Data Residency and Subprocessor Controls

9. Data Residency and Subprocessor Controls

9.1 Canada‑only residency (default)

Personal Information and other Restricted Data processed by Applications must be stored and accessed in Canada by default (e.g., ca‑central). Administrative access to production data and consoles must also originate from Canada or from approved Canadian management networks. Vendors must design hosting, backups, telemetry, and support workflows to meet this default.

9.2 Cross‑border exceptions (when strictly necessary)

Any cross‑border storage or access requires an approved exception prior to use. The exception must include:

  • A documented risk assessment and, where PI is involved, a DPIA addressing transfer mechanisms, lawful basis, and residual risk.

  • Technical safeguards (e.g., field‑level encryption with Canadian key custody, strict least‑privilege roles, geo/IP restrictions, comprehensive audit logging with PENDING: retention __ months).

  • Contractual safeguards (data processing terms, audit rights, breach‑notification SLA, subprocessor flow‑down, return/deletion commitments, termination for cause).

  • An expiry date for re‑validation and assigned owner.

    PENDING: Residency exception approval workflow and approver(s); prohibited jurisdictions list; DPIA template link

9.3 Subprocessor disclosure and approval

Vendors must disclose all subprocessors that will store, process, or access CLD data and obtain CLD’s written approval prior to onboarding. Disclosures must include legal name, registered address, services provided, data categories handled, processing location(s), and security attestations (e.g., SOC 2 Type 2). Material changes (new subprocessor, new country, expanded scope) require advance notice.

PENDING: Notice lead time (e.g., __ days) and CLD approver (role/name)

9.4 Flow‑down of obligations

Vendor contracts with subprocessors must flow down equivalent or stronger obligations, including: confidentiality; data residency constraints; encryption in transit and at rest; identity and MFA requirements; logging and retention; vulnerability management SLAs; annual SOC 2 Type 2 (or equivalent) with remediation plans; incident reporting and cooperation; deletion/return on termination; audit and inspection rights; and sub‑subprocessor controls. Subprocessor breach notification must meet or exceed the vendor’s notification obligations to CLD.

9.5 Access restriction and monitoring

Subprocessors must implement strict least‑privilege access with MFA for administrative and data access, maintain tamper‑resistant audit trails for access and administrative actions, and support export of audit records upon CLD request. Access by non‑Canadian personnel to Restricted Data is prohibited unless covered by an approved cross‑border exception. Vendors must continuously monitor subprocessor security advisories and notify CLD of issues impacting CLD data or services, including proposed mitigations and timelines.

9.6 Evidence and reassessment

Vendors must provide current subprocessor inventories and annual compliance artifacts (e.g., SOC 2 Type 2 reports or ISO 27001 certificate with SoA), plus corrective action plans for any deficiencies within 30 days. CLD may request additional evidence (policy excerpts, pen‑test executive summaries, scan attestations) when risk indicates. High‑risk subprocessors must be re‑assessed annually or upon material change.

9.7 Termination, return, and deletion

Upon service termination or upon request, vendors and subprocessors must promptly return CLD data in a mutually agreed, machine‑readable format and securely delete remaining copies, including backups at the next scheduled cycle. Vendors must provide written deletion certification signed by an authorized officer and, where technically applicable, evidence of crypto‑shred (key destruction) or verified purge from storage tiers and replicas.

9.8 Audit and inspection

CLD reserves the right to perform risk‑based audits or inspections of vendors and subprocessors within reasonable notice periods, including document reviews and (where applicable) facility or virtual walkthroughs, to verify compliance with this policy and contractual obligations. Findings must be addressed within agreed timelines and tracked to closure with a POA&M.

9.9 Exceptions

Any deviation from the residency default or subprocessor controls requires a documented exception specifying scope, rationale, risk assessment, compensating controls, owner, approval, and expiry.

PENDING: Exception approval workflow and template location