The SQDC website was built in longueil (can't remember the name of the agency now...) and it's hosted here in Montreal with iWeb.
Imperva is a layer between the browser and the server, which exists to handle load balancing, DDOS detection, and delivering website assets (images or files). They do the same thing as Cloudflare.
Imperva doesn't know anything beyond your IP, and even with that, they can't do anything.
They can't differentiate between logged in and logged out users. They don't see your purchases, your credit card numbers, your address, or even your name. Even if the SQDC was accidentally leaking that info to them, the connection is encrypted with SSL so if everything is done right, Imperva only sees a bunch of encrypted data (useless) plus the IP.
Unless there's a conspiracy here, there's nothing inherently wrong. It does look a bit sketchy, and for that reason only I would've used a Canadian service for this, but that's it. What matters is where the data is stored, and that's in Montreal on Canadian servers. I've worked with iWeb before, they're legit.
Also, there is already legal precedent that an IP doesn't equal a human. It could've been a family member, a friend, or an intruder on your network that was browsing the SQDC site. Even by American law, the IP address is not enough to determine the identity of an individual, even if your internet provider gives up your name to the Americans (COBBLER NEVADA, LLC, v. THOMAS GONZALES).