Requirement for cloud service providers to be registered in the Controlled Goods Program
Communiqué: April 9, 2021
Individuals and organizations registered in Public Services and Procurement Canada’s Controlled Goods Program are required to safeguard their controlled goods (including associated controlled goods technical data) from any unauthorized examination, possession, or transfer pursuant to the Defence Production Act and the Controlled Goods Regulations.
To provide storage for controlled goods data, cloud service providers must be registered in the Controlled Goods Program. Registration is required regardless of the technique or level of encryption used. When using cloud services, Program registrants are responsible for verifying that the service provider holds a valid Controlled Goods Program registration to store controlled goods data on their servers within Canada by referencing the list of individuals and organizations registered in the Controlled Goods Program.
If the cloud servers are located outside of Canada, registrants in the Controlled Goods Program should liaise with Global Affairs Canada for all matters related to export controls, as this service constitutes an export.
The transfer and/or storage of controlled goods data (including back-up technical data) with cloud service providers that do not hold a valid Controlled Goods Program registration constitutes an offence pursuant to Sections 37 and 44 of the Defence Production Act. In such cases, the following remedial step must be taken:
- Program registrants must remove all controlled goods data from the unauthorized cloud immediately and store them exclusively on their local secure servers, or with a cloud service provider registered in the Controlled Goods Program
Helpful reminders:
- A Program registrant’s security plan should always cover procedures regarding access to and the security of controlled goods data, whether they are stored on local networks, stand-alone desktops/laptops, flash drives, plug-and-play storage devices, backed-up offsite or remotely-accessed by company employees
- For more information about security plans and requirements, please check the Security Plan Guidelines on the Program’s website
Contact us
If you have any questions regarding this requirement, please contact the Controlled Goods Program.