International Traffic in Arms Regulations (ITAR)
ITAR, the International Traffic in Arms Regulations, is a set of United States regulations that control the export and import of defense-related articles and services on the United States Munitions List (USML) and of related technical data. The US Department of State's Directorate of Defense Trade Controls (DDTC) administers ITAR.
ITAR requires, in relevant part, that covered material (items listed on the USML) only be shared with U.S. persons absent special authorization or exemption.
Unlike SOC 2, there is no formal ITAR certification. If you are a manufacturer, exporter, or broker of defense articles, services, or related technologies as defined on the USML, you must be registered with DDTC, must understand and abide by ITAR, and must self-certify that you operate in accordance with ITAR.
Achieving ITAR Compliance When Using Files.com
ITAR compliance with Files.com is possible, but it requires that you carefully configure your site.
ITAR-Compliant Long-Term Storage
Files.com's built-in storage is not ITAR compliant. However, we have several customers who are able to use Files.com to transfer data subject to ITAR.
This is done by configuring your site so that no data is stored on Files.com itself, and Files.com is only used as a transfer and governance layer on top of that data.
To do that, you can either use a trusted cloud provider that is ITAR compliant for storage, such as Amazon S3 in AWS GovCloud, or you can install the Files.com Agent in an ITAR-compliant environment that you control. If you are using a cloud provider, we strongly recommend Amazon S3 in AWS GovCloud because our environment is highly optimized for working with S3.
You will then need to configure the relevant folders and/or Child Sites to use that ITAR-compliant storage as their storage. This can be done with our Remote Server Mount capability.
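Because the point of this configuration is that no in-scope data ever lands on built-in storage, it is worth auditing the result rather than trusting the initial setup. The following script is an added example, not Files.com's own code or API: it assumes that a folder's storage backend can be exported as a "remote_server_mount" behavior record referencing a remote server, and that remote servers carry a server type and S3 region. The record layout, field names and sample values are constructed for this example; map them to whatever your own export of the site configuration actually contains.

```python
"""Audit that in-scope Files.com folders are backed by ITAR-compliant remote storage.

Assumption (constructed for this example, not taken from Files.com documentation):
each folder's storage configuration is exported as a "remote_server_mount"
behavior carrying a remote_server_id, and remote servers carry server_type and
s3_region. Adjust the field names to match your actual export.
"""

# Regions and server types this audit treats as ITAR-compliant.
# Assumption: only AWS GovCloud S3 buckets are approved; edit to your own list.
APPROVED_S3_REGIONS = {"us-gov-west-1", "us-gov-east-1"}
APPROVED_SERVER_TYPES = {"s3"}

# Constructed sample: remote servers as an operator might export them.
REMOTE_SERVERS = [
    {"id": 101, "name": "govcloud-itar", "server_type": "s3", "s3_region": "us-gov-west-1"},
    {"id": 102, "name": "commercial-s3", "server_type": "s3", "s3_region": "us-east-1"},
]

# Constructed sample: in-scope folders and the behaviors attached to them.
FOLDERS = [
    {"path": "itar/engineering",
     "behaviors": [{"behavior": "remote_server_mount",
                    "value": {"remote_server_id": 101, "remote_path": "eng"}}]},
    {"path": "itar/exports",
     "behaviors": [{"behavior": "remote_server_mount",
                    "value": {"remote_server_id": 102, "remote_path": "exp"}}]},
    # No mount at all: anything uploaded here would sit on built-in storage.
    {"path": "itar/scratch", "behaviors": []},
]


def approved_server_ids(servers):
    """IDs of remote servers whose type and region are on the approved list."""
    return {
        s["id"] for s in servers
        if s.get("server_type") in APPROVED_SERVER_TYPES
        and s.get("s3_region") in APPROVED_S3_REGIONS
    }


def audit_folders(folders, servers):
    """Return {path: finding} for folders not backed by approved storage.

    An empty dict means every folder in scope is mounted to approved storage.
    """
    ok = approved_server_ids(servers)
    findings = {}
    for folder in folders:
        mounts = [b for b in folder.get("behaviors", [])
                  if b.get("behavior") == "remote_server_mount"]
        if not mounts:
            findings[folder["path"]] = (
                "no remote mount: data would be stored on Files.com built-in storage")
            continue
        bad = [m["value"].get("remote_server_id") for m in mounts
               if m["value"].get("remote_server_id") not in ok]
        if bad:
            findings[folder["path"]] = f"mounted to unapproved remote server id(s) {bad}"
    return findings


if __name__ == "__main__":
    results = audit_folders(FOLDERS, REMOTE_SERVERS)
    for path, why in results.items():
        print(f"FAIL {path}: {why}")
    if not results:
        print("PASS: all in-scope folders use approved storage")
```

Run this against a fresh export whenever folders or Child Sites are added, since a new top-level folder created without a mount silently falls back to built-in storage.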
SIEM Integration
You should enable Files.com's SIEM integration and store an external copy of all log data generated by the Files.com system. This provides an additional audit trail you can use to prove the full history of access to any files subject to ITAR.
Allowed Countries
Use the "Allowed/disallowed countries" capability of Files.com to restrict user access to the United States. This capability uses commercial IP geolocation services to disallow access from IP addresses not in the United States.
Please note that this protection can be circumvented by VPNs, and it should be considered just one layer of a defense-in-depth approach.
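The SIEM copy of the logs is what lets you act on that caveat: the geolocation block is enforced at login time, while the exported audit trail lets you reconstruct who touched an ITAR-controlled file and from where, after the fact. The following is an added example rather than Files.com code or Files.com's log format: it assumes a SIEM export of one JSON object per line with user, action, path, source IP, geolocated country and a UTC timestamp. The field names and the sample events are constructed for this example; adapt the parser to the fields your SIEM actually stores.

```python
"""Review an external copy of Files.com audit logs for ITAR-relevant access.

Assumption: the line format below (one JSON object per line with ts, user,
action, path, ip and country) is constructed for this example and is not the
real Files.com log schema; map the field names to your own SIEM export.
"""
import json
from collections import defaultdict
from datetime import datetime

# Countries from which access to ITAR-controlled data is permitted.
ALLOWED_COUNTRIES = {"US"}

# Constructed sample of exported audit events (IPs are documentation ranges).
SAMPLE_LOG = """
{"ts": "2024-05-01T13:00:00Z", "user": "alice", "action": "read", "path": "itar/engineering/drawing.pdf", "ip": "198.51.100.10", "country": "US"}
{"ts": "2024-05-01T13:05:00Z", "user": "bob", "action": "write", "path": "itar/engineering/drawing.pdf", "ip": "203.0.113.7", "country": "US"}
{"ts": "2024-05-01T13:06:00Z", "user": "bob", "action": "read", "path": "itar/exports/bom.xlsx", "ip": "192.0.2.44", "country": "DE"}
{"ts": "2024-05-01T14:00:00Z", "user": "alice", "action": "delete", "path": "itar/engineering/drawing.pdf", "ip": "198.51.100.10", "country": "US"}
"""


def parse_events(text):
    """Parse JSON-lines audit export into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def file_history(events, path):
    """Chronological (user, action, country) tuples for one file: its audit trail."""
    return [(e["user"], e["action"], e["country"]) for e in events if e["path"] == path]


def flag_disallowed_country(events, allowed=ALLOWED_COUNTRIES):
    """Events whose geolocated source country is outside the allowed set."""
    return [e for e in events if e["country"] not in allowed]


def users_seen_from_multiple_countries(events):
    """Users whose sessions geolocate to more than one country.

    A single account appearing from several countries in one export is a
    useful second signal when a VPN may be masking the true origin.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["country"])
    return {user: countries for user, countries in seen.items() if len(countries) > 1}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("history:", file_history(evts, "itar/engineering/drawing.pdf"))
    for e in flag_disallowed_country(evts):
        print(f"ALERT {e['ts']:%Y-%m-%dT%H:%M:%SZ} {e['user']} from {e['country']} ({e['ip']}) {e['action']} {e['path']}")
    print("multi-country users:", users_seen_from_multiple_countries(evts))
```

The per-file history is the artifact an auditor will ask for; the two flagging functions are the kind of retrospective check that backs up the IP-geolocation block, which on its own only decides at login time.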
Do Not Create Any Full Access Support Tickets
To maintain ITAR compliance, do not use the feature of our Support tab which grants access to your site or files to Files.com's support representatives. We are unable to guarantee that all of our support reps are USA based.
Comprehensive Technical and Organizational Controls
Files.com is committed to excellence in all aspects of our company and our platform. We have invested heavily in our internal controls and internal processes around security and compliance, and we published the details of our programs' technical and organizational controls on our Compliance page.
SOC 2 Certified
We conduct a SOC 2 audit annually, with an audit period start date of April 1, and our SOC 2 auditor is Kirkpatrick Price.
In addition to this engagement, Files.com has successfully accomplished several prior SOC 2 engagements with Kirkpatrick Price.
We are happy to provide our customers or prospects with our SOC 2 report, or a Bridge Letter if needed.
US-Based Trusted Employees
Most Files.com staff do not have access to passwords, file contents, passwords to remote servers, or other secure data. This data is stored safely in our production systems. Only trusted, senior Files.com Engineering and Infrastructure staff have "root" access to production systems that could allow them to access this information more directly.
These staff are all full-time USA-based employees who have passed background, reference and certification checks, have signed agreements to honor the Files.com Privacy Policy, and are subject to termination and other penalties in the event of any inappropriate actions.
Additionally, unless otherwise approved by the CTO, staff will be employed by Files.com for at least one year before being given "root" access to production systems. Any direct access to servers is logged.
Possible Future Files.com Enhancements
Files.com is considering adding direct support for GovCloud in the future, which would remove the manual integration requirement for long-term storage. Additionally, we are considering adding the ability to "flag" your account as ITAR enabled. This would trigger a guarantee that your Support Tickets are never able to grant Full Access to your site.
Shared Responsibility Model
As with any compliance framework, and consistent with our Shared Responsibility Model, you are responsible for properly setting up your account to meet ITAR requirements and all other applicable laws and regulations. You should consult with your legal advisors for questions regarding regulatory compliance.