Export permits for cryptographic items

Bona fide Canadian and US Corporations export permit

Summary: This type of permit allows exports of hardware, executable software, and associated information and enhancements to any foreign consignee that is majority-owned by a Canadian- or US-based parent company. There are no reporting requirements.

Coverage

Bona fide Canadian and US Corporations export permits allow the export to “Canadian and American Corporations” (which are defined for the purpose of this permit as foreign consignees that are majority-owned by Canada- or US-based parent companies), except those in a list of negative countries by any means of the following:

  • Goods that incorporate cryptography that is controlled in Category 5, Part 2 of Group 1 of the Export Control List;
  • Executable code (object code) of those cryptographic goods;
  • Technical information which is the minimum necessary for the installation and operation of those cryptographic goods;
  • Maintenance releases and product upgrades which do not contain:
    • enhancements to the cryptographic component(s), module(s) or interface(s) or change the cryptographic functionality of those cryptographic goods; or
    • source code or pseudo-code of the cryptographic component(s), module(s) or interface(s).

Prohibitions

Bona fide Canadian and US Corporations export permits explicitly exclude, in the terms and conditions stated on each permit, exports:

  • to countries that are included in the Area Control List; that are subject to Canadian economic sanctions (including those implemented under the United Nations Act or the Special Economic Measures Act); that are excluded from the application of General Export Permit No. 12; and that are subject to sanctions under the Export and Import Permits Act;
    • As of June 2011, these countries are the following: Afghanistan, Belarus, Burma (Myanmar), Cote d'Ivoire, Cuba, Democratic Republic of the Congo, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya,North Korea, Pakistan, Rwanda, Sierra Leone, Somalia, Sudan, Syria, Zimbabwe.
  • for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons;
  • of technical information related to design, development or implementation of the crypto; and
  • of source code or pseudo-code, in any form, of the crypto.

Applications

Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using EXCOL and have not done so before. You should send an email to tie.reception@international.gc.ca and request that your EXCOL profile to be set to enable applications for multidestination cryptography permits.

Applications for Bona fide Canadian and US Corporations export permits must include the following:

  • complete application form (generally done through our online system EXCOL)
  • a completed cryptography and information security product questionnaire
  • technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, block diagrams, exploded view drawings, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit

Exporters of information securitygoods/technology and goods/technology employing cryptography should note the following guidelines on identifying items in an export permit application:

  • Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
  • Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
  • Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the EXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the EXCOL application form).
  • The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.

An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.

Compliance

After issuance of a Bona fide Canadian and US Corporations export permit, the exporter must:

  • comply with other terms and conditions that may be stated on an export permit. Exporters are obliged to comply with these conditions when they export under the authority of the permit. Exporters must review the terms and conditions upon receipt of the export permit and prior to exporting, and may contact the Export Controls Division (email tie.reception@international.gc.ca) for more information.
  • comply with provisions of the Export and Import Permits Act which require, inter alia, the keeping of records for at least six years after the end of the year to which they relate and that such records be provided upon demand to an officer of the Export Controls Division. Exporters using this permit must retain documentation, which may include contracts, invoices, requests for products, statements of work, specific correspondence, (if applicable) vendor/reseller/distributor agreements, an end-use statement (following the template provided for individual permits), and bills of lading, which demonstrate that the exporter has undertaken due diligence. The purpose of due diligence is to verify that the transaction adheres to the permit and its specific terms and conditions.