The names for some Assured Workloads control packages have changed. For information about the name change, seeControl package renaming notice.
Canada Data Boundary
This page describes the set of controls that are applied onCanada Data Boundary workloads in Assured Workloads. It providesdetailed information aboutdata residency,supported Google Cloud products and their API endpoints,and any applicablerestrictions or limitations onthose products. The following additional information applies toCanada Data Boundary:
- Data residency: The Canada Data Boundary control package sets datalocation controls to supportCanada-only regions. See theGoogle Cloud-wide organization policy constraints sectionfor more information.
- Support: Technical support services for Canada Data Boundary workloadsare available with Standard, Enhanced, or PremiumCloud Customer Care subscriptions. Canada Data Boundaryworkloads support cases are routed to global support personnel. If you requirea more restrictive support personnel control option, consider theCanada Data Boundary and Supportcontrol package instead.
- Pricing: The Canada Data Boundary control package is included inAssured Workloads'Free tier, which incurs no additional charges.SeeAssured Workloads pricing for moreinformation.
Supported products and API endpoints
Unless otherwise noted, users can access all supported products through the Google Cloud console.Restrictions or limitations that affect the features of a supported product, including those thatare enforced throughorganization policy constraint settings,are listed in the following table.
If a product is not listed, that product is unsupported and has not met the controlrequirements for Canada Data Boundary. Unsupported products are not recommended for usewithout due diligence and a thorough understanding of your responsibilities in theshared responsibility model.Before using an unsupported product, ensure that you are aware of and are willing to accept anyassociated risks involved, such as negative impacts to data residency or data sovereignty.
Unsupported products may share an API service endpoint with supported products,making them available to all users.| Supported product | API endpoints | Restrictions or limitations |
|---|---|---|
| Access Approval | accessapproval.googleapis.com | None |
| Access Context Manager | accesscontextmanager.googleapis.com | None |
| Access Transparency | accessapproval.googleapis.com | None |
| Agent Assist | dialogflow.googleapis.com | None |
| AlloyDB for PostgreSQL | alloydb.googleapis.com | None |
| Cloud Service Mesh | mesh.googleapis.commeshca.googleapis.commeshconfig.googleapis.com | None |
| Apigee | apigee.googleapis.com | None |
| App Hub | apphub.googleapis.com | None |
| Artifact Registry | artifactregistry.googleapis.com | None |
| AutoML Tables | automl.googleapis.com | None |
| Backup for GKE | gkebackup.googleapis.com | None |
| BigQuery | bigquery.googleapis.combigqueryconnection.googleapis.combigquerydatapolicy.googleapis.combigquerydatatransfer.googleapis.combigquerymigration.googleapis.combigqueryreservation.googleapis.combigquerystorage.googleapis.com | Affected features |
| Bigtable | bigtable.googleapis.combigtableadmin.googleapis.com | None |
| Binary Authorization | binaryauthorization.googleapis.com | None |
| Certificate Authority Service | privateca.googleapis.com | None |
| Certificate Manager | certificatemanager.googleapis.com | None |
| Cloud Asset Inventory | cloudasset.googleapis.com | None |
| Cloud Build | cloudbuild.googleapis.com | None |
| Cloud Composer | composer.googleapis.com | None |
| Cloud Domains | domains.googleapis.com | None |
| Cloud DNS | dns.googleapis.com | None |
| Cloud Data Fusion | datafusion.googleapis.com | None |
| Cloud Deploy | clouddeploy.googleapis.com | None |
| Cloud External Key Manager (Cloud EKM) | cloudkms.googleapis.com | None |
| Cloud HSM | cloudkms.googleapis.com | None |
| Cloud Interconnect | compute.googleapis.com | None |
| Cloud Key Management Service (Cloud KMS) | cloudkms.googleapis.com | None |
| Cloud Load Balancing | compute.googleapis.com | None |
| Cloud Logging | logging.googleapis.com | Affected features |
| Cloud Monitoring | monitoring.googleapis.com | None |
| Cloud NAT | compute.googleapis.com | None |
| Cloud OS Login API | oslogin.googleapis.com | None |
| Cloud Router | compute.googleapis.com | None |
| Cloud Run | run.googleapis.com | Affected features |
| Cloud Run functions | run.googleapis.com | None |
| Cloud SQL | sqladmin.googleapis.com | None |
| Cloud SQL for PostgreSQL | sqladmin.googleapis.com | None |
| Cloud Storage | storage.googleapis.com | None |
| Cloud Tasks | cloudtasks.googleapis.com | None |
| Cloud VPN | compute.googleapis.com | None |
| Cloud Vision API | vision.googleapis.com | None |
| Cloud Workstations | workstations.googleapis.com | None |
| Compliance Manager | cloudsecuritycompliance.googleapis.com | None |
| Compute Engine | compute.googleapis.com | Affected features andorganization policy constraints |
| Config Sync | anthosconfigmanagement.googleapis.com | None |
| Connect | gkeconnect.googleapis.com | None |
| Dialogflow CX | dialogflow.googleapis.com | None |
| Sensitive Data Protection | dlp.googleapis.com | None |
| Database Center | Not applicable | None |
| Dataflow | dataflow.googleapis.comdatapipelines.googleapis.com | None |
| Dataform | dataform.googleapis.com | None |
| Dataplex Universal Catalog | dataplex.googleapis.comdatalineage.googleapis.com | None |
