ITAR Compliance – Meet Your ITAR Export Requirements in the Cloud With SafeShare

The SafeShare solution for the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) helps customers leverage private and public Clouds for regulated business processes.

SafeShare for ITAR is a highly secure and easy-to-use file storage and sharing system that has been packaged specifically for International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) compliance.

With SafeShare for ITAR your company can comply with the ITAR and EAR, while also benefiting from the productivity, flexibility and cost efficiencies of working in the Cloud.

Because SafeShare for ITAR is a secure enterprise file sync and sharing solution deployed in ITAR-compliant Amazon Web Services (AWS) GovCloud, it gives your business the ability to migrate ITAR regulated data to the Cloud without affecting your employees’ ability to access and securely share sensitive information.

Does Your Company Need to Be ITAR Compliant?

If your company designs, handles, manufactures, sells or distributes goods or services covered under the USML, you are part of the Defence Industrial Base (DIB) supply chain and you will need to certify that you are operating in accordance with ITAR.

ITAR compliance was designed to prevent the disclosure or transfer of sensitive information to foreign nationals by regulating the export of any defence-related goods or services on the United States Munitions List (USML). This means only U.S. citizens can access items on the USML.

Failure to comply with ITAR is a serious offence with possible civil fines as high as $500,000 per violation and criminal fines of up to $1,000,000 and 10 years in prison per violation.

Defence Articles Protected By ITAR 

The 21 categories of Defense Articles listed in the USML include:

  • Aircraft and Related Articles
  • Ammunition/Ordnance
  • Articles, Technical Data and Defense Services Not Otherwise Enumerated
  • Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
  • Directed Energy Weapons
  • Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
  • Firearms, Close Assault Weapons and Combat Shotguns
  • Fire Control, Laser, Imaging and Guidance Equipment
  • Gas Turbine Engines and Associated Equipment
  • Ground Vehicles
  • Guns and Armament
  • Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
  • Materials and Miscellaneous Articles
  • Military Electronics
  • Military Training Equipment and Training
  • Nuclear Weapons Related Articles
  • Personal Protective Equipment
  • Spacecraft and Related Articles
  • Submersible Vessels and Related Articles
  • Surface Vessels of War and Special Naval Equipment
  • Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment

Secure Your ITAR Controlled Data and Prove Compliance with SafeShare

SafeShare for ITAR allows you to secure your ITAR controlled data and prove compliance while at the same time coordinating with and sharing information with other organizations in the Defence Industrial Base (DIB) supply chain.

The 2020 amendment to ITAR means that your organization is now allowed to migrate ITAR regulated data to the Cloud without it being considered an export as long as it is:

  • Kept safe from being accessed by non-US citizens
  • Encrypted end-to-end 
  • Cryptographically secured

By using SafeShare for ITAR you will ensure you’re compliant with these most current regulations and able to prove your ITAR compliance while securing your sensitive ITAR-controlled data in the cloud.

US Sovereign Cloud Based

Unlike commercial cloud offerings (Office 365, Google Drive, Dropbox, and Box), SafeShare for ITAR is a secure, ITAR and EAR compliant cloud-based system with files stored in a US sovereign cloud.

Regardless of the size of your organization, you can use SafeShare for ITAR to seamlessly migrate your ITAR regulated data to the Cloud.

End-to-End Encryption

Every single file uploaded in SafeShare is individually encrypted at its source, complying with the strict definition of Cryptographic Security in ITAR and the EAR. 

End-to-end encryption ensures ITAR compliance by protecting files against accidental or malicious leakage. Even if your system is compromised your documents are protected from being read by anyone that you have not authorized – even your IT systems administrator cannot access your files or encryption keys.

Audit Trail to prove compliance

SafeShare for ITAR also protects your business when you are sharing schematics with other organizations in the supply chain. If there is a leak, all of the organizations, including yours, will be under investigation, and you will require a strong and secure audit trail to prove your innocence.

There is no other audit like SafeShare for ITAR. Every step is securely logged, with access logged against user ID and every unique encryption, for a full audit history.


SafeShare for ITAR is the only data protection software that provides access control governed by where in the world you are, blocking access from foreign countries.

You can restrict access to any location or country – just set the coordinates!

Two Factor Authentication

ITAR data security recommendations include best practices such as two factor identification that provides strong authentication of users and prevents breaches due to stolen passwords.

SafeShare for ITAR automatically and transparently secures files with end-to-end encryption, granular access controls, and multi-factor authentication. 

Zero Installation, Easy to Use and Easy to Share

SafeShare for ITAR has been designed to be intuitive and user friendly, saving you time and allowing you to focus on your business rather than worrying about how to correctly install and use the file sharing system.

You don’t need an IT department to run SafeShare for ITAR and you can access it anywhere, anytime from any device or web browser. You can easily grant access and securely share information with external users such as other organizations in the Defence Industrial Base (DIB) supply chain.

