International Traffic in Arms Regulations (ITAR)
ITAR, the International Traffic in Arms Regulations, is a set of United States regulations governing the export and handling of defense-related articles, services, and technical data. It is administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC).
If you are a manufacturer, exporter, or broker of defense items listed on the United States Munitions List (USML), you must:
- Be registered with DDTC,
- Understand and abide by ITAR requirements, and
- Self-certify that your systems and processes are compliant.
Unlike SOC 2 or ISO 27001, there is no formal ITAR certification offered by any third party.
One of ITAR's key restrictions is that covered materials must not be accessed by non-U.S. persons, unless a specific exemption or authorization exists.
Files.com's Role Under a Shared Responsibility Model
Files.com operates under a Shared Responsibility Model. This means:
- Files.com is responsible for the infrastructure, platform, and security controls we provide.
- Customers are responsible for how they configure and use Files.com to meet regulatory requirements such as ITAR.
You must carefully configure your Files.com environment to ensure ITAR compliance. We provide the tools—you are responsible for using them properly.
Using Files.com in an ITAR-Compliant Way
Files.com can be used in ITAR-compliant workflows when configured carefully, with the following key principles in mind:
No Long-Term Storage on Files.com
Files.com’s built-in storage is not ITAR-compliant. However, many customers use Files.com solely as a transfer and governance layer, with no data being stored long term on the platform.
To achieve this:
- Mount an ITAR-compliant storage location (such as Amazon S3 in GovCloud) using Remote Server Mounts, or
- Use the Files.com Agent installed on an environment you control and have validated as ITAR-compliant.
We strongly recommend Amazon GovCloud S3 as your backing storage due to its compliance guarantees and seamless integration with Files.com.
Folder and Site Configuration
Use Remote Server Mounts or Child Site storage overrides to ensure that no sensitive files are stored on Files.com servers. This ensures that your data resides only in an ITAR-compliant location under your control.
Additional Configuration Recommendations
SIEM Integration
Enable Files.com’s SIEM integration and export log data to your own compliant storage. This provides an auditable trail of access to all data passing through Files.com, satisfying traceability requirements.
Restrict to U.S. Access Only
Use the “Allowed/Disallowed Countries” feature to block all access from outside the United States based on IP geolocation. This is a helpful security layer, though not foolproof due to potential circumvention via VPNs or proxy services.
Disable Full-Access Support Tickets
Do not use Files.com’s "Full Access" support feature if you're handling ITAR-sensitive data. Files.com cannot guarantee that all support staff are U.S. persons. Restricting full-access support is critical to maintaining your ITAR compliance.
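As an added example (not Files.com's own code or API), the checks above can be expressed as a small audit over a site configuration: every folder must be backed by an S3 mount in an AWS GovCloud region, a root mount must exist so nothing falls through to built-in storage, geolocation must be US-only, SIEM export must be on, and Full Access support must be off. The configuration fields and the two sample configurations are an assumed, simplified shape constructed for illustration.

```python
import re
from dataclasses import dataclass

# AWS GovCloud regions are named us-gov-east-1 / us-gov-west-1.
GOVCLOUD_REGION = re.compile(r"^us-gov-(east|west)-\d+$")

@dataclass
class Mount:
    path: str          # folder on the Files.com site
    server_type: str   # "s3" for an S3 remote server mount (assumed value)
    region: str = ""   # bucket region, e.g. "us-gov-west-1"

@dataclass
class SiteConfig:                   # assumed shape, not the Files.com API
    mounts: list                    # Remote Server Mounts / storage overrides
    allowed_countries: list         # ISO country codes allowed by geolocation
    siem_export_enabled: bool
    full_access_support_enabled: bool

def audit(cfg: SiteConfig) -> list:
    """Return findings; an empty list means every principle above is met."""
    findings = []
    # Paths not covered by a mount land on built-in storage, so require a root mount.
    if not any(m.path == "/" for m in cfg.mounts):
        findings.append("no root mount: unmounted paths would use Files.com built-in storage")
    for m in cfg.mounts:
        if m.server_type != "s3" or not GOVCLOUD_REGION.match(m.region):
            findings.append(f"{m.path}: backing storage is not GovCloud S3 "
                            f"({m.server_type}, {m.region or 'no region'})")
    if sorted(cfg.allowed_countries) != ["US"]:
        findings.append(f"allowed countries {cfg.allowed_countries} is not US-only")
    if not cfg.siem_export_enabled:
        findings.append("SIEM export disabled: no external audit trail")
    if cfg.full_access_support_enabled:
        findings.append("Full Access support enabled: support staff may be non-U.S. persons")
    return findings

# Constructed sample configurations (not real site data).
WEAK = SiteConfig([Mount("/exports", "s3", "us-east-1")], ["US", "CA"], False, True)
HARDENED = SiteConfig([Mount("/", "s3", "us-gov-west-1")], ["US"], True, False)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["OK"])
```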
Organizational and Technical Controls at Files.com
Only a limited group of senior, U.S.-based full-time employees have access to production systems. These employees:
- Are all considered U.S. persons under ITAR definitions,
- Pass background, reference, and certification checks,
- Sign binding confidentiality agreements,
- Are subject to disciplinary action and termination for violations,
- Must be employed for at least one year (unless approved by the CTO) before receiving "root" access, and
- Have all system access fully logged.
Most Files.com staff do not have access to customer data, secrets, or credentials. This data is secured in production systems with access controls, and system secrets are managed using HashiCorp Vault.
Future Enhancements
We are actively exploring the following ITAR-specific platform improvements:
- Direct support for GovCloud as a storage region, reducing manual configuration requirements
- The ability to flag an account as “ITAR-enabled”, which would:
  - Disable Full Access Support by default
  - Apply additional restrictions automatically
Final Note: You Own the Configuration
As with any compliance framework, ITAR compliance with Files.com is possible—but only if you configure your environment correctly.
We provide the tools. You are responsible for using them in accordance with ITAR and other applicable regulations.
This article is not legal advice. Organizations handling ITAR-controlled data are solely responsible for ensuring that their use of Files.com complies with ITAR and all applicable regulations.
We strongly recommend consulting with your legal and compliance teams to assess your specific responsibilities under ITAR.