I can speak generally. Again, it's not my area of expertise, but I have some exposure to it as a security practitioner.
When we're talking about document safeguarding, it means that the vendor may be required to hold protected information within their physical premises or within their IT systems, which would be different from if they were working solely within a CBSA space where they may have access to systems of ours. However, when they control it, they need to have measures in place to protect it.