Canada controlled goods

Controlled goods are primarily goods, including components and technical data, that have military or national security significance, are controlled domestically by the Government of Canada, and are defined in the Defence Production Act. An overview of controlled goods, how they're regulated, and the legal responsibilities associated with them is available at What are controlled goods. Individuals and organizations must register in the Controlled Goods Program (CGP) if they need to examine, possess, or transfer controlled goods.

Controlled goods and cloud services

Many organizations registered in the CGP manage controlled goods technical data in digital form and seek to apply the benefits of public cloud services for these workloads. On May 16, 2024 the Controlled Goods Directorate (CGD) published updated Guidance on using or providing cloud solutions for controlled goods data. The CGD cloud guidance outlines the shared responsibility to safeguard controlled goods data between a Cloud Service Provider (CSP) and CGP registrants who might consider utilizing cloud services.

Microsoft and controlled goods

Microsoft Canada Inc. is registered with the CGP for both traditional purposes, including consulting services, and online cloud services. To view a directory of organizations registered with the CGP, see: Find individuals and organizations registered in the Controlled Goods Program.

While there's no compliance certification for controlled goods, Microsoft's CGP registration includes an approved controlled goods security plan, describing alignment with the CGD cloud guidance for in-scope services. This article details considerations for CGP registrants when evaluating in-scope Microsoft Online Services for controlled goods workloads.

Microsoft in-scope cloud platforms & services

Microsoft offers a broad portfolio of commercial cloud services globally. Given varying product terms and capabilities and complex regulatory considerations, Microsoft recommends that customers consider evaluating only the following services for suitability to store and process controlled goods data:

  • Canada Region Azure Core Services are comprised of those Azure Core Online Services identified in the Privacy & Security Terms in the Product Terms that are deployable within a Canada region (currently Canada Central or Canada East). To see Azure Core Services available in Canadian regions, see: Azure Products available by region.

  • Canada Region Office Core Services are Exchange Online, SharePoint Online, OneDrive for Business, and Teams.

Any preview or prerelease versions of these services available to the customer for optional use prior to their general availability aren't in scope for this guidance.

Canada Region Azure Core Services and Canada Region Office Core Services are part of Microsoft's global cloud infrastructure. Some Canadian Defence Industrial Base customers may also be eligible to access Microsoft's U.S. government cloud offerings. Evaluation of these U.S.-based offerings in the context of controlled goods data is beyond the scope of this article.

Controlled goods and Microsoft Cloud Services

The Microsoft Cloud is a globally deployed and standardized set of Online Services that are available to customers to evaluate, procure, configure, and deploy to meet specific business requirements. When the customer's cloud tenant is configured correctly, it provides customers with enhanced flexibility, advanced capabilities, and improved security over traditional on-premises technology deployments. Microsoft designs its Online Services so that Customer Data is secure and under the customer's control. Microsoft is generally unable to customize how it delivers its Online Services offerings to meet specific customer requirements.

Customers that choose to use cloud services bear ultimate responsibility for complying with controlled goods regulatory obligations and safeguarding controlled goods data that they choose to store in the cloud. Customer shared responsibility obligations include:

  • Ensuring that their use of these services complies with applicable laws, including laws governing examining, possessing, or transferring controlled goods.
  • Assessing whether a cloud service, including a feature or tool within a service, is appropriate for handling relevant categories of controlled goods, including data which might also be subject to controls under U.S. regulations such as the International Traffic in Arms Regulations (ITAR). This can include evaluating the adequacy of the cloud service provider's security responsibility safeguards, data residency (storage at rest) commitments, location of data processing, location of data transfers, third-party audits, and features or tools that might include human review of Customer Data (such as the review of the output of some AI services to prevent abuse).
  • Evaluating and applying cloud security features to restrict access to controlled goods data that the customer stores in the cloud.
  • Ensuring that controlled goods data isn't included in headers, document names, or file paths.
  • Implementing the customer's own security controls and other measures to manage any residual risks relating to the unauthorized access to controlled goods data, including by ensuring that access to controlled goods data isn't provided to Microsoft personnel in a manner requiring them to examine, possess, or transfer controlled goods data, unless the customer decides that the individual is approved to examine controlled goods.

In the context of operating Online Services, Microsoft isn't in constructive possession of controlled goods data. Microsoft personnel have no knowledge of the character of the data that customers choose to upload to its Online Services. Microsoft also has no commercial means of understanding which of its customers are using or intending to use its Online Services to store and process controlled goods data.

Alignment with controlled goods guidance for cloud service providers

Online Services are standardized commercial off-the-shelf services that are provided to customers pursuant to Microsoft's volume licensing agreement. This agreement includes the Microsoft Products and Services Data Protection Addendum (DPA) and the Microsoft Product Terms (Product Terms).

Microsoft has designed and implemented the Canada Region Azure Core Services and the Canada Region Office Core Services to comply with internationally recognized security practices and policies. Many Microsoft Online Services have been assessed by the Canadian Centre for Cybersecurity through the Cloud service provider information technology security assessment process (ITSM.50.100) to the CCCS Medium Cloud Security Profile. Additionally, Microsoft commits to implement and maintain technical and organizational measures that comply with the requirements in ISO 27001, ISO 27002, and ISO 27018. In addition, each Canada Region Azure Core Service and Canada Region Office Core Service (with limited, published exceptions) also complies with the control standards and frameworks that form part of SSAE 18 SOC 1 Type II and SSAE 18 SOC 2 Type II. For more information, see the DPA and the Privacy & Security Terms in the Product Terms.

The CGD's security plan guidance offers the following important definitions:

  • Access: To be in a position to examine, possess or transfer controlled goods.
  • Examine: To consider in detail or subject to an analysis in order to discover essential features or meaning.
  • Possess: Either actual possession, where the person has direct physical control over a controlled good at a given time, or constructive possession, where the person has the power and the intention at a given time to exercise control over a controlled good, directly or through another person or persons.
  • Transfer: With respect to a controlled good, to dispose of it or disclose its content in any manner.

Having regard to the security controls and operational practices implemented for Canada Region Azure Core Services and Canada Region Office Core Services, Microsoft's understanding is that it doesn't access, examine, possess, or transfer controlled goods data while providing such services or related technical support.

Technical support

Microsoft Online Services are designed so that Microsoft doesn't have visibility into how or when a customer is using Online Services to store or process controlled goods data (or any other type of data). Microsoft personnel don't have default standing access to Customer Data in Online Services. In very limited support and engineering scenarios, Microsoft support or engineering personnel might require access to Customer Data. For those rare instances, Microsoft support or engineering personnel (who are typically located outside Canada) can be granted access to Customer Data under management oversight using temporary credentials via Just-in-Time (JIT) privileged access management systems. Using the restricted access workflow, access to Customer Data is carefully controlled, logged, and revoked when it's no longer needed. Even in these scenarios, Microsoft won't know if controlled goods workloads are implicated.

Microsoft's globally deployed support and engineering personnel aren't security assessed in accordance with the requirements of the Controlled Goods Regulations. Because of this, it's the responsibility of the customer to determine what data to process within Online Services or share with Microsoft during a support engagement. More broadly, it's the customer's responsibility to ensure that its use of Online Services doesn't result in these personnel examining controlled goods.

The CGP's guidance defines the term "Examine" as considering data in detail or subjecting it to an analysis to discover its essential features or meaning. This guidance suggests that incidental exposure to data that is transient in nature and doesn't result in considering it in detail or determining its essential meaning doesn't involve "examination" of a controlled good.

As an additional defence in depth risk mitigation measure, Microsoft recommends customers enable the Customer Lockbox feature with in-scope services. Customer Lockbox puts the customer in control of support workflows that require access to Customer Data by enabling the customer to approve or deny such elevated requests. More information about Customer Lockbox:

Note

In-scope Online Services generally support the Customer Lockbox feature with some exceptions. It's the responsibility of the customer to consider this during their evaluation of the suitability of Online Services for use with controlled goods workloads.

Limited Canadian based support

There might be limited scenarios where examination or possession of controlled goods is required to provide technical assistance during technology deployments or troubleshooting. If detailed examination is required, the customer should request a separate engagement with Microsoft Canada which includes an explicit contractual commitment to ensure that personnel with a need to examine controlled goods data are Canada-based and security assessed in accordance with the Controlled Goods Regulations. It's the customer's responsibility to establish this custom agreement directly with Microsoft Canada. Contact your Microsoft account team for more information.

Record keeping

Microsoft has no knowledge of the character or content of the data that customers might store or process within Online Services and no ability to receive notifications from customers related to the types of data they upload to Online Services. As a result, Microsoft has no commercial means of tracking which of its customers are using or intending to use its Online Services to store and process controlled goods data. Recordkeeping obligations remain solely with the customer when they choose to use Microsoft's Online Services.

Security incidents

Microsoft's security incident notification commitments for Online Services are documented in the DPA. Microsoft personnel don't have knowledge of the nature of any specific Customer Data that could have been affected by a security incident. It's the responsibility of the customer (or CGP registrant) to determine whether a specific security incident involved controlled goods data and report to the CGP as required in section 10(h) of the Regulations.

Frequently asked questions

Where are Microsoft Online Services support and engineering personnel located?

Microsoft operates support services for its commercial cloud offerings in many locations around the world to customers across different regions and countries.

What are the civic addresses of Microsoft's cloud datacenters in Canada?

Microsoft doesn't publicly disclose the civic addresses of its datacenters. We established this policy to help secure our datacenter facilities. Microsoft currently operates two cloud regions in Canada – Canada Central with sites located in Toronto and Canada East with sites located in Quebec City. We recommend customers reference the cloud region where their data is stored in place of physical addresses in their controlled goods security plans if required.

Where is data stored in Microsoft Online Services?

Data residency refers to the cloud geography or region where Customer Data is stored at rest. Use the following links to understand how you can determine current data residency and data residency commitments for in-scope services:

Customers are responsible for evaluating whether a given cloud service enables data residency configuration (including any exceptions identified in the Product Terms or the Microsoft Trust Center). Not all Online Services allow for configuration of data storage in specific cloud regions.

Where is data processed in Microsoft Online Services?

Data processing involves computing operations that cloud services perform on Customer Data to provide required Online Services. It is the customer's responsibility to evaluate whether processing, storing, or transferring data outside Canada can occur within cloud services or as part of technical support and whether an export permit might be required.

For Canada Region Azure Core Services, Microsoft won't store or process Customer Data outside the customer-specified Geo without your authorization. Customers should review Data residency in Azure – More information on customer data location and evaluate the following:

  • To maintain resiliency, Microsoft uses variable network paths that sometimes cross Geo boundaries, but replication of Customer Data between regions is always transmitted over encrypted network connections.
  • Microsoft personnel (including subprocessors) located outside the Geo can remotely operate data processing systems in the Geo but won't access Customer Data without authorization by the customer.
  • Certain services might not enable the customer to configure deployment in a particular Azure Region or major geographic area (Geo) or might perform limited processing or storage in other locations as detailed in the Microsoft Trust Center (which Microsoft might update from time to time, but Microsoft won't add exceptions for services no longer in Preview).
  • If a customer administrator or user takes an action in the services that initiates a data transfer out of the Canadian Geo, Microsoft won't restrict such customer-initiated transfers from happening; doing so would disrupt normal business operations for the customer.

For Canada Region Office Core Services, data is typically processed closest to where the data is stored, but some operations might process Customer Data in Azure commercial cloud geographies outside of Canada. To see a complete list of these countries/regions, see: Azure geographies.

What are the considerations with use of generative AI solutions with controlled goods?

Microsoft's generative AI solutions, including Azure OpenAI Service and Copilot services and capabilities, don't use your organization's data to train foundation models without your permission. Your data isn't available to OpenAI or used to train OpenAI models. Your data remains private when using Azure OpenAI Service and Copilots and is governed by our applicable privacy and contractual commitments, including the commitments we make in Microsoft's Data Protection Addendum, Microsoft's Product Terms, and the Microsoft Privacy Statement.

With Microsoft's commitment to Responsible AI, Azure OpenAI services employ abuse monitoring processes including human review to detect and mitigate instances of recurring content and/or behaviors that suggest use of the service in a manner that might violate the Code of Conduct or other applicable product terms. Customers should evaluate how data is handled using the resources available at Azure OpenAI Data, Privacy, and Security and how they can apply to obtain an exemption from abuse monitoring and human review.

For more information on Data, Privacy, and Security for Microsoft Copilot for Microsoft 365, see: Data, Privacy, and Security for Microsoft 365 Copilot.

What export authorizations are required when using controlled goods with Microsoft Online Services?

Customers should seek guidance from Global Affairs Canada (or other regulators) regarding any export authorizations that can be required when evaluating Microsoft Canada Region Azure Core Services and Canada Region Office Core Services, including but not limited to scenarios where data storage, network data in transit, data processing, or transfers can occur outside of Canada.

Microsoft does not accept liability or responsibility for being added as a party to any export license application without our express consent. For more information, see the Microsoft Exporting FAQ.

What other security and privacy features can be useful when configuring an in-scope Online Service for use with controlled goods?

It's the customer's responsibility to ensure that its use of Online Services doesn't result in unauthorized individuals, including Microsoft Online Services personnel, examining, possessing, or transferring controlled goods. This can involve, for example, the Customer evaluating and adopting security features available within specific Online Services. Relevant features include:

  • Customer Lockbox: Microsoft recommends customers enable the Customer Lockbox feature with in-scope services as an additional defence in depth risk mitigation measure. Customer Lockbox puts the customer in control of support workflows that require access to Customer Data by enabling the customer to approve or deny such elevated requests. For more information about Customer Lockbox, see:
  • Microsoft Purview Information Protection: Sensitivity labels from Microsoft Purview Information Protection let you classify and protect your organization's data, while making sure that user productivity and their ability to collaborate isn't hindered. Microsoft recommends customers deploy and configure appropriate sensitivity labels and associated data protection policies for controlled goods data in Office Core Services.
  • Microsoft Purview Double Key Encryption (DKE): Office Apps (Outlook, Word, Excel, and PowerPoint on Windows) support the use of Double Key Encryption, providing an end-to-end encryption configuration option. Office documents and the body of emails are encrypted by the Office client applications using a key management service and key that is under the customer's control. Where content is encrypted using DKE, the overall functionality of Microsoft 365 Core Services, including many customer-configured security features, can be reduced since the Microsoft cloud infrastructure doesn't have access to your private key and can't perform cloud processing on the encrypted data. For example, this limits some functionality such as cloud-based Data Loss Prevention (DLP), use of Office Web Apps and coauthoring. By extension, customer data encrypted with DKE in the cloud is never accessible in unencrypted form to Microsoft support or engineering personnel. DKE must be deployed with Microsoft Purview Information Protection for service encryption and use of sensitivity labels on content.
  • Azure Confidential Computing: Confidential computing on Azure enhances security across various aspects of the compute cloud infrastructure and adheres to the industry's definition of confidential computing. While existing encryption protects data at rest and data in transit, confidential computing protects or encrypts data while in use during processing or computation in memory using new hardware-based trusted execution environments in Azure. Azure's confidential computing offerings go beyond operational safeguards and memory protection, to provide workload isolation with hardware-rooted trust. The confidential computing threat model aims to remove or reduce the ability for a cloud provider operator and other actors in the tenant's domain to access code and data while it's being executed. When used with data encryption at rest and in transit, confidential computing eliminates the single largest barrier of encryption - encryption while in use - by protecting sensitive or highly regulated data sets and application workloads in a secure public cloud platform.
  • Azure Key Vault: Azure Key Vault Managed HSM (Hardware Security Module) is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. It's one of several key management solutions in Azure.

What are the considerations related to Office Connected Services?

Microsoft Office consists of client software applications and Connected Experiences designed to enable you to create, communicate, and collaborate more effectively. Working with others on a document stored on OneDrive or translating the contents of a Word document into a different language are examples of connected experiences. Some Connected Experiences, known as Optional Connected Experiences, that can be accessed when using the Office Apps reach out to the internet (or to other Microsoft Online Services) to perform their function.

Some Office Connected Experiences analyze customer content in Office Apps to provide you with design recommendations, editing suggestions, data insights, and similar features. Analyzing content in this manner is another form of data processing and can occur in Azure commercial cloud geographies outside of Canada.

Customers should include Office Connected Experiences as part of their evaluation of controlled goods and Microsoft Online Services including the ability to control use of experiences that analyze content for documents that have specific sensitivity labels applied.

What are the common limitations of end-to-end encryption with cloud services?

End-to-end encryption, or E2EE, typically implies that content is encrypted before it's sent to the cloud and decrypted only by the intended recipient when it's received from the cloud. With E2EE, only the two endpoint systems are involved in encrypting and decrypting the data. If the cloud services infrastructure doesn't have controlled access to the encryption key to decrypt the data, the ability to perform processing of that data is limited. For example, cloud-based malware scanning, enforcing cloud-based Data Loss Prevention (DLP) rules on content, and multi-user document editing wouldn't function if the cloud services provider couldn't decrypt the data to perform the required processing.

Microsoft Double Key Encryption provides an end-to-end encryption configuration option intended for use with a subset of Office 365 data that is subject to the strictest data protection requirements. Deployment requirements need to be reviewed carefully when evaluating this capability.

Note

The end-to-end encryption term can have other interpretations including in the context of a defined security boundary. It's the customer's responsibility to evaluate and configure encryption options available within Online Services.

What resources are available to help implement a secure cloud configuration that enforces my organizational security policies?

Microsoft publishes extensive information on how to architect, configure, and operate secure cloud tenant configurations. The Microsoft Cloud Adoption Framework for Azure provides a helpful starting point for IaaS and PaaS workloads. The Zero Trust deployment plan with Microsoft 365 provides guidance on building Zero Trust security with Microsoft 365.

What if controlled goods data is also subject to other export control regulations?

Customers are responsible for determining whether Microsoft services (including Online Services, technical support, and professional services) are appropriate for storage or processing of information subject to any specific law or regulation and for using the Microsoft services in a manner consistent with legal and regulatory obligations. Although scenarios involving controlled goods data that is subject to non-Canadian export control regulations are outside the scope of this article, the information in the Resources section might be helpful to customers.

Resources