Selling software to the Government of Canada requires meeting specific cloud security requirements that are documented across multiple frameworks and not well-explained in any single public source.
The GC Cloud Guardrails were established in September 2019, became mandatory in May 2022, and are enforced by the Shared Services Canada Cloud Services Directorate. They represent the minimum set of cyber security controls that must be implemented before any department can use cloud services for government workloads. If you're a Canadian tech company that wants to sell to government, understanding these requirements is the first step.
What are the GC Cloud Guardrails?
The GC Cloud Guardrails are a set of baseline security configurations that departments must implement within the first 30 business days of getting access to a cloud account. They were created after the Government of Canada established supply contracts for Protected B cloud services with AWS Canada and Microsoft Azure in August 2019.
The guardrails cover 12 areas including identity management, multi-factor authentication, administrative privilege controls, encryption in transit and at rest, network security, logging and monitoring, and — critically for this discussion — data location.
The guardrails apply to all three cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). If you're building a PaaS or SaaS product and want government customers, the guardrails define what your platform needs to support.
The data residency requirement
The data location guardrail is where Canadian-owned infrastructure becomes a hard requirement, not just a preference.
Government data classified as Protected B — which includes most personal information, commercial confidential information, and internal government operational data — must be stored in a GC-approved Canadian data centre. "Approved" has specific criteria beyond simply being located in Canada.
The Direction on the Secure Use of Commercial Cloud Services (SPIN 2017-01) provides the framework. It requires departments to ensure that protected data remains within Canadian borders and that the cloud service provider's operations do not expose the data to foreign government access orders.
This is where the CLOUD Act becomes directly relevant to government procurement. A US-incorporated cloud provider operating a Canadian data centre is technically compliant with the physical residency requirement, but the department's risk assessment must account for the CLOUD Act's extraterritorial reach. In practice, this has led to increasing interest in Canadian-owned cloud alternatives for sensitive workloads. The full breakdown of why a Canadian region isn't Canadian jurisdiction is in the CLOUD Act post.
Protected B and the PBMM profile
Most government data that tech vendors would encounter is classified as Protected B. The cloud environment hosting this data must meet the Protected B, Medium Integrity, Medium Availability (PBMM) security profile.
The PBMM profile is defined in the Government of Canada Security Control Profile for Cloud-Based GC Services and maps to ITSG-33 (the GC's IT security risk management framework). In practical terms, it requires: encryption of data at rest and in transit using approved cryptographic standards, access controls with role-based permissions and multi-factor authentication, logging and monitoring of all administrative actions, network segmentation and perimeter security, vulnerability management and patch cadence, and incident response procedures with defined SLAs.
Meeting PBMM doesn't require any specific certification like SOC 2 or ISO 27001, but having these certifications significantly speeds up the procurement process because they provide independent evidence that your security controls are in place.
How to get on the procurement list
There are several pathways to selling to the Government of Canada:
ProServices is the government's primary procurement vehicle for professional services, including IT. Getting listed requires registering as a supplier on BuyandSell.gc.ca and responding to standing offers or supply arrangements.
SSC Approved Cloud Broker arrangements are how the government procures cloud services specifically. If your platform qualifies, you can be listed as an approved cloud option that departments can procure through SSC.
Standing Offers and Supply Arrangements (SOSA) are pre-established agreements that allow departments to purchase from approved vendors without running a full competitive procurement each time. Getting on a SOSA is a longer process but provides recurring revenue potential.
Direct procurement is possible for smaller contracts below certain thresholds, where departments have more flexibility in vendor selection.
Where Canner is on this journey
Transparency about status matters more than claims. Canner is a Canadian-incorporated deployment platform operating exclusively on Québec-based infrastructure. This means Canner satisfies the data location guardrail by architecture — there's no foreign jurisdiction exposure to account for in a department's risk assessment. The structural test for that claim is on the sovereignty page.
Canner currently provides: encryption in transit (TLS 1.3 via Caddy), encryption at rest for environment variables and credentials, tenant isolation between customer workloads, audit logging, and multi-factor authentication. The day-to-day mechanics are documented on the security page.
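As an illustration of the encryption-in-transit and audit-logging controls listed above, here is an added Caddy v2 site configuration. It is an example written for this article, not Canner's own deployment config; the hostname app.example.ca, the backend port 8080 and the log path are placeholders chosen for the example.

```caddyfile
# Constructed example; hostname, backend port and log path are placeholders.
app.example.ca {
	# Caddy obtains and renews the certificate for this host automatically.
	# Pin the negotiated protocol to TLS 1.3 (minimum and maximum).
	tls {
		protocols tls1.3 tls1.3
	}

	# Tell browsers to refuse plaintext connections to this host for a year.
	header Strict-Transport-Security "max-age=31536000; includeSubDomains"

	# Structured request log that an audit/monitoring pipeline can ingest.
	log {
		output file /var/log/caddy/app-access.log {
			roll_size 100mb
			roll_keep 10
		}
		format json
	}

	# Forward requests to the application, which listens on loopback only.
	reverse_proxy 127.0.0.1:8080
}
```

Caddy redirects plain HTTP on port 80 to HTTPS for a named site address without extra configuration. To confirm the protocol floor, connect with `openssl s_client -connect app.example.ca:443 -tls1_2`; the handshake should fail, while the same command with `-tls1_3` should succeed. The JSON request log records method, path, status and client address per request, which is the raw material for the "logging and monitoring" line of the PBMM profile, though application-level administrative actions still need their own audit trail.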
SOC 2 Type I certification is on our roadmap for 2027. Full PBMM compliance is a longer-term goal that requires additional investment in formal security assessment, documentation, and third-party audit.
We're not government-ready today. But the infrastructure decisions we've made from day one — Canadian incorporation, Canadian hosting, no foreign jurisdiction exposure — mean we won't have to re-architect when we are.
Frequently asked questions
Can a department use a US cloud provider for Protected B data?
Yes. AWS Canada and Microsoft Azure are both approved for Protected B workloads under GC supply contracts. However, the department's risk assessment must account for CLOUD Act exposure, and additional controls (customer-managed encryption keys, for example) may be required.
Does a vendor need SOC 2 to sell to the government?
No, but it helps significantly. SOC 2 provides independent evidence of security controls that reduces the burden of the department's own security assessment. Without it, departments must conduct a more thorough evaluation, which slows procurement.
What's the difference between the GC Cloud Guardrails and PBMM?
The guardrails are the minimum baseline that must be met in the first 30 days. PBMM is the full security profile for Protected B workloads. Think of the guardrails as the entrance exam and PBMM as the ongoing certification.