Cannabis buyer's guide
Security buyer's guide: cannabis production and retail
Health Canada's GPP requirements, 24/7 camera coverage, two-factor vault access, and the pitfalls we see most often in licensed producer deployments.
9 minute read
Cannabis sites are the most heavily regulated commercial security deployments we work on in Ontario, and the most often misquoted.
Health Canada's Good Production Practices prescribe camera coverage, retention, and access-log standards that go well beyond what a typical commercial integrator designs for. Getting this wrong jeopardizes the licence, not just the system.
Compliance at a glance
Four KPIs to benchmark.
- Continuous retention
- 365 days
- Vault 2FA
- Required
- Video-access correlation
- Searchable
- Camera coverage
- No blind spots
Priorities
What matters most, in order.
0124/7 video of every restricted area
No gaps. No blind spots. Not 'mostly'.
02Two-factor on every vault door
Credential plus biometric, with audit log.
031-year continuous retention
Tamper-evident, exportable on demand.
04Monitored alarm coverage
ULC-listed central station, tested quarterly.
Coverage obligations
Every restricted area (storage, destruction, secure transport staging, and production rooms) needs continuous video coverage at a resolution capable of identifying individuals. That's a specific framing and pixels-on-target standard, not a camera count.
Every exterior point of ingress needs its own camera and its own retention trail. For retail, every POS workstation and every cash-handling surface needs dedicated framing.
Retention is 365 days, continuous, tamper-evident, and exportable on Health Canada's request. On-prem storage must be segregated and access-controlled.
Access control architecture
Vault and destruction rooms require two-factor authentication (credential + PIN or biometric). Every access event must be logged, time-stamped, and retained with video cross-reference.
Named Responsible Person (NRP) and alternates must have unique, auditable credentials. Generic 'staff' cards or shared PINs fail audit immediately.
Visitor management must produce a continuous chain-of-custody log. A clipboard at reception doesn't meet the standard.
Alarm & monitoring
Intrusion detection must cover every perimeter opening and every restricted room interior. Bypass events must be logged and justified.
Monitoring goes to a ULC-listed central station with documented response procedures. Quarterly test-and-verify of every zone is a paper trail you'll want when the auditor arrives.
RFP / vendor checklist
Use this to evaluate any quote.
Coverage maps signed off by an NRP
Every restricted area shown with camera IDs, blind-spot analysis, and review/sign-off.
Retention policy documented
Written 365-day retention policy, storage architecture, and tamper-protection mechanism.
Two-factor access on vault & destruction
Deployed, tested, and logged. Not 'planned for phase 2'.
ULC monitoring contract
Active contract, listed certificate, and documented quarterly-test procedure.
Video-access cross-reference
Events in the access log playable from the VMS with a click.
Insurance-coordinated signage
Privacy and monitoring notices that satisfy PIPEDA and insurer requirements.
Red flags
Walk away if you see these.
Installer can't produce a Health Canada coverage map from a previous project.
Quote specifies cameras but not pixels-on-target for identification areas.
Storage sized for 'typical commercial' retention (30–90 days) instead of 365.
Access control quoted without a named credentialing policy.
Want this guide applied to your site?
A site walk + written recommendation against this checklist, usually within a week.