Cannabis buyer's guide
Security buyer's guide — cannabis production & retail
Health Canada's GPP requirements, 24/7 camera coverage, two-factor vault access, and the pitfalls we see most often in licensed producer deployments.
9 minute read
Cannabis sites are the most heavily regulated commercial security deployments we work on in Ontario — and the most often misquoted.
Health Canada's Good Production Practices prescribe camera coverage, retention, and access-log standards that go well beyond what a typical commercial integrator designs for. Getting this wrong jeopardizes the licence, not just the system.
Compliance at a glance
Four KPIs to benchmark.
- Continuous retention
- 365 days
- Vault 2FA
- Required
- Video-access correlation
- Searchable
- Camera coverage
- No blind spots
Priorities
What matters most, in order.
0124/7 video of every restricted area
No gaps. No blind spots. Not 'mostly'.
02Two-factor on every vault door
Credential plus biometric, with audit log.
031-year continuous retention
Tamper-evident, exportable on demand.
04Monitored alarm coverage
ULC-listed central station, tested quarterly.
Coverage obligations
Every restricted area — storage, destruction, secure transport staging, and production rooms — needs continuous video coverage at a resolution capable of identifying individuals. That's a specific framing and pixels-on-target standard, not a camera count.
Every exterior point of ingress needs its own camera and its own retention trail. For retail, every POS workstation and every cash-handling surface needs dedicated framing.
Retention is 365 days, continuous, tamper-evident, and exportable on Health Canada's request. On-prem storage must be segregated and access-controlled.
Access control architecture
Vault and destruction rooms require two-factor authentication (credential + PIN or biometric). Every access event must be logged, time-stamped, and retained with video cross-reference.
Named Responsible Person (NRP) and alternates must have unique, auditable credentials. Generic 'staff' cards or shared PINs fail audit immediately.
Visitor management must produce a continuous chain-of-custody log. A clipboard at reception doesn't meet the standard.
Alarm & monitoring
Intrusion detection must cover every perimeter opening and every restricted room interior. Bypass events must be logged and justified.
Monitoring goes to a ULC-listed central station with documented response procedures. Quarterly test-and-verify of every zone is a paper trail you'll want when the auditor arrives.
RFP / vendor checklist
Use this to evaluate any quote.
Coverage maps signed off by an NRP
Every restricted area shown with camera IDs, blind-spot analysis, and review/sign-off.
Retention policy documented
Written 365-day retention policy, storage architecture, and tamper-protection mechanism.
Two-factor access on vault & destruction
Deployed, tested, and logged. Not 'planned for phase 2'.
ULC monitoring contract
Active contract, listed certificate, and documented quarterly-test procedure.
Video-access cross-reference
Events in the access log playable from the VMS with a click.
Insurance-coordinated signage
Privacy and monitoring notices that satisfy PIPEDA and insurer requirements.
Red flags
Walk away if you see these.
Installer can't produce a Health Canada coverage map from a previous project.
Quote specifies cameras but not pixels-on-target for identification areas.
Storage sized for 'typical commercial' retention (30–90 days) instead of 365.
Access control quoted without a named credentialing policy.
Want this guide applied to your site?
A site walk + written recommendation against this checklist, usually within a week.