| Dataproc | dataproc-control.googleapis.comdataproc.googleapis.com | None |
| Document AI | documentai.googleapis.com | None |
| Essential Contacts | essentialcontacts.googleapis.com | None |
| Eventarc | eventarc.googleapis.com | None |
| Filestore | file.googleapis.com | None |
| Firebase Security Rules | firebaserules.googleapis.com | None |
| Firestore | firestore.googleapis.com | None |
| GKE Hub | gkehub.googleapis.com | None |
| GKE Identity Service | anthosidentityservice.googleapis.com | None |
| GKE Image streaming | containerfilesystem.googleapis.com | None |
| Generative AI on Vertex AI | aiplatform.googleapis.com | None |
| Google Cloud Armor | compute.googleapis.comnetworksecurity.googleapis.com | Affected features |
| Google Cloud Managed Service for Apache Kafka | managedkafka.googleapis.com | None |
| Google Cloud NetApp Volumes | netapp.googleapis.com | Affected features |
| Google Kubernetes Engine (GKE) | container.googleapis.comcontainersecurity.googleapis.com | None |
| Google Security Operations SIEM | chronicle.googleapis.comchronicleservicemanager.googleapis.com | None |
| Google Security Operations SOAR | Not applicable | None |
| Identity and Access Management (IAM) | iam.googleapis.com | None |
| Identity-Aware Proxy (IAP) | iap.googleapis.com | None |
| Infrastructure Manager | config.googleapis.com | None |
| Looker (Google Cloud core) | looker.googleapis.com | None |
| Memorystore for Redis | redis.googleapis.com | None |
| Network Connectivity Center | networkconnectivity.googleapis.com | None |
| Organization Policy Service | orgpolicy.googleapis.com | None |
| Persistent Disk | compute.googleapis.com | None |
| Personalized Service Health | servicehealth.googleapis.com | None |
| Pub/Sub | pubsub.googleapis.com | None |
| Resource Manager | cloudresourcemanager.googleapis.com | None |
| Secret Manager | secretmanager.googleapis.com | None |
| Secure Source Manager | securesourcemanager.googleapis.com | None |
| Serverless VPC Access | vpcaccess.googleapis.com | None |
| Speech-to-Text | speech.googleapis.com | None |
| Storage Transfer Service | storagetransfer.googleapis.com | None |
| Text-to-Speech | texttospeech.googleapis.com | None |
| Cloud Service Mesh | trafficdirector.googleapis.com | None |
| VM Manager | osconfig.googleapis.com | None |
| VPC Service Controls | accesscontextmanager.googleapis.com | None |
| Vertex AI Batch prediction | aiplatform.googleapis.com | None |
| Vertex AI Model Monitoring | aiplatform.googleapis.com | None |
| Vertex AI Model Registry | aiplatform.googleapis.com | None |
| Vertex AI Online prediction | aiplatform.googleapis.com | None |
| Vertex AI Pipelines | aiplatform.googleapis.com | None |
| Vertex AI Search | discoveryengine.googleapis.com | None |
| Vertex AI Training | aiplatform.googleapis.com | None |
| Virtual Private Cloud (VPC) | compute.googleapis.com | None |
| Web Risk | webrisk.googleapis.com | None |
Restrictions and limitations
The following sections describe Google Cloud-wide or product-specific restrictions or limitationsfor features, including any organization policy constraints that are set by default onCanada Data Boundary folders. Other applicable organization policy constraints —even ifnot set by default— can provide additional defense-in-depth to further protect yourorganization's Google Cloud resources.
We strongly recommend not changing the values of the required organizationpolicy constraints listed in the following sections. Doing so may undermine data residency. Whensuch a change has been made, the effects of the change are difficult or impossible to reverse.Ensure that you understand the ramifications of changing an organization policy constraint's valuebefore proceeding.Additionally, ensure that any automated mechanisms your organization usesto manage organization policies are updated to prevent these values from being changedunintentionally.
Google Cloud-wide
Google Cloud-wide organization policy constraints
The followingorganization policy constraints apply across Google Cloud.
| Organization policy constraint | Description |
|---|---|
gcp.resourceLocations | Set to the following locations in theallowedValues list:
Changing this value by making it less restrictive potentially undermines data residency by allowing data to be created or stored outside of a compliant data boundary. |
gcp.restrictServiceUsage | Set to allow allsupported products and API endpoints. Determines which services can be used by restricting runtime access to their resources. For more information, seeRestricting resource usage. |
gcp.restrictTLSVersion | Set to deny the following TLS versions:
|
BigQuery
Affected BigQuery features
| Feature | Description |
|---|---|
| Enabling BigQuery on a new folder | BigQuery is supported, but it isn't automatically enabled when you create a newAssured Workloads folder due to an internal configuration process. This process normallyfinishes in ten minutes, but can take much longer in some circumstances. To check whether theprocess is finished and to enable BigQuery, complete the following steps:
After the enablement process is completed, you can use BigQuery in your Assured Workloads folder. Gemini in BigQuery is not supported by Assured Workloads. |
| Unsupported features | The following BigQuery features are not supported and should not be used in the BigQuery CLI. It is your responsibility not to use them in BigQuery for Assured Workloads.
