hit that tier. 

Meanwhile, these mid-market firms face the same PIPEDA obligations, the same CLOUD Act exposure, and increasingly serious provincial enforcement—Quebec’s Law 25 can impose penalties up to C$10 million or two percent of worldwide turnover. 

Same regulatory surface area but with a fraction of the budget.

Where does AI fit into the sovereignty picture?

AI adds another layer of complexity. The report found that 37% of Canadian respondents keep all AI training data within Canada, while another 37% use a mixed approach based on data sensitivity. 

The problem is that a “mixed approach” is only defensible if the classifications are documented, auditable, and consistently enforced—and for most mid-market organizations, they’re not. 

Channel partners who can help customers formalize AI data localization policies before regulators come asking will own one of the highest-growth advisory practices in the market.

Is sovereignty purely a compliance cost, or is there a business case?

The business case is already clear in the data. Sixty-five percent of Canadian respondents associate sovereignty compliance with improved security posture, and 51% cite enhanced customer trust. 

More than half report that between 26% and 75% of their customers actively inquire about sovereignty practices. 

Sovereignty has become a customer-facing trust signal—channel partners who help organizations build and prove that posture aren’t selling a cost center, they’re selling market access and customer confidence.

What’s your advice for channel partners who want to lead with sovereignty?

Stop leading with the compliance checklist. The organizations that had incidents last year weren’t caught off guard by a regulation they hadn’t read—they were caught out by infrastructure that couldn’t enforce what their policies promised. 

The winning question isn’t “Are you PIPEDA-compliant?” It’s “Can you demonstrate where your data lives, who holds the keys, and what your exposure looks like if a foreign court order reaches your provider?” 

That question anchors a services engagement with no expiry date.

Victoria Durgin

Victoria Durgin is a communications professional with several years of experience crafting corporate messaging and brand storytelling in IT channels and cloud marketplaces. She has also driven insightful thought leadership content on industry trends. Now, she oversees the editorial strategy for Channel Insider, focusing on bringing the channel audience the news and analysis they need to run their businesses worldwide.