Dynamic Watermarking 

Documents that are restricted to ‘online view only’ for certain users can be configured to automatically insert a watermark when viewed. This watermark includes the user ID and time/location when the file was viewed and ensures that any forwarding of screen shots to other parties or unauthorised printing of schematics will identify the originating user.

Identity Provider Integration

SafeShare for ITAR integrates with services such as Microsoft ADFS for identity management and authentication.

First Class US Based Support Team

Our US-based customer support is available 24/7 for quick responses to your questions and all Cocoon Data personnel involved in administering the SafeShare for ITAR environment are US citizens. 

Because every file in SafeShare for ITAR is secured with end-to-end encryption the Cocoon Data staff can neither view nor alter your technical data.

Meet Your ITAR Export Requirements in the Cloud With SafeShare

If your company is subject to ITAR compliance, SafeShare for ITAR allows you to seamlessly protect, store and share your sensitive ITAR Controlled data in the Cloud while still remaining ITAR compliant.

SafeShare for ITAR allows your business to achieve the productivity and cost efficiencies of the cloud while complying with the ITAR and the EAR. 

The advanced security capabilities of SafeShare for ITAR provide the controls businesses need to manage access to technical data while providing employees the simplest user experience to which they are accustomed. 

If your organization is planning on or is currently working on material defined within Part 121, the USML, it is very likely you are required to be compliant with ITAR regulation 22 CFR 120-130.

Please refer to the Enumeration of Articles published by the Electronic Code of Federal Regulations (e-CFR) for the reference to materials.

Download Your Free Whitepaper 

ITAR and EAR Compliance in the Cloud

Find out how to create an ITAR and EAR compliant infrastructure for data.

  • Describes 4 main challenges
    • Most commercial cloud offerings are non ITAR compliant
    • Technical Data can be hard to define
    • Encryption of data in transit and at rest is not the same as End-to-End Encryption
    • Native permissions management capabilities are insufficient
  • Discover specific controls SafeShare can address

“All in all our employees are really thrilled at how easy to use the site is in comparison with FTP sites they’ve had to use in the past.”

Senior Administrator
Advanced Functional Materials Company

“I would recommend SafeShare to any organization that needs to be in compliance with ITAR, and am confident the product and company will stand up to that reference.”

Cary Glover
Cast-Rite Corporation | US Defense Contractor


Cocoon Data maintains an ISO 27001 certification, adheres to NIST 800-171 guidelines and we are in the process of adopting CMMC prior to this new regulation going live. 

Data ownership by default is linked to the user that created the data. Each piece of data is encrypted with its own AES-256 bit key and the key is owned by the owner of the data.

All data is stored in AWS GovCloud.

All data is encrypted prior to transit in and out of SafeShare in GovCloud. Data at rest is encrypted with AES-256 bit encryption keys which are only accessible by the data owner (user). Each document is encrypted with its own unique AES-256 bit encryption key (100 documents have 100 unique keys). Our patented approach to encryption and policy association with the data owner identity allows for more granular and secure controls than traditional volume encryption, which only employs 1 encryption key and relies solely on policy to protect sensitive data.

All Cocoon Data engineering staff are required to pass a background check. Engineers that work on our GovCloud Operations Team have additional requirements such as being a US citizen and going through extensive training on ITAR regulation and security protocol for such regulated data.

All GovCloud operations follow strict security guidelines including, but not limited to, change control of all system configurations, internal audits, internal penetration testing, formal review processes, C3PAO audits and C3PAO penetration testing. In the event of a data breach we will employ our critical security response team to shut down the breach, gather forensic evidence and notify our customer base of such an incident.

All support is conducted in house. Most development is conducted in house. All development that is conducted by third parties is reviewed and audited prior to merge with any of our products.

All data is backed up for 35 days.

SafeShare is built on modern high availability cluster architecture that allows for a high degree of flexibility and uptime. All data is stored in a database independently from infrastructure. Backups are done daily and stored for 35 days. The following conditions are made:
a) Determine Process and System Criticality
b) Identify Outage Impacts and Estimated Downtime
     i) Outage Impacts
     ii) Estimated Downtime
          1: Maximum Tolerable Downtime (MTD)
          2: Recovery Time Objective (RTO)
          3: Recovery Point Objective (RPO)
c) Identify Recovery Priorities for System Resources
     i) Recovery Time Objective (RTO)

Cocoon Data requires all GovCloud engineers to sign an NDA requiring them to not divulge or disclose sensitive information about Cocoon Data, Cocoon Data clients or sensitive information about any party learned under their employment.

Cocoon Data updates and/or performs routine maintenance on SafeShare infrastructure at least quarterly. 

Please see Cocoon Data’s SLA documentation. 

Cocoon Data offers a minimum of 99.9% uptime of our SaaS offerings.