|
| BigQuery CLI | The BigQuery CLI is supported. |
| Google Cloud SDK | You must use Google Cloud SDK version 403.0.0 or newer to maintain data regionalization guarantees for technical data. To verify your current Google Cloud SDK version, rungcloud --version and thengcloud components update to update to the newest version. |
| Administrator controls | BigQuery will disable unsupported APIs but administrators with sufficient permissions to create an Assured Workloads folder can enable an unsupported API. If this occurs, you will be notified of potential non-compliance through theAssured Workloads monitoring dashboard. |
| Loading data | BigQuery Data Transfer Service connectors for Google Software as a Service (SaaS) apps, external cloud storage providers, and data warehouses are not supported. It is your responsibility not to use BigQuery Data Transfer Service connectors for Canada Data Boundary workloads. |
| Third-party transfers | BigQuery doesn't verify support for third-party transfers for the BigQuery Data Transfer Service. It is your responsibility to verify support when using any third-party transfer for the BigQuery Data Transfer Service. |
| Non-compliant BQML models | Externally-trained BQML models are not supported. |
| Query jobs | Query jobs should only be created within Assured Workloads folders. |
| Queries on datasets in other projects | BigQuery doesn't prevent Assured Workloads datasets from being queried from non-Assured Workloads projects. You should ensure that any query that has a read or a join on Assured Workloads data be placed in an Assured Workloads folder. You can specify afully-qualified table name for their query result usingprojectname.dataset.table in the BigQuery CLI. |
| Cloud Logging | BigQuery utilizes Cloud Logging for some of your log data. You should disable your_default logging buckets or restrict_default buckets to in-scope regions to maintain compliance using the following command:gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sinkFor more information, seeRegionalize your logs. |
Compute Engine
Affected Compute Engine features
| Feature | Description |
|---|---|
| Guest environment | It is possible for scripts, daemons, and binaries that are included with the guest environment to access unencrypted at-rest and in-use data. Depending on your VM configuration, updates to this software may be installed by default. SeeGuest environment for specific information about each package's contents, source code, and more. These components help you meet data sovereignty through internal security controls and processes. However, if you want additional control, you can also curate your own images or agents and optionally use the compute.trustedImageProjects organization policy constraint.For more information, seeBuilding a custom image. |
| OS policies in VM Manager | Inline scripts and binary output files within the OS policy files are not encrypted using customer-managed encryption keys (CMEK). Don't include any sensitive information in these files. Consider storing these scripts and output files in Cloud Storage buckets. For more information, seeExample OS policies. If you want to restrict the creation or modification of OS policy resources that use inline scripts or binary output files, enable the constraints/osconfig.restrictInlineScriptAndOutputFileUsage organization policy constraint.For more information, seeConstraints for OS Config. |
Compute Engine organization policy constraints
| Organization policy constraint | Description |
|---|---|
compute.disableGlobalCloudArmorPolicy | Set toTrue. Disables the creation of new globalGoogle Cloud Armor security policies and the addition or modification of rules to existing global Google Cloud Armor security policies. This constraint doesn't restrict the removal of rules or the ability to remove or change the description and listing of global Google Cloud Armor security policies. Regional Google Cloud Armor security policies are unaffected by this constraint. All global and regional security policies that exist prior to the enforcement of this constraint remain in effect. |
compute.restrictNonConfidentialComputing | (Optional) Value is not set. Set this value to provide additional defense-in-depth. For more information, see theConfidential VM documentation. |
compute.trustedImageProjects | (Optional) Value is not set. Set this value to provide additional defense-in-depth. Setting this value constrains image storage and disk instantiation to the specified list of projects. This value affects data sovereignty by preventing use of any unauthorized images or agents. |
Cloud Logging
Affected Cloud Logging features
To use Cloud Logging with Customer-managed encryption keys (CMEK), you must complete the steps in theEnable CMEK for an organization page in the Cloud Logging documentation.| Feature | Description |
|---|---|
| Log sinks | Filters shouldn't contain Customer Data. Log sinks include filters which are stored as configuration. Don't create filters that contain Customer Data. |
| Live tailing log entries | Filters shouldn't contain Customer Data. A live tailing session includes a filter which is stored as configuration. Tailing logs doesn't store any log entry data itself, but can query and transmit data across regions. Don't create filters that contain Customer Data. |
Google Cloud NetApp Volumes
Affected Google Cloud NetApp Volumes features
| Feature | Description |
|---|---|
| Supported service levels | Canada Data Boundary supports the following service levels:
|
What's next
- Learn how tocreate an Assured Workloads folder
- Learn about theCanada Data Boundary and Supportcontrol package
- UnderstandAssured Workloads pricing
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.