ERP · Ottawa

Your NetSuite tenant won't pass the SSC security review for a federal contract in Ottawa

The short answer

If you sell into Ontario's federal departments and Kanata North primes, a custom ERP (Enterprise Resource Planning) that can hold a Protected B data boundary and pass an ITSG-33 control review typically runs $90k to $260k over 4 to 8 months in Ottawa. NetSuite and SAP are not wrong because they're weak; they're wrong here because their multi-tenant data residency and audit-logging defaults don't map cleanly to Shared Services Canada hosting rules, and retrofitting that late costs more than building for it.

You run a 60-person firm in Ottawa doing project work for federal departments and a couple of Kanata North primes. NetSuite handles your books fine until a Public Services and Procurement Canada review asks where Protected B data lives, who can read it, and whether your audit trail is immutable. Suddenly the SaaS tenant you can't move into a Canadian sovereign-cloud boundary is a procurement blocker, not an accounting tool.

SAP and Microsoft Dynamics handle scale, but their connectors to your time-and-materials billing against government contract vehicles (supply arrangements, standing offers) need custom work anyway. You end up paying enterprise licensing AND custom dev, then still can't prove the data-handling chain a security assessor wants. The off-the-shelf ERP becomes the thing slowing down the contract you bought it to win.

What breaks first in Ottawa

  • NetSuite multi-tenant hosting can't demonstrate the Protected B data-residency boundary a federal security review requires
  • Time-and-materials billing against standing offers and supply arrangements needs custom modules SAP charges enterprise rates to build
  • Audit logs in off-the-shelf ERP aren't immutable enough to satisfy an ITSG-33 assessor
  • Bilingual (English-French) financial reporting under the Official Languages Act is an afterthought in US-built ERP

The fix: erp built for Ottawa, not rented

A custom ERP lets you draw the security boundary first and the features second. You host inside a boundary you control, generate the immutable audit trail an assessor will actually accept, and bake bilingual reporting and government contract-vehicle billing into the data model instead of bolting them on. For an Ottawa firm where one failed security review delays a seven-figure contract by a quarter, that control pays for itself on the first renewal.

What erp costs in Ottawa

Project scopeTypical costTimeline
Finance-only ERP with audit logging$90k to $150k4 to 5 months
Finance plus project costing and contract-vehicle billing$150k to $210k5 to 7 months
Full ERP with Protected B boundary and bilingual reporting$200k to $260k6 to 8 months
Cost by project scopeCost by project scopeFinance-only ERP with audit logging$90k to $150kFinance plus project costing and contract-vehicle billing$150k to $210kFull ERP with Protected B boundary and bilingual reporting$200k to $260k
Typical project cost bands. Source: Digital Heroes 2026 delivery benchmarks.

The capability list that earns its budget

What to build in
+Protected B data boundary with role-based access and field-level encryption
+Immutable audit log keyed to every record change, exportable for security assessment
+Government contract-vehicle billing: standing offers, supply arrangements, T&M and milestone
+Bilingual ledger, invoices, and reporting under the Official Languages Act
+GL, AP/AR, and project-cost accounting tuned for federal contractor cash flow and holdbacks
+API layer for clean links to CRM (Customer Relationship Management), project management software, and BI (Business Intelligence) dashboards

Ottawa ERP: the full scope

Everything an ERP build here can cover: cloud ERP, manufacturing ERP, distribution ERP, custom ERP modules, ERP API integration, ERP implementation and ERP integration.

Exactly what you get

A finance and operations backbone that draws its security boundary before its feature list. You get a GL, AP/AR, project-cost accounting tuned to federal contractor holdbacks, contract-vehicle billing for standing offers and supply arrangements, immutable audit logging an assessor will accept, and bilingual output baked into the data model. It connects cleanly to your CRM, project management software, and BI dashboards instead of forcing a second integration project.

How to choose a developer in Ottawa

Hire the firm that asks about your security review before your chart of accounts. The right Ottawa partner has shipped software through a federal procurement gate, can name the controls in ITSG-33 they implemented, and treats bilingual rendering as architecture rather than translation. Ask for a reference where their build passed a departmental security assessment on the first pass, and ask who owns patching after launch.

Red flags when hiring (and what to ask instead)
  • !They've never heard of ITSG-33 or Protected B; ask which federal security frameworks they've shipped against
  • !They quote a fixed price before scoping your contract-vehicle billing; ask how they'll handle standing offers
  • !They treat bilingual output as a translation pass at the end; ask to see French-first form rendering
  • !No story on immutable audit logging; ask exactly how record history is made tamper-evident
  • !They want to host wherever is cheapest; ask how they meet SSC data-residency expectations
Want these numbers scoped for your Ottawa operation?
Bring the messy version. You leave with a plan and a real number in 48 hours.
Talk to Digital Heroes

Most Ottawa teams pricing erp end up comparing notes on internal tools, shopify, inventory management too; the systems share one data spine.

Rohan Malhotra · Enterprise Software Consultant

Rohan advises mid-market and enterprise teams on ERP, CRM and custom software, and has led delivery on dozens of business-software builds.

Writes for Digital Heroes, shipping business software for 2,000+ brands across 55+ countries since 2017.

FAQ

Frequently asked questions

Can't I just host NetSuite in a Canadian data centre to pass review?

Data-centre location is only part of what a federal security review checks. Protected B handling also requires demonstrable access controls, immutable audit trails, and a data boundary you can attest to. NetSuite's multi-tenant architecture makes those attestations hard regardless of where the servers physically sit, which is why Ottawa contractors often build instead.

How long before a custom ERP can pass an ITSG-33 review?

Plan for 4 to 8 months of build plus a security assessment window. The build itself isn't the long pole; the assessment and any remediation are. Building the controls in from day one, rather than retrofitting, is what keeps that assessment from becoming a second project.

Do I need bilingual reporting if my team works in English?

If you produce financial documents that flow to a federal department or the public, the Official Languages Act expectations apply to the output, not your internal team. Building bilingual output in from the start costs far less than retrofitting every invoice and report template later.

What does a Protected B boundary actually cost to build?

It's the single biggest cost driver, often 30 to 40 percent of an Ottawa ERP build. The expense is in access control, encryption, audit logging, and the documentation a security assessor needs. It's also the reason off-the-shelf ERP fails here, so it's rarely optional for federal work.

Keep reading