Data Residency

Last Updated: June 15, 2025

Canadian Data Sovereignty

At RAN BIOLINKS CANADA LTD, we understand that data residency is a critical requirement for Canadian health authorities, public sector organizations, and regulated industries. MAESTRO IMS is designed from the ground up to ensure your data remains within Canadian borders, meeting the most stringent data sovereignty requirements.

All customer data — including inventory records, audit logs, user information, quality control records, and operational analytics — is stored and processed exclusively within Canada by default.

Primary Data Center: AWS ca-central-1

MAESTRO IMS is deployed on Amazon Web Services (AWS) in the ca-central-1 (Montreal, Quebec) region. This ensures:

  • Data Remains in Canada: All customer data at rest resides within Canadian data centers located in Montreal, Quebec
  • Canadian Jurisdiction: Data stored in ca-central-1 is subject to Canadian privacy laws and is not subject to foreign data access requests outside of Canadian legal processes
  • SOC 2 Certified Infrastructure: AWS ca-central-1 data centers maintain SOC 2 Type II, ISO 27001, and CSA STAR certifications
  • Physical Security: AWS data centers feature 24/7 physical security, biometric access controls, multi-factor authentication for facility access, and continuous video surveillance
  • Power and Connectivity: Redundant power supplies, backup generators, and multiple high-bandwidth network connections ensure continuous availability

What Data Stays in Canada

The following categories of data are stored exclusively within Canada (AWS ca-central-1):

  • Inventory Data: All stock records, item catalogs, stock levels, lot/batch tracking, expiry dates, and barcode scan data
  • Transaction Records: All stock transactions including receipts, issues, transfers, adjustments, and returns
  • Audit Logs: Immutable audit trail records covering all user actions and system events (retained for 7+ years)
  • Quality Control Records: QC inspection results, non-conformance event (NCE) records, and corrective action documentation
  • User Accounts: All user profile information, authentication credentials (hashed), role assignments, and access logs
  • Purchase Orders: Procurement records, supplier information, and receiving documentation
  • Reports and Analytics: Generated reports, dashboards, and analytics data
  • Documents and Attachments: All uploaded files, stored in AWS S3 within the ca-central-1 region
  • Backups: All database backups and point-in-time recovery data remain within Canadian AWS regions

Data Processing Architecture

Our platform architecture ensures that data processing — not just storage — occurs within Canada:

  • Application Servers: All Django application instances run on AWS compute resources in ca-central-1
  • Database: AWS RDS PostgreSQL primary database and read replicas are deployed in ca-central-1
  • Caching Layer: Redis cache clusters operate within ca-central-1
  • Task Processing: Celery background task workers (report generation, scheduled alerts, bulk operations) run on ca-central-1 compute resources
  • Object Storage: AWS S3 buckets for document and attachment storage are configured in ca-central-1
  • Encryption Keys: AWS KMS keys are created and managed within ca-central-1

Disaster Recovery Within Canada

Our disaster recovery strategy maintains Canadian data residency:

  • Cross-AZ Redundancy: Data is replicated across multiple Availability Zones within the ca-central-1 region for high availability
  • Backup Replication: Encrypted database backups can be replicated to ca-west-1 (Calgary, Alberta) — another Canadian AWS region — for geographic disaster recovery
  • No Cross-Border Replication: At no point does customer data leave Canadian borders for backup or disaster recovery purposes

Canadian Privacy Legislation Compliance

Our data residency architecture is designed to comply with Canadian federal and provincial privacy legislation:

PIPEDA (Federal)

The Personal Information Protection and Electronic Documents Act governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities. MAESTRO IMS complies with all ten PIPEDA fair information principles:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, and Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

PIPA (British Columbia)

For organizations operating in British Columbia, the Personal Information Protection Act provides additional privacy protections. MAESTRO IMS complies with PIPA requirements for:

  • Collecting personal information only for reasonable purposes
  • Obtaining appropriate consent before collection
  • Protecting personal information with reasonable security safeguards
  • Providing individuals with access to their personal information upon request
  • Mandatory breach notification to the Office of the Information and Privacy Commissioner for BC

