Quebec, Loi 25, and why we built compliance-first
When American buyers ask "why is Manera in Quebec?", I give them the same answer in two parts.
Part 1: It's not a tax dodge
Manera Technologies Inc. is a federally-incorporated Canadian corporation registered in Quebec because that's where I live and run the company. There's no Cayman holding co, no Delaware flip. The corporate structure is one entity, one tax filing, one regulator.
What that means for buyers: - Your contract is with a Canadian C-corp under Canadian commercial law - Your invoice is in CAD or USD (your choice — we settle through Wise + Stripe) - Your data is stored in Cloudflare R2 with EU + Canada region pinning available
Part 2: Loi 25 makes us better, not slower
Quebec's Law 25 (formerly Bill 64) went into full force in September 2024. It's GDPR's stricter Quebec cousin, with five enforcement teeth:
1. **Privacy Officer** is mandatory and personally liable. (That's me.) 2. **Privacy Impact Assessment** required before any new product touches personal data. 3. **Breach disclosure** to the Commission within 72 hours. 4. **Data minimization** is a default — you must justify every field collected. 5. **Right to data portability + deletion** — and you can't hide behind retention pretext.
Compliance is not a feature we built. It's how the architecture had to work from day one. If we wanted to ship faster, we'd have moved to Delaware. We didn't.
What this means for AI-native buyers in 2026
The big AI infrastructure question of 2026 is *"where does the prompt go?"* Most US-based AI products today still send your prompts to OpenAI / Anthropic / xAI, which then send them through their own training pipelines unless you've signed an enterprise agreement specifically opting out.
Manera's stance: - **Anthropic is our LLM provider.** Anthropic's API terms (which govern our inference) bar training on API customer inputs by default — see [Anthropic's Commercial Terms](https://www.anthropic.com/legal/commercial-terms) + [Trust Center](https://trust.anthropic.com). - **Stripe is our billing provider.** PCI-DSS Level 1 — your card never touches our servers. - **Cloudflare is our edge + storage.** R2 region pinning available. WAF + DDoS at no extra cost. - **No model fine-tuning on customer data, ever.** We don't do retraining; we don't ask permission to.
Every flagship has a [DPA](/data-protection) (Article 28-style data processing agreement) on the data-protection page. Loi 25 + GDPR Article 28 + CCPA — same paper.
The SOC 2 roadmap
Honest accounting: we are **not** SOC 2 Type II as of 2026-05-04. We are pre-engagement.
Target timeline: - **Q3 2026**: engage audit firm (Vanta + Drata both offer the org tooling — we're choosing carefully) - **Q4 2026**: gap assessment + remediation - **Q1 2027**: Type I report - **Q3 2027**: Type II observation period closes - **Q4 2027**: Type II report ships
If you're a regulated buyer (bank, hospital, public-co), this is the honest answer. We do NOT claim SOC 2 in any pre-sales material until the report is real. We do offer: - DPA + technical & organizational measures (TOMs) document - Security questionnaire response (SIG Lite + CAIQ formats) - ISO 27001-aligned policies (not certified, but mapped) - Annual penetration test (third-party, redacted report on request)
Why Quebec is durable
Three reasons buyers tell me Quebec matters:
1. **Bilingual is non-negotiable for federal Canadian government, EU, and parts of Africa.** Manera ships EN + FR by default. Most US-only competitors have a French translation that reads like Google Translate output. Ours is mine.
2. **Quebec's hydropower grid is the cheapest renewable electricity in North America.** When we expand compute, we expand at <50% the carbon cost of US East-1.
3. **Loi 25 + GDPR + Bill 96 (French language) is a regulatory bundle most US founders won't tackle.** That's a moat, not a tax.
What we're explicitly NOT
- **Not "Canadian-only" in market reach.** We sell to US, UK, EU, AU, JP. Just incorporated in Canada. - **Not "we'll leave when revenue scales".** The corporate domicile is structural. - **Not "compliant by checkbox".** Every flagship's evidence pack is generated from actual telemetry, not a static document.
What I want buyers to do
If you're evaluating us against Bloomberg / CrowdStrike / Westlaw / Vanta — ask the incumbent for the equivalent of [/data-protection](/data-protection). See how long it takes them to send it. Compare.
— Kao