Comparison of email platforms for Canadian therapist compliance

Google Workspace vs Microsoft 365 vs ProtonMail for Canadian therapy practices

Gabriel Borges 16 min read

Canadian therapists asking “which email should I use?” are usually asking a different question: “which email won’t get me in trouble with PHIPA?” The answer is less satisfying than you’d hope. None of the three most common options checks every compliance box out of the gate. Each one has real strengths, real gaps, and trade-offs that matter differently depending on your practice size, technical comfort, and risk tolerance.

This post compares Google Workspace, Microsoft 365, and ProtonMail across the criteria that actually matter for PHIPA compliance. The goal isn’t to declare a winner. It’s to give you enough information to make a decision you can defend.

How to read this comparison

PHIPA (Ontario’s Personal Health Information Protection Act) requires health information custodians to implement “reasonable safeguards” when handling personal health information (PHI). Other provinces have comparable legislation: Alberta’s HIA, BC’s PIPA, and Quebec’s Law 25 each impose similar obligations. This comparison uses PHIPA as the reference framework because it’s the most commonly cited, but the criteria below (encryption, access logging, data residency, consent management) matter across all Canadian jurisdictions. Our PHIPA compliance guide for Gmail covers the Ontario legal framework in more detail.

The comparison below evaluates each provider against nine criteria. Some are hard requirements under PHIPA. Others are practical considerations that affect whether you’ll actually stick with the solution you choose.

Google Workspace

Google Workspace is what most therapists already use. It’s familiar, the suite is tightly integrated, and the learning curve is minimal. That familiarity is its biggest advantage and, paradoxically, its biggest risk: therapists assume that because Gmail “works,” it works for PHI. It doesn’t, not without configuration.

Strengths

Full productivity suite. Gmail, Calendar, Drive, Meet, Chat, Docs, Sheets, and Forms all work together. For a solo therapist or small group practice, this covers every operational need.

BAA available. Google offers a HIPAA Business Associate Amendment on Business Standard and above. While HIPAA is a US law, the BAA is the closest thing to a data processing agreement for health data in Google’s ecosystem. It commits Google to specific data handling obligations. Signing it takes two minutes and costs nothing. There’s a step by step walkthrough in our admin console guide.

Decent admin controls. The admin console lets you enforce 2FA, restrict file sharing, set TLS compliance rules, and manage user permissions. Most therapists never touch these settings, but they’re there. And because every client, referral partner, and colleague already uses Gmail, interoperability is never an issue.

Weaknesses

No Canadian data residency. Google Workspace data regions offer three choices: United States, Europe, or No Preference. Canada is not an option. Google’s own data region documentation confirms this. Your email, Drive files, and Calendar data will live on servers outside Canada. The CLOUD Act compounds this: it applies to US headquartered companies regardless of where data is physically stored, meaning data on Google’s servers is potentially accessible to US authorities whether it sits in the US or Europe. For context on why this matters, see our cross provincial privacy law comparison (coming soon).

No automatic email encryption. Gmail uses TLS for encryption in transit, but TLS only works if the receiving server also supports it. There’s no way to guarantee end to end encryption, and there’s no built in mechanism to automatically encrypt messages that contain PHI. Our Hushmail vs Gmail comparison covers the different encryption approaches and their limitations.
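One way to see this limitation in a delivered message is to read its Received headers, where each receiving server records the protocol it accepted the message over (ESMTPS or ESMTPSA means the hop used TLS, plain SMTP or ESMTP means it did not). The following is an added example, not code from this guide or from Google; the hostnames, addresses and sample message are constructed.

```python
import email
import re
from email import policy

# "with" keywords that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

# Constructed sample: submission used TLS, final delivery did not.
SAMPLE = """\
Received: from mail-out.provider.example (mail-out.provider.example [198.51.100.7])
    by mx.client-isp.example with ESMTP id 4Zq1example
    for <client@client-isp.example>; Tue, 03 Mar 2026 10:15:02 -0500
Received: from laptop.local ([203.0.113.24])
    by smtp.provider.example with ESMTPSA id 7Hk2example
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Tue, 03 Mar 2026 10:15:01 -0500
From: therapist@clinic.example
To: client@client-isp.example
Subject: Appointment reminder

See you Thursday.
"""


def hop_report(raw_message):
    """Return one dict per hop, ordered from sender to recipient."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each server prepends its Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # undo header folding
        proto = WITH_RE.search(text)
        sender = FROM_RE.search(text)
        receiver = BY_RE.search(text)
        # A missing or unrecognised keyword is treated as "TLS not confirmed".
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    return hops


def cleartext_hops(raw_message):
    """Hops where the headers do not show TLS."""
    return [hop for hop in hop_report(raw_message) if not hop["tls"]]
```

Received lines are written by whichever server handled the hop, so only the ones stamped by servers you trust are reliable evidence.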

AI features process your email content by default. Smart Compose, Smart Reply, and Gemini all read your messages to generate suggestions and summaries. While the Information and Privacy Commissioner of Ontario (IPC)’s January 2026 guidance focuses on AI scribes, its principle that consent is “generally required” for AI processing of health information is relevant to any feature that processes PHI. These features need to be disabled in the admin console, and doing so requires toggling multiple settings across different sections.

Google Workspace also has no built in mechanism for consent tracking (PHIPA requires documented consent for electronic communication of PHI) and no PHIPA specific audit trail. The admin console has some logging under Reporting > Audit and Investigation, but it doesn’t produce the structured, immutable records that regulatory bodies expect.

Pricing (USD/user/month, flexible plan)

| Plan | Price (USD) | Data regions |
|---|---|---|
| Business Starter | $8.40 | No |
| Business Standard | $16.80 | Yes (US/Europe only) |
| Business Plus | $26.40 | Yes (US/Europe only) |

Google publishes USD pricing. At current exchange rates, expect roughly 15-20% more in CAD. While the BAA is technically available across paid Google Workspace editions, Business Starter lacks data region controls, Google Vault, and other compliance tooling that makes HIPAA alignment practical. If you’re running a health practice on Starter, upgrade to at least Standard before doing anything else.

Microsoft 365

Microsoft 365 is less common among solo therapists but widespread in larger practices, clinics, and healthcare organizations. Its biggest differentiator for Canadian compliance is something Google can’t match: Canadian data residency.

Strengths

Canadian data residency is available. Microsoft operates datacenters in Toronto and Quebec City. For Canadian tenants, Microsoft commits to storing core customer data at rest within Canada for Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. This is documented in Microsoft’s data residency commitments and represents a meaningful compliance advantage over Google Workspace. For therapists in provinces where cross border data storage is a concern, this matters.

Message encryption (OME) available on higher tiers. Microsoft Purview Message Encryption (formerly OME) lets you send encrypted emails to recipients outside your organization. Recipients open encrypted messages through a secure portal using a one time passcode or by signing in with a Microsoft account. This is natively included on Business Premium and E3/E5. Business Standard users can add it via an Azure Information Protection Plan 1 add-on, but it is not included out of the box.

Microsoft also provides a Data Processing Addendum that covers data processing obligations under various privacy frameworks. Combined with Canadian data residency, this gives you a stronger contractual foundation than Google’s BAA alone.

Purview compliance tools. Microsoft Purview (formerly Compliance Center) offers data loss prevention, sensitivity labels, retention policies, and eDiscovery. These tools are more mature than anything in Google’s admin console, though they come with complexity.

On the audit logging side, Microsoft 365 has unified logging across Exchange, SharePoint, Teams, and OneDrive. On higher tier plans, audit logs are retained for up to a year (or longer with add-ons). The logging is more detailed and more configurable than Google Workspace’s equivalent.

Weaknesses

Complex admin interface. Microsoft’s admin experience is split across multiple portals: the Microsoft 365 admin center, Exchange admin center, Azure Active Directory, Purview compliance portal, and Defender. Configuring everything correctly requires switching between these. For a solo therapist without IT support, this is a genuine barrier.

Encryption adds friction for recipients. When you send an encrypted email via OME, the recipient either needs a Microsoft account or must request a one time passcode. The passcode flow works, but it adds steps. Clients who are already anxious about technology may find this frustrating. The experience is not as smooth as regular email.

If you’ve used Gmail for years, switching to Outlook means relearning interface patterns, folder structures, and keyboard shortcuts. This is a practical consideration that affects whether your team actually adopts the switch or quietly reverts.

AI processing concerns. Microsoft Copilot processes content across Microsoft 365 apps, similar to Google’s Gemini. The same IPC consent principle applies: while the January 2026 guidance targets AI scribes specifically, any AI feature that processes PHI raises the same consent questions. Copilot is an add-on ($30 USD/user/month), so it’s not on by default, but if your organization enables it, you’ll need to address consent.

No built in consent tracking for PHIPA. Like Google Workspace, Microsoft 365 has no native mechanism for tracking client consent for electronic communication of PHI. Purview can enforce data policies, but consent management requires a separate solution.

Pricing (CAD/user/month, approximate)

| Plan | Price (CAD) | Message encryption | Canadian data residency |
|---|---|---|---|
| Business Basic | ~$8.10 | No | Yes |
| Business Standard | ~$17.00 | Add-on only | Yes |
| Business Premium | ~$29.80 | Yes (native) | Yes |

Pricing changes periodically; check Microsoft’s Canadian pricing page for current rates. Business Basic includes Canadian data residency but lacks message encryption. Business Premium includes native Microsoft Purview Message Encryption. Business Standard can add encryption via an Azure Information Protection Plan 1 add-on.

ProtonMail

ProtonMail is the option therapists encounter when they search for “secure email.” It has a strong reputation in privacy circles, and that reputation is deserved. But “secure” and “PHIPA compliant” are not the same thing.

Strengths

End to end encryption by default. This is ProtonMail’s core selling point, and it’s real. Every email between ProtonMail users is encrypted end to end, meaning ProtonMail itself cannot read the contents. For emails to non ProtonMail users, you can send password protected messages that recipients open via a link. This is the strongest encryption model of the three providers.

Zero knowledge architecture. ProtonMail cannot access your mailbox contents, even if compelled by law enforcement. The encryption keys are held by the user, not the provider. This eliminates an entire category of risk that exists with both Google and Microsoft, where the provider holds the keys.

Swiss data residency. ProtonMail stores data in Switzerland, which has some of the strongest privacy laws in the world. Article 271 of the Swiss Criminal Code prohibits Swiss companies from directly providing data to foreign authorities. However, foreign governments can submit requests through Swiss mutual legal assistance treaties (MLATs), which are then evaluated by Swiss courts under Swiss law. While this isn’t Canadian data residency, the jurisdictional protections are substantially stronger than US based alternatives.

ProtonMail does not use AI or machine learning to process email content. No smart compose suggestions, no automated summaries, no content scanning of any kind. The IPC consent question doesn’t arise.

Privacy first ethos. ProtonMail’s business model is subscriptions, not advertising. There is no incentive to mine your data.

Weaknesses

No Canadian data residency. ProtonMail’s servers are in Switzerland. While Swiss privacy protections are strong, the data is not in Canada. For therapists whose regulatory framework emphasizes Canadian storage, this is a gap. The jurisdictional argument differs from US based providers (Switzerland has stronger protections than the US), but it’s still not Canadian soil.


Growing but still limited ecosystem. ProtonMail’s ecosystem has expanded. In addition to Proton Calendar, Proton Drive, and Proton VPN, Proton now offers Proton Docs (a Google Docs alternative with real time collaboration, launched July 2024), Proton Sheets (launched December 2025), and Proton Meet (end to end encrypted video conferencing, launched September 2025). However, these tools are newer and less mature than Google’s or Microsoft’s equivalents. If your practice relies on advanced spreadsheet features, presentation tools, or full featured video conferencing, you may still find gaps compared to Google Workspace or Microsoft 365.

Migration is painful. Switching to ProtonMail means getting a new email address (you can use a custom domain, but the migration process itself requires moving all existing email, reconfiguring contacts, and notifying every client and referral source). There is no import tool that makes this painless. For an established practice, this is a substantial operational cost.

ProtonMail does offer a HIPAA Business Associate Agreement (available at proton.me/legal/baa-model), and organizations can request a signed BAA by contacting legal@proton.me. This is a relatively recent addition. The BAA is US focused (HIPAA), though, and ProtonMail does not offer a Canadian specific data processing agreement for PHIPA.

Limited admin controls. Proton for Business includes basic user management, but the admin tools are minimal compared to Google Workspace or Microsoft 365. There are no data loss prevention rules, no content compliance policies, no conditional access controls.

No PHIPA specific features. ProtonMail doesn’t offer consent tracking, healthcare oriented audit logs, or regulatory compliance tools. Its strength is privacy, not regulatory compliance. These overlap, but they’re not identical.

Pricing (EUR or USD/user/month)

| Plan | Price | E2E encryption | Custom domain |
|---|---|---|---|
| Mail Plus (individual) | EUR 4.99 | Yes | Yes (1 domain) |
| Mail Essentials (business) | $6.99-7.99 | Yes | Yes |
| Mail Professional (business) | $9.99 | Yes | Yes |
| Proton Business Suite | $12.99 | Yes | Yes (full suite) |

Proton uses EUR for individual plans and USD for business plans. Check proton.me/business/plans for current pricing. The Business Suite includes email, calendar, drive, docs, sheets, meet, and VPN.

Side by side comparison

| Criterion | Google Workspace | Microsoft 365 | ProtonMail |
|---|---|---|---|
| Canadian data residency | No (US or Europe only) | Yes (Toronto, Quebec City) | No (Switzerland) |
| Encryption in transit | TLS | TLS | TLS + end to end |
| Encryption at rest | Provider managed keys | Provider managed keys | Zero knowledge (user keys) |
| End to end encryption | No | OME (portal based) | Yes, by default |
| BAA/DPA | BAA (HIPAA) | DPA | BAA (HIPAA) |
| PHIPA specific features | None | None | None |
| Audit logging | Basic | Detailed, configurable | Minimal |
| AI data processing | On by default (can disable) | Copilot is add-on (off by default) | None |
| Ecosystem completeness | Full suite | Full suite | Growing suite (email, calendar, drive, docs, sheets, meet) |
| Migration difficulty | Low (most common) | Medium | High |
| Pricing (mid tier) | $16.80 USD/mo | ~$17.00 CAD/mo | $9.99 USD/mo |

Bold entries indicate a meaningful advantage within that row.

The honest take

No single option satisfies every PHIPA requirement out of the box. Not one. Each provider made architectural decisions that prioritize different things, and those decisions create different compliance gaps.

Google Workspace is the most practical choice for most therapists. The ecosystem is complete, the learning curve is low, and the admin console (once configured) provides reasonable baseline controls. But it has the most compliance gaps: no Canadian data residency, no automatic encryption, AI features that require manual disabling, and no consent tracking. That’s a long list. If you’re already on Google Workspace, the admin console security guide and the AI features guide will close the gaps that configuration alone can address.

Microsoft 365 has the strongest compliance story of the three. Canadian data residency is a genuine, documented commitment. Message encryption exists. Purview offers compliance tools that Google and ProtonMail can’t match. The trade-off is complexity. Setting up Microsoft 365 correctly for a health practice requires working across multiple admin portals, and the learning curve is steeper if your team is coming from Gmail. For larger practices with IT support, Microsoft 365 is worth serious consideration. For solo therapists who handle their own tech, the admin burden is real.

ProtonMail has the best encryption and the strongest privacy posture. Zero knowledge architecture and end to end encryption eliminate risks that the other two providers carry. Proton now offers a HIPAA BAA and has expanded its ecosystem with Docs, Sheets, and Meet. But encryption is only one dimension of PHIPA compliance. The newer ecosystem is less mature, the migration path is still painful, and the absence of audit logging or consent tracking means that ProtonMail solves the encryption and privacy problem well while leaving others unaddressed. It’s a stronger choice than it was a year ago, but it’s still an incomplete choice for full regulatory compliance.

What this means for your practice

The right choice depends on what you can accept and what you can supplement.

If your priority is staying with what you know, Google Workspace is the starting point. You’ll need to add a compliance layer, but you won’t need to change how you work day to day.

Canadian data residency narrows the field to one option: Microsoft 365. That matters for compliance with provincial health privacy laws, and no other provider can match it.

ProtonMail gives you the strongest encryption. Just know that you’ll be building the rest of your compliance program around it, using separate tools for scheduling, video calls, document storage, and audit logging.

Most therapists will end up choosing based on practicality: what they already use, what their clients expect, and what they can realistically manage alongside clinical work. That’s a reasonable approach, as long as you document the trade-offs you accepted and the steps you took to mitigate them.

Closing the remaining gaps

Whichever provider you choose, gaps remain. None of the three offers PHIPA consent tracking. None produces the kind of audit trail that regulatory bodies expect. Google and Microsoft both have AI processing concerns (though Microsoft’s Copilot is at least opt in rather than on by default). ProtonMail now offers a BAA but still lacks audit logging and consent tools.

Compliance gaps like consent tracking and audit trails require separate tools regardless of which provider you pick. Curio is building this layer for Google Workspace. Other solutions target Microsoft 365 or work across providers.

But the first step isn’t choosing a tool. It’s understanding what your current setup does and doesn’t cover. Pick the provider that fits your practice, configure it properly, and document your reasoning. That documentation, showing that you assessed the risks and made a deliberate choice, is itself a meaningful compliance step.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
