Notice to exporters no 1159 – Guidance on the movement to and storage of controlled technology in the Cloud
Purpose
The purpose of this notice is to clarify instances when the use of cloud services constitutes a transfer of controlled technology within the meaning of the Export and Import Permits Act (EIPA) and an export permit is required.
Because this topic is technical, a list of frequently asked questions (FAQs) is included in this notice.
Disclaimer
This guidance exclusively concerns the EIPA and its regulations, and not other legislative frameworks, even where they relate to the export of goods or technology and use similar terms. These other frameworks, including the Nuclear Safety and Control Act, the Food and Drugs Act or other acts and regulations in Canada may operate under different principles and should be understood separately.
Many items controlled under the EIPA are also controlled under the Defence Production Act and Public Services and Procurement Canada’s Controlled Goods Program (CGP). For specific information on how to meet CGP requirements for controlled goods and data using cloud service providers based in Canada, consult Public Services and Procurement Canada’s Guidance on using or providing cloud solutions for controlled goods data.
Background
Industry increasingly relies on cloud computing solutions to store and share files. These services allow businesses and individuals to access data and services from anywhere, allowing them to develop more flexible business processes at lower cost.
At the same time, the growing adoption of cloud solutions can make it harder for businesses and individuals to understand how to comply with regulations governing the export of controlled technology. Given that cloud solutions involve storing data on servers that can be located all over the world, it is important to know when a controlled technology is being disclosed outside of Canada within the meaning of the EIPA and requires an export permit.
Applicable definitions
Under the EIPA:
Technology includes technical data, technical assistance and information necessary for the development, production or use of an article included in an Export Control List or a Brokering Control List
- For clarity, in this guidance, the examples listed (technical data, technical assistance, and related information) are not exhaustive. Other forms of information may also be considered “technology” if they are specified on the Export Control List. This can include not only original files, but also telemetry or derived data (e.g., metadata, logs, disaster recovery snapshots) when they include controlled information.
Transfer means, in relation to technology, to dispose of it or disclose its content in any manner from a place in Canada to a place outside Canada.
- For clarity, in this guidance, a transfer is the legal concept set out in the EIPA, and in the case of technology one of the ways it can occur is through disclosure. The term disclosure is used in the sections that follow to describe the circumstances in which a transfer takes place.
Interpretation: disclosure is based on access to controlled technology outside of Canada
It is a transfer if the content of a controlled technology is disclosed from a place inside Canada to a place outside of Canada. Global Affairs Canada interprets that controlled technology is disclosed if it is sent from Canada and stored in a foreign location in a way that creates a reasonable possibility that a person located outside of Canada would be in a position to examine that technology. This means that a transfer is not likely to occur when a controlled technology is sent from Canada and stored in a foreign location if there is not a reasonable possibility that a person outside of Canada would be in a position to access or examine that technology, and where no such access or examination in fact occurs.
For the purposes of this guidance, reasonable possibility means more than a mere possibility, but less than the standard of more likely than not. In other words, if there is more than a remote possibility that the controlled technology may be examined by a person outside of Canada in a usable form – either directly or because they hold decryption keys or access rights in a way that creates more than a remote possibility of access – the movement and storage of technology outside of Canada may be considered a “transfer” and require an exporter to apply for a permit. This determination does not require clear and definitive evidence or certainty that the technology has been or will be viewed outside of Canada; only whether there is a reasonable possibility that it could be viewed outside of Canada.
For greater certainty, when determining whether there is a transfer under the EIPA, the location of servers hosting controlled technology only matters if it affects the reasonable possibility that the technology could be disclosed outside Canada. The presence of servers or service providers in certain jurisdictions may increase this possibility — for example, where local law or practice makes unauthorized access more than a remote risk.
Some governments have legal regimes that allow them to compel access to information held on cloud servers. The mere fact that a cloud service provider is subject to a legal access regime does not, by itself, create a reasonable possibility of disclosure. In assessing risk, technology holders should consider:
- the strength of the technical and organizational measures used by the Cloud Service Provider (CSP) to protect their data, and
- whether meaningful legal safeguards exist, including opportunities for the provider or holder to be notified and to challenge or appeal a request for access by a foreign government.
Technology owners (e.g., companies or researchers) and Cloud Service Providers (CSPs) can adopt security practices to make the likelihood of disclosure remote such that no export permit is required. As an example, when technology holders adopt safeguards consistent with the Canadian Centre for Cyber Security’s Guidance on cloud security assessment and authorization, Global Affairs Canada (GAC) will generally consider that there is not a reasonable possibility that a person abroad could examine the technology and will not require an export permit. Other recognized security frameworks that offer equivalent safeguards may also be relied on to demonstrate that no permit is required, so long as they reduce the likelihood of foreign disclosure to the same or greater extent.
Examples:
In general, it is a transfer when:
- A person located outside of Canada (such as IT personnel or a company employee) holds decryption keys or routine access rights that create more than a remote possibility the technology may be examined.
- The technology is moved to a foreign location in a manner that is not sufficiently safeguarded from disclosure (such as without industry-standard strong encryption and identity and access management).
- A cloud service provider creates an unencrypted disaster recovery snapshot that contains controlled technology, and that snapshot is stored on servers outside Canada where foreign administrators can access it.
In general, it is not a transfer when:
- A Canadian company moves the controlled technology from a server located in Canada and stores it in a server located in a foreign country using industry-standard strong encryption, provided that the encryption key is managed in a way that ensures there is no more than a remote possibility the technology could be examined by persons outside of Canada.
- A foreign company moves controlled technology from a server located outside Canada and stores it in a server located in Canada using industry-standard strong encryption and then accesses their own data, provided that no persons located in Canada have access to the foreign uploaded technology (meaning that the technology can only be accessed from outside Canada and the Canadian CSP cannot examine the content on their server).
- Controlled technology held in a sufficiently encrypted format on a server outside of Canada is momentarily decrypted through non-human intervention — such as to accomplish a software function (e.g., spell-check, translation, formatting), or for automated processing in AI/ML or GPU workloads — and held on a closed system (meaning no human access is possible) where all unencrypted copies are destroyed and no disclosure or further use occurs.
Shared responsibility to prevent unauthorized transfers:
When cloud services are used, both the owner of the controlled technology and the CSP have a degree of care and control of the technology. In practice, responsibilities follow a model of shared responsibility where CSPs secure the cloud infrastructure itself, while technology owners are responsible for how controlled technology is deployed, configured, and accessed within it. For example:
- Technology owners are responsible for ensuring that their use of the cloud does not cause a transfer within the meaning of the EIPA. This includes due diligence in selecting a CSP with appropriate safeguards, as well as configuring and managing services (e.g., encryption keys, access controls, and data placement) in a way that prevents unintended disclosure.
- CSPs are responsible for truthfully representing their security practices and for operating their platforms consistently with them. Where a CSP represents that it operates with appropriate safeguards for configuring and managing services, it must maintain those safeguards in a way that avoids creating a reasonable possibility of foreign disclosure, and it must notify technology holders promptly if a disclosure has occurred or is likely to occur. CSPs also play a critical enabling role by providing tools such as encryption, identity and access management, network security, and logging that allow owners to meet their obligations under the EIPA.
Because functions are often shared, responsibility may overlap. For this reason, technology owners and CSPs are encouraged to work together to ensure that controlled technology is moved and stored securely and to reflect appropriate safeguards in contractual agreements. This process should include consideration of not only the CSP’s security policies and tools but also the policies and behaviour of foreign governments where the CSP is based.
Export permit requirements and options
Technology holders are responsible for obtaining an export permit from the Minister of Foreign Affairs before providing access to controlled technology to persons located outside Canada. In cases where there is uncertainty whether use of cloud services to move or store controlled technology would constitute a “transfer” under the EIPA, technology holders are encouraged to apply for an export permit.
Where applicable, certain permit types can offer flexibility to reduce the administrative burden of applying for and receiving an export permit for disclosures via the cloud. These may include instruments like multi-destination permits and General Export Permits.
However, technology holders should note that no export permits authorize unintended disclosures (e.g., security breaches). In cases of unauthorized disclosure, technology holders should refer to the section on disclosure of incidents and accidents below.
Disclosure of incidents and accidents
On occasion, responsible technology holders may discover that controlled technology has been handled in a way that does not fully meet the requirements of the EIPA. For example, a technology holder may become aware of a situation where controlled technology has or might have been decrypted and examined or where derived data (such as logs or snapshots) have or might have been made accessible – intentionally or unintentionally – by a person outside of Canada without being authorized by an export permit.
In situations like these, technology holders are encouraged to submit a Disclosure of Non-Compliance using the process set out in Section G.7. of the Export and Brokering Controls Handbook. Early disclosure helps mitigate potential impacts and demonstrates good faith in meeting compliance obligations.
Frequently asked questions
Q1: In cases where an export permit may be needed for transfers of technology using the cloud, who is responsible for applying for an export permit?
A1: As explained in the guidance, both cloud service users and cloud service providers (CSPs) share responsibility for the movement and storage of controlled technology in the cloud. The general responsibilities of each party are described under the heading “shared responsibility for non-disclosure”.
The appropriate applicant for an export permit will depend on the particular transaction. In general, the appropriate applicant is the person or organization who is responsible for the transfer that is the subject of the application. It is expected that in most cases this would be the cloud service user and not the CSP.
Parties should also note that export permits can only be issued to “Residents of Canada” as defined in the Export and Import Permits Act (EIPA), though a resident may apply for a permit while acting on behalf of a non-resident.
In cases where there is uncertainty, parties are encouraged to submit an export permit application.
Q2: Who is responsible for disclosing incidents and accidents that could lead to the disclosure of controlled technology?
A2: Global Affairs Canada (GAC) encourages all persons who may be aware of unauthorized disclosures (intentional or unintentional) to report them to GAC’s Export Controls Operations Division and, where there is evidence of theft, malicious activity, or other criminal conduct, to the RCMP.
In situations like these, cloud service users and/or CSPs are encouraged to submit a Disclosure of Non-Compliance using the process set out in Section G.7. of the Export and Brokering Controls Handbook.
Q3: Does this guidance apply differently to different controlled technologies?
A3: This guidance applies to all technology listed on the Export Control List.
Q4: Is it considered an export if I am travelling outside of Canada and have access to controlled technology stored in the cloud? If this is my situation, do I need an export permit?
A4: Under this guidance, an export takes place when controlled technology is treated in a way that creates a reasonable possibility that a person outside Canada could examine it. Global Affairs Canada considers there to be a reasonable possibility of disclosure if a cloud environment containing controlled technology is actually accessed outside Canada, or if a person outside Canada is provided with the means to access it. If you have access to a cloud environment containing controlled technology while travelling but do not use it and do not provide it to any other person, then your travel is not considered an export.
Travellers are expected to take reasonable precautions to protect controlled technology from disclosure, including the following:
- Maintain exclusive control of devices, accounts, and credentials. Keep them in your possession, locked when unattended, and do not share passwords.
- Use strong authentication and multi-factor authentication (MFA). Ensure that a stolen password alone cannot be used to access controlled data.
- Be aware of destination-specific risks. Some jurisdictions present higher risks of device inspection or compelled disclosure; plan accordingly, including use of client-side encryption and travel-only devices where appropriate.
- Do not share access with any person outside Canada. Granting access (e.g., by sharing login credentials, files, etc.) constitutes an export under the EIPA and requires a permit.
- Keep devices encrypted and physically secure. Use full-disk encryption, strong passphrases, and avoid leaving devices unattended.
- Report and remediate promptly. Notify your organization’s security contact and reset passwords immediately if a device is lost or compromised; submit a voluntary disclosure of non-compliance to Global Affairs Canada if you have reason to believe a transfer has occurred.
If you intend to access a cloud environment containing controlled technology while abroad or share it with a person outside Canada, or if you have reason to believe that notwithstanding the precautions above, foreign administrators or service providers could view the technology, you must obtain a permit in advance.
In cases where there is uncertainty, parties are encouraged to submit an export permit application.
Q5: Does it constitute a “transfer” under the EIPA if controlled technology is temporarily stored outside Canada in an unencrypted form during automated processing?
A5: Possibly. Global Affairs Canada considers that a transfer takes place if there is a reasonable possibility that the technology could be examined by a person located outside Canada, even if there is no evidence that such access has occurred or will occur in the future.
To assist in assessing this, technology owners and CSPs should consider the following questions:
- Is the data held in a form, or for a duration, that makes human access technically possible?
- Does anyone have the ability to access or decrypt the data, including CSP administrators or contractors located outside Canada, and if so, are there sufficient technical and process controls so that access outside of Canada is not reasonably possible?
- Are there contractual or technical safeguards that preclude or strictly limit access from outside Canada?
In general, a transfer is likely where:
- IT administrators or other staff located outside Canada hold decryption keys or have routine access rights that would allow them to view the data; and
- The copy remains available long enough, or in such a manner, that more than a remote possibility of human access exists.
In general, a transfer is unlikely where:
- The unencrypted copy is created solely for automated machine processing (e.g., to execute a function or algorithm) on a closed system where human access is technically precluded, no copies are made, and no further use occurs; and
- Strong safeguards (e.g., encryption, access controls, monitoring) reduce the likelihood of examination by persons outside Canada to no more than a remote possibility.
Q6: If we use customer-managed encryption keys stored in Canada, does that eliminate the risk of a “transfer”?
A6: Customer-managed encryption keys (CMEKs) stored in Canada can significantly reduce the likelihood of foreign disclosure, but they do not by themselves eliminate the risk of a transfer.
Global Affairs Canada considers there to be a transfer if there is more than a remote possibility that a person outside Canada could examine the controlled technology. CMEKs reduce this likelihood only if they are managed so that decryption cannot be performed by persons outside Canada without the explicit authorization of the technology owner.
Technology owners should ensure that:
- Encryption algorithms and key management practices meet recognized industry standards;
- Key material is held and protected exclusively in Canada under the control of a Canadian resident; and
- Key rotation, revocation, and access logging are implemented and reviewed.
CMEKs are most effective when combined with additional safeguards such as network segmentation, access controls, and monitoring to reduce the likelihood of foreign disclosure to no more than a remote possibility.
Q7: If a cloud service user moves their controlled technology into the stewardship of a new CSP, does that require a new assessment?
A7: Yes. Any change that may affect where or how controlled technology is stored — including migration to a new CSP or using new services — should trigger a reassessment. Technology owners should verify that safeguards remain in place and that the likelihood of foreign disclosure continues to be no more than a remote possibility. If this cannot be demonstrated, an export permit may be required.
Contact us
For further information, please contact:
Strategic Export Control Bureau
Global Affairs Canada
111 Sussex Drive
Ottawa, Ontario K1A 0G2
Canada
Email: tie.reception@international.gc.ca