Hey folks, I'm working on building a live streaming platform in Quebec with a small team. We're using a modern tech stack including Next.js (on Vercel), Supabase with PostgreSQL, and LiveKit for our video infrastructure. Our clients have laid out some stringent security requirements, including role-based access control, data hardening, detailed audit logging, and encryption for data both at rest and in transit. The major challenge I'm facing is complying with Quebec's Law 25 on Data Residency.
Here's where we stand:
• Vercel: While it's fantastic for the frontend, they've indicated (through their AI responses and documentation) that even if we set our function region to Montreal (yul1), they can't assure us that metadata or transit data won't be processed in the US.
• Supabase: This option can be kept hosted on AWS Montreal, which seems like a solid choice for our core data.
• LiveKit: We're torn between using their cloud service or opting for self-hosting on a dedicated server in Canada to ensure our video streams stay within the country.
Any advice from those familiar with this environment or recommendations for Quebec-based businesses who can guide us on security compliance would be greatly appreciated!
5 Answers
Is your platform primarily focused on voice and video, or is there an element of real-time AI that you're planning to incorporate?
You can actually deploy Next.js using AWS instances. I’ve used AWS-Amplify for this before, but check if they allow data restrictions. Since Supabase permits that, it could be worthwhile to explore that option. Also, self-hosting Next.js is an option if you want more control!
Make sure you double-check the law—does it specify where data can transit, or just where it has to be stored? Given your limitations, it might be worth considering cloud providers like AWS or GCP that are more accommodating to legal requirements.
It sounds like you’ve chosen a pretty American-centric stack for a Quebec-first application. Vercel really can’t guarantee what you need regarding data residency, while Supabase is a bit easier to control. I seriously recommend self-hosting LiveKit to avoid relying on their promises. Also, it might be a good idea to consult with a lawyer before making any final choices—nobody wants to face a hefty fine.
There are plenty of alternatives for hosting Next.js beyond Vercel, which is known to be subpar. Plus, you can self-host Supabase if you'd rather not use their managed services. Not familiar with LiveKit myself, though!
It's definitely a voice and video setup!