Requirement for cloud service providers to be registered in the Controlled Goods Program

Communiqué: April 9, 2021

Individuals and organizations registered in Public Services and Procurement Canada’s Controlled Goods Program are required to safeguard their controlled goods (including associated controlled goods technical data) from any unauthorized examination, possession, or transfer pursuant to the Defence Production Act and the Controlled Goods Regulations.

To provide storage for controlled goods data, cloud service providers must be registered in the Controlled Goods Program. Registration is required regardless of the technique or level of encryption used. When using cloud services, Program registrants are responsible for verifying that the service provider holds a valid Controlled Goods Program registration to store controlled goods data on their servers within Canada by referencing the list of individuals and organizations registered in the Controlled Goods Program.

If the cloud servers are located outside of Canada, registrants in the Controlled Goods Program should liaise with Global Affairs Canada for all matters related to export controls, as this service constitutes an export.

The transfer and/or storage of controlled goods data (including back-up technical data) with cloud service providers that do not hold a valid Controlled Goods Program registration constitutes an offence pursuant to Sections 37 and 44 of the Defence Production Act. In such cases, the following remedial step must be taken:

Helpful reminders:

Contact us

If you have any questions regarding this requirement, please contact the Controlled Goods Program.

Date modified: