Updated January 2025

Export Compliance Statement

Arcliance provides a controlled environment to manage restricted party screening, technical data controls, and export licensing obligations. This page summarizes our shared-responsibility model and key assurances.

Our Commitments

ITAR & EAR Alignment

Arcliance is designed for organizations regulated under 22 CFR (ITAR) and 15 CFR (EAR). We support classification workflows, license tracking, proviso management, and jurisdictional segregation of data subject to Part 734 and Part 744 controls.

Data Residency & Access Control

Customer data is hosted in segregated environments located in the United States by default. Logical access is granted only to screened U.S. Persons unless a customer requests a multinational support model with explicit written authorization.

Auditability

Immutable audit logs capture every access to controlled technical data, along with the associated user, IP address, device, and action. Logs are retained for a minimum of seven years to align with ITAR 122.5 and EAR 762.6.

Encryption & Key Management

All controlled data is encrypted at rest with AES-256 and transmitted over TLS 1.3 with Perfect Forward Secrecy. Keys are held in dedicated Hardware Security Modules that enforce split knowledge and quarterly rotation.

Secure Development Lifecycle

Product changes pass static analysis, dependency scanning, and peer review. Release pipelines run through FedRAMP Moderate-aligned CI/CD, and privileged operations require just-in-time access with MFA.

Customer Responsibilities

Classify products, software, and technology and maintain accurate ECCN/USML references.
Define access control policies that restrict ITAR data to U.S. Persons and monitor exceptions.
Provide end-use statements and license provisos so that workflow rules can enforce limitations.
Notify Arcliance of any suspected violations or government inquiries related to use of the platform.

Government Access & Transparency

Arcliance maintains a single-tenant log archive per customer. Government information requests are reviewed by our legal team, scoped to the minimum necessary data, and disclosed to affected customers unless prohibited by law. We have not received National Security Letters or orders under FISA Section 702.

Independent Assurance

Our control environment is being prepared for SOC 2 Type II and ISO 27001 audits (both in progress). Penetration tests are performed twice per year by CREST-accredited firms with experience validating ITAR cloud enclaves.

Contact

For signed compliance attestations, DDTC advisory opinions, or technology control plan mapping, contact compliance@arcliance.com. Provide your registration number, program scope, and any deadlines tied to government filings.