FIPPA (British Columbia)

For public bodies in British Columbia, including health authorities, the Freedom of Information and Protection of Privacy Act imposes specific data residency requirements. MAESTRO IMS supports FIPPA compliance through:

  • Section 30.1 Compliance: Personal information is stored and accessed only within Canada, meeting FIPPA's prohibition on storage of personal information outside of Canada by public bodies
  • Access Controls: Technical controls ensure that personal information under the custody of a public body is not accessed from outside Canada
  • Contractual Safeguards: Our service agreements include provisions that support public bodies' obligations under FIPPA

Third-Party Services and Data Flow

We are transparent about how data flows through our platform and to third-party services:

Services That Process Data Within Canada

  • AWS Services: All core AWS services (RDS, S3, EC2, ElastiCache, KMS, CloudWatch, CloudTrail) operate within ca-central-1
  • Database Backups: Stored within Canadian AWS regions only

Integration Data Flows

When you configure integrations with external systems, data may flow to those systems according to your configuration:

  • PeopleSoft Integration: Export data (PO, invoice, receipt) flows to your organization's PeopleSoft instance at your designated endpoints
  • Azure AD (SSO): Authentication tokens are exchanged with Microsoft Azure AD. User profile data synchronized from Azure AD is stored in ca-central-1
  • Email Notifications: Notification emails (low-stock alerts, transfer approvals) are sent through email services. Email content is minimized to reduce data exposure

Customer Controls

MAESTRO IMS provides customers with controls over their data:

  • Data Export: Export your complete dataset at any time in CSV, Excel, or PDF formats
  • Access Logs: Review who has accessed your data and when through the audit log interface
  • Data Deletion: Request deletion of your data upon contract termination (subject to regulatory retention requirements for audit logs)
  • Integration Controls: Configure which integrations are active and what data flows to external systems

Contractual Commitments

Our data residency commitments are backed by contractual provisions:

  • Data Processing Agreement: Available upon request, documenting our data processing activities and commitments
  • Data Residency Clause: Our standard agreements include explicit commitments to Canadian data residency
  • Subprocessor Transparency: We maintain a list of subprocessors and will notify customers of any changes
  • Audit Rights: Customers may request evidence of our data residency practices and compliance

Multi-Cloud Readiness

While MAESTRO IMS is primarily deployed on AWS ca-central-1, our platform architecture supports deployment on other cloud providers with Canadian regions for organizations with multi-cloud mandates:

  • Microsoft Azure: Canada Central (Toronto) and Canada East (Quebec City) regions
  • Google Cloud Platform: northamerica-northeast1 (Montreal) and northamerica-northeast2 (Toronto) regions

Contact us if your organization requires deployment on an alternative cloud provider.

Frequently Asked Questions

Q: Does any customer data leave Canada?

A: No. By default, all customer data is stored, processed, and backed up exclusively within Canadian AWS regions. Data only leaves Canada if you explicitly configure an integration that sends data to an external system located outside Canada.

Q: How does this help us comply with FIPPA Section 30.1?

A: FIPPA Section 30.1 requires that personal information in the custody or control of a public body must be stored only in Canada and may only be accessed from within Canada. Our architecture ensures all data storage and processing occurs within Canada (AWS ca-central-1), and access controls can be configured to restrict access to Canadian-based users.

Q: Can we get a Data Processing Agreement (DPA)?

A: Yes. We provide Data Processing Agreements that document our data handling practices, subprocessors, and data residency commitments. Contact your account representative or email [email protected] to request a DPA.

Q: What happens to our data if we cancel our subscription?

A: Upon cancellation, you will have 90 days to export all your data. After this period, your data will be securely deleted from all systems, with the exception of immutable audit records that may need to be retained for regulatory compliance purposes.

Contact Us

If you have any questions about our data residency practices or need documentation for your compliance requirements, please contact us at:

RAN BIOLINKS CANADA LTD
10212 Yonge Street, 202, Richmond Hill, Ontario, Canada, L4C 3B6
Email: [email protected]