Security
Security & Data Privacy
ITAR Screen handles sensitive product descriptions and compliance records. