LET'S TALK
← All work
EAR 15 CFR §730-774ITAR 22 CFR §120-130EU 2021/821BIS AI rulesDeep Prototype

ExportControl — EAR/ITAR Classification

22 product features classified against US EAR (15 CFR §730-774) + ITAR (22 CFR §120-130) + EU Dual-Use Regulation 2021/821. Per-feature: ECCN (EAR99 / 5A002 / 5D002 / 5E002 / 3A090 / 4D090 / USML), license exception (ENC §740.17 / publicly-available §734.7), country deny list (E:1 + OFAC SDN), deemed-export risk.

ExportControl — EAR/ITAR Classification preview
Open live →

What it is

The shape behind every export-compliance program — Lockheed-Martin, Stripe, Anthropic, OpenAI. ECCN classification + license-exception eligibility + country deny list on one screen. The artifact the compliance officer pulls before shipping anything to a regulated jurisdiction or onboarding a foreign-national engineer.

What’s in it

  • 22 product features spanning the realistic SaaS surface:
    • EAR99 (default) — UI shell, sanctioned-party screening, OSS SDK on GitHub
    • 5D002 (encryption software) — REST API TLS, CMK, AES-256-GCM at rest, OAuth JWT, mobile SDK, mTLS, SAML, payment tokenization, custom AES key-wrap, PQC ML-DSA
    • 5D002.a (mass-market w/ notification) — end-to-end encrypted messaging
    • §734.7 publicly available — argon2id password hashing, TOTP/WebAuthn, HMAC webhook signing
    • 3A090 / 4D090 (BIS Oct 2023 + Jan 2025 AI/compute rule) — GPU-backed inference, foundation-model fine-tuning compute >1e23 ops
    • ITAR USML cat XI — defense-customer module with military training data
  • Per-feature breakdown:
    • ECCN + EU dual-use category
    • License exception (ENC §740.17(b)(1), §734.7, §734.3(b)(3), §734.13 deemed-export)
    • Country deny list (E:1: Crimea/DPRK/Cuba/Iran/Syria + Russia post-2022) + review list (China, UAE, Tier-2)
    • Deemed-export risk (foreign-national access to controlled tech)
    • Real classification rationale
  • Deemed-export flagging — 6 features carry foreign-national-access concerns under §734.13 (PQC research, ITAR module, advanced compute, custom crypto). Surfaced because this is the audit finding everyone forgets.

Why this shape

US EAR + ITAR + EU 2021/821 require every export-controlled feature to have a documented classification and license-exception eligibility. The BIS Oct 2023 + Mar 2024 + Jan 2025 advanced-compute / AI rules introduced 3A090 + 4D090 / 4E090 — new ECCNs that most SaaS compliance teams have not yet integrated. ExportControl prototypes that integration directly, with deemed-export risk surfaced for every row.

How it ships

Single HTML file, ~20KB. Zero dependencies. 22 features × ECCN × license-exception × deny-list math in 240 lines of vanilla JavaScript.

Open the tool →