Export Controls

Export control regulations are federal laws that prohibit the unlicensed export of items (which may include technology or technical data) that are of importance to national security, foreign policy, and economic objectives. In simple terms, an export is defined as any disclosure, transmission, or transfer of controlled items to any non-U.S. persons or physically out of the U.S.

These regulations can make data sharing difficult, especially for organizations leveraging cloud services, and penalties for non-compliance are severe. Through "carve-out" rulings in two major export regulations, EAR and ITAR, Virtru customers can safely store and share data in the cloud.

ITAR

The Department of State Directorate of Defense Trade Controls' International Traffic in Arms Regulations (22 CFR Subchapter M) governs the export and temporary import of defense articles and services as defined in the United States Munitions List (USML).

Activities that are not exports under ITAR

22 CFR § 120.54 of the ITAR defines activities that are not considered exports, reexports, retransfers, or temporary imports. The provision that applies to Virtru customers is:

(a) The following activities are not exports, reexports, retransfers, or temporary imports:

...

  (5) Sending, taking, or storing technical data that is:

   (i) Unclassified;

   (ii) Secured using end-to-end encryption;

   (iii) Secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128);

   (iv) Not intentionally sent to a person in or stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation; and

   (v) Not sent from a country proscribed in § 126.1 of this subchapter or the Russian Federation.

EAR

The Department of Commerce Bureau of Industry and Security's Export Administration Regulations (EAR) (15 CFR Subchapter C) governs the export and reexport of commodities, software, and technology. This can extend to commercial items that could also be used for conventional arms, weapons of mass destruction, terrorist activities, human rights abuses, or less sensitive military uses.

Activities that are not exports under EAR

15 CFR § 734.18 of the EAR defines activities that are not considered exports, reexports, or transfers. The provision that applies to Virtru customers is:

(a) Activities that are not exports, reexports, or transfers. The following activities are not exports, reexports, or transfers:

...

  (5) Sending, taking, or storing “technology” or “software” that is:

   (i) Unclassified;

   (ii) Secured using 'end-to-end encryption;'

   (iii) Secured using cryptographic modules (hardware or “software”) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by “software” implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and

   (iv) Not intentionally stored in a country listed in Country Group D:5 (see supplement no. 1 to part 740 of the EAR) or in the Russian Federation.

How Virtru Enables Compliance

Encrypting data with Virtru's client-side encryption clients allows you to avoid export restrictions. Virtru's cloud infrastructure is hosted entirely in the U.S., uses encryption algorithms that comply with FIPS 140-2, is FedRAMP authorized at the moderate impact level, and adheres to the security controls defined by NIST SP 800-53. Most importantly, Virtru and other cloud service providers cannot access your protected data.