Your Access Controls Weren't Built for Export Compliance
Traditional role-based IT permissions don't know who's a foreign national. DLP doesn't check export classifications. Every day, controlled technical data is one file share away from an unlicensed deemed export.

Three Ways EAR Exposure Hides in Plain Sight

You know EAR applies broadly, but here's where most companies discover — too late — that they've been in violation all along:

Broader Than You Think
The Commerce Control List (CCL) spans 10 categories of items, from electronics and computers to materials processing and propulsion. Even items classified as EAR99, the lowest control level, require a license if destined for embargoed countries, restricted end-users, or prohibited end-uses.
The "Deemed Export" Trap
Sharing controlled technology with a foreign national inside the U.S. is legally the same as exporting it to their home country. If your engineering team includes foreign nationals with access to controlled technical data, you may be making unlicensed "deemed exports" right now without knowing it.
Enforcement Is Escalating
BIS has appointed its first-ever Chief of Corporate Enforcement and removed penalty caps, and the Commerce Secretary has signaled a "dramatic increase" in enforcement. The $140M Cadence and $300M Seagate penalties aren't outliers; they're the new baseline.
The "Deemed Export" Rule Could Be Your Biggest Exposure
Under the EAR, releasing controlled technology to a foreign person in the United States is treated as an export to that person's home country. This means your diverse, global workforce - which is one of your greatest strengths - is also your greatest compliance risk.
Most organizations rely on policies and training to manage this. But policies don't enforce themselves. And right now, your IT systems grant access based on job role, not nationality. There's no technical barrier between a foreign national employee and a controlled file.
Foreign national engineer opens controlled CAD files
IT permissions allow access based on role, not nationality. This constitutes an unlicensed deemed export, and you may never know it happened.
Remote worker abroad accesses controlled source code
VPN provides network access with no export classification check. This is an actual export, not just a deemed export, carrying even heavier penalties.
Controlled specs shared in a cross-functional Slack or Teams channel
Anyone in the channel can read the file. If foreign nationals are members, you've made an unlicensed release. Every member from a restricted country is a separate violation.
AI Copilot crawls your repository containing controlled data
AI agents access everything the user has permissions to - regardless of export classification. Controlled data surfaces in AI-generated responses with zero visibility or audit trail.

EAR Penalties Are No Longer "Manageable"

For years, EAR penalties were modest compared to other regulatory regimes. That era is over. BIS has removed penalty caps, hired its first Chief of Corporate Enforcement, and is applying the "high probability" knowledge standard, meaning you can be held liable even without actual knowledge of violations.

$374K: Per Violation (Civil)
$1M: Per Violation (Criminal)
Denial: Export Privilege Revocation

Enforcement Isn't Hypothetical

Real companies. Real penalties. Real consequences.

$300,000,000
Seagate Technology (2023)
Largest BIS penalty in history. Seagate continued selling hard disk drives to Huawei after the company was placed on the Entity List, despite clear knowledge of the restrictions.
$140,000,000+
Cadence Design Systems (2025)
First coordinated DOJ/BIS corporate guilty plea. Cadence's China subsidiary transferred dual-use EDA technology to Chinese military end-users developing supercomputers for nuclear weapons programs.
$3,300,000
Integra Technologies (2024)
94 violations for exporting EAR99 transistors to Russia without required licenses. Even "low-control" EAR99 items carry serious risk when exported to restricted destinations.
$2,500,000
Haas Automation (2025)
Exported CNC machine parts to Entity List parties in China and Russia over a 5-year period. First CNC manufacturer ever fined for violating U.S. export control and sanctions laws.
Why Theodosian

File-Level Enforcement for EAR-Controlled Data

Theodosian's data-centric architecture protects controlled technical data at the source. Instead of relying on network perimeters or user training to prevent violations, every file enforces its own access policy - regardless of where it travels.

Encrypt: Per-File Encryption for Controlled Data
Every controlled file is individually encrypted with FIPS 140-3 validated AES-256 encryption. Even if someone gains access to your cloud storage, downloads the file, or emails it to the wrong person by accident, the file stays encrypted and unreadable without proper authorization. This supports the EAR § 734.18 encryption safe harbor for cloud storage.
Control: Deemed Export Prevention Through Context-Aware Policies
Every access request is evaluated against layered policy conditions before the file is ever decrypted: user identity, citizenship or residency status, device compliance, geographic location, time of day, etc. When a foreign national attempts to open a file that would constitute an unlicensed deemed export, access is denied and the attempt is logged. You get granular control over who can access what, under which conditions - enforced at the file level, not the network level.
Monitor: Continuous Audit Trail with Automated Response
Theodosian logs every access event - by humans and AI - with full context: identity, nationality, application, device, location, timestamp, and policy outcome. Meet EAR Part 762's 5-year record keeping requirement with audit evidence ready on demand for BIS reviews. When anomalous access patterns are detected, Theodosian can automatically revoke file access - stopping a potential violation in progress, not just recording it after the fact.
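The pre-decryption policy check and the audit record described under Control and Monitor, sketched as an added Python example. It is not Theodosian's code; the attribute names, license identifier, country placeholder "XX" and sample subjects are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass(frozen=True)
class Subject:
    identity: str
    kind: str                 # "human" or "ai" (non-human identity)
    nationality: str          # as asserted by HR / the identity provider
    foreign_person: bool      # assumed to be a vetted HR attribute
    licenses: frozenset = frozenset()

@dataclass(frozen=True)
class FilePolicy:
    classification: str               # label carried into the audit record
    allowed_locations: frozenset      # countries from which opening is permitted
    covering_licenses: frozenset      # licenses that authorize a release
    authorized_ai: frozenset = frozenset()

def evaluate(subject, policy, *, application, device_compliant, location, now=None):
    """Default-deny check run before any key is released; returns (allowed, audit_record)."""
    failed = []
    if subject.kind == "ai":
        if subject.identity not in policy.authorized_ai:
            failed.append("ai_not_authorized")
    elif subject.foreign_person and not (subject.licenses & policy.covering_licenses):
        failed.append("deemed_export_no_license")
    if not device_compliant:
        failed.append("device_noncompliant")
    if location not in policy.allowed_locations:
        failed.append("location_not_allowed")
    record = {"timestamp": (now or datetime.now(timezone.utc)).isoformat(),
              "identity": subject.identity, "nationality": subject.nationality,
              "application": application, "device_compliant": device_compliant, "location": location,
              "classification": policy.classification, "outcome": "deny" if failed else "allow", "failed": failed}
    return not failed, record

# Constructed sample data: every name, label and license id below is a placeholder.
CAD_POLICY = FilePolicy("CONTROLLED-SAMPLE", frozenset({"US"}), frozenset({"LIC-PLACEHOLDER"}))
ALICE = Subject("alice", "human", "US", False)
BORIS = Subject("boris", "human", "XX", True)
CARLA = Subject("carla", "human", "XX", True, frozenset({"LIC-PLACEHOLDER"}))
COPILOT = Subject("copilot-svc", "ai", "n/a", False)

def demo():
    """Run the page's scenarios against the sample policy; returns {case: outcome}."""
    ctx = dict(application="cad-viewer", device_compliant=True, location="US")
    cases = {"us_engineer": (ALICE, ctx), "foreign_unlicensed": (BORIS, ctx),
             "foreign_licensed": (CARLA, ctx), "ai_copilot": (COPILOT, ctx),
             "remote_abroad": (ALICE, {**ctx, "location": "XX"})}
    return {n: evaluate(s, CAD_POLICY, **c)[1]["outcome"] for n, (s, c) in cases.items()}
```

Every failed condition is written to the record rather than stopping at the first one, so a denied attempt shows the full reason set when the log is reviewed.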

Policies and Training Can't Prevent Violations - Technical Enforcement Can

The "status quo" approach to EAR compliance relies on people doing the right thing. But policies don't encrypt files, and training doesn't stop an engineer from sharing a controlled design with a foreign colleague over chat. Here's what actually happens - with and without technical enforcement at the file level.

Scenario: Engineer shares controlled design files with a foreign national colleague
Status Quo: Access is based on IT permissions, not export classification. No technical barrier prevents the deemed export. You may never know it happened.
Theodosian: Context-aware policies evaluate the recipient's nationality and clearance status. If the access would constitute an unlicensed deemed export, the file remains encrypted and inaccessible.

Scenario: Controlled technical data is uploaded to a shared cloud drive
Status Quo: Cloud storage is accessible to anyone with permissions - including foreign nationals and potentially the vendor. Encryption at rest protects from outsiders, but not from unauthorized internal access.
Theodosian: Per-file encryption ensures that even on shared cloud drives, only authorized users meeting all policy conditions (identity, nationality, device, location, etc.) can decrypt and access the file.

Scenario: A contractor in a foreign country needs access to project files
Status Quo: Files are emailed or shared via a cloud link. Once transmitted, you lose all control. No way to revoke access or prove the file wasn't further distributed.
Theodosian: Theodosian enforces access policies on the file itself. Access can be time-limited, geo-restricted, and revoked instantly. Every access attempt is logged with full context.

Scenario: AI tools or copilots access controlled technical data in your repositories
Status Quo: AI agents access everything the user has permissions to - regardless of export classification. Controlled data surfaces in AI-generated responses with zero visibility.
Theodosian: Theodosian enforces file-level access policies on non-human identities. Only explicitly authorized AI systems can access designated files. All others see ciphertext.

Scenario: BIS requests evidence of your export control program
Status Quo: You produce policies and training records. But you can't prove who actually accessed controlled data, when, or whether access was properly authorized.
Theodosian: Comprehensive audit trail: every access attempt by humans and AI, with identity, application, device, location, timestamp, and policy outcome. Evidence that your controls actually work.

Regulatory Alignment

Theodosian Directly Supports Your EAR Compliance Program

The EAR contains specific provisions that demand technical controls most organizations currently lack. Theodosian provides the enforcement layer that turns your compliance policies into verifiable, auditable controls.

15 CFR § 734.18 (Cloud Storage Encryption Safe Harbor)
The EAR provides that storing encrypted data in the cloud is not an "export" if the encryption meets certain standards and decryption keys aren't provided to foreign persons. Theodosian's FIPS 140-3 validated, per-file encryption with zero-knowledge key management directly supports this safe harbor, letting you use commercial cloud storage for controlled data.
15 CFR § 734.13 (Deemed Export Controls)
The release of controlled technology to a foreign person in the U.S. is a "deemed export." Theodosian enforces file-level access policies that evaluate user nationality and authorization status before granting access, preventing unlicensed deemed exports before they occur.
15 CFR § 762 (Recordkeeping Requirements)
EAR requires 5-year retention of export records, including deemed export documentation. Theodosian automatically logs every access event with user identity, nationality, device, location, timestamp, and policy outcome - creating the audit evidence BIS demands.
15 CFR § 744 (End-User & End-Use Controls)
The EAR prohibits exports to certain end-users (Entity List, Denied Persons List) and end-uses (weapons proliferation, military intelligence). Theodosian's context-aware policies can incorporate these restrictions, blocking file access by prohibited entities even when they have valid network credentials.

EAR Compliance That Deploys in Weeks, Not Months

While other organizations spend months assembling separate encryption, access control, and audit tools to build an export control program, Theodosian deploys in days with no data migration and no workflow disruption.

2–3 Days / Weeks to Deploy
Connect to your existing cloud storage and endpoints via API. No data migration, no workflow disruption. EAR controls start immediately.
70%+ Lower Cost
One platform replaces separate encryption, access control, and audit tools. No specialized export-compliant cloud infrastructure required.
100% File-Level Visibility
Every access event - by humans and AI - is logged with full context. Meet EAR Part 762 recordkeeping requirements automatically.
0 Workflow Disruption
Works with your existing SharePoint, Google Drive, Dropbox, and endpoints. Authorized users access files normally. Unauthorized access is blocked silently.

Also Subject to ITAR?

Many organizations handle both EAR-controlled dual-use items and ITAR-controlled defense articles. Theodosian enforces both regimes from a single platform - same encryption, same access policies, same audit trail. One solution for your entire export control program.

See our ITAR Compliance Solution

See How Theodosian Makes EAR Compliance Enforceable

Book a technical deep-dive to see file-level export control enforcement in action, or start a 2-week proof of concept in your environment.

Frequently Asked Questions
EAR Compliance Questions, Answered.

If your company develops, manufactures, or distributes technology, software, or products that have both commercial and potential military or national security applications, the EAR likely applies to you.

This includes semiconductors, encryption software, advanced sensors, telecommunications equipment, AI/ML models, specialty chemicals, and much more.

The Commerce Control List (CCL) covers 10 broad categories. Even items not on the CCL (classified as EAR99) are still subject to the EAR and may require a license depending on the destination, end-user, or end-use. When in doubt, consult with an export compliance professional or contact BIS directly.

A "deemed export" occurs when controlled technology or source code is released to a foreign national in the United States. Under the EAR, this is legally treated the same as physically shipping the item to that person's home country. If your engineering team includes foreign nationals who have access to controlled technical data - through shared drives, repositories, email, or even verbal discussions - you may be making unlicensed deemed exports without realizing it. Theodosian helps prevent this by enforcing access policies that evaluate the user's citizenship and authorization status before granting access to controlled files.

EAR § 734.18 provides that storing encrypted technical data in the cloud is not an "export" if the encryption meets certain standards and decryption keys aren't shared with foreign persons. Theodosian uses FIPS 140-3 validated AES-256 encryption on a per-file basis, with a zero-knowledge key management architecture. This means your cloud provider cannot decrypt your files, and decryption keys are never shared with unauthorized parties. This directly supports the encryption safe harbor, allowing you to use commercial cloud storage (SharePoint, Google Drive, Dropbox, etc.) for EAR-controlled data with confidence.

Absolutely! In fact, this is one of Theodosian's most valuable capabilities for EAR compliance. You can define file-level access policies that evaluate user attributes, including citizenship, residency status, and export license status. Authorized employees access files normally. When a foreign national attempts to access a file that would require an export license they don't have, the file remains encrypted and access is denied automatically. The attempt is logged for your records. This lets you maintain a diverse, global workforce while ensuring compliance at every file interaction.

ITAR (International Traffic in Arms Regulations) covers defense articles and services on the U.S. Munitions List, administered by the State Department. EAR covers commercial and dual-use items on the Commerce Control List, administered by the Commerce Department's Bureau of Industry and Security (BIS). Items can't fall under both simultaneously, but many organizations - especially in aerospace, technology, and advanced manufacturing - handle items subject to both regimes. Theodosian enforces both from a single platform: same encryption, same policy engine, same audit trail. You don't need separate tools for each regulation.

No. Theodosian connects to your existing SharePoint, Google Drive, Dropbox, network drives, and endpoints via API. There's no data migration required, no cloud platform change, and no workflow disruption. Protection is applied where your data already lives. Most organizations are operational within 2–3 weeks.

Yes. Theodosian logs access attempts with full context: user identity, nationality, application, device, location, timestamp, and policy outcome. You can generate compliance reports showing exactly who accessed controlled data, when, from where, and whether the access was properly authorized. This meets EAR Part 762 recordkeeping requirements (5-year retention) and provides the kind of evidence that demonstrates a robust, functioning export control program - not just a paper policy.

Theodosian treats AI systems as non-human identities subject to the same access policies as human users. You can block all AI tools from accessing controlled files, or selectively authorize trusted AI providers (such as an on-premises model or approved enterprise copilot) to access specific, non-controlled datasets. This is increasingly important as AI copilots and agents gain access to corporate repositories where controlled data may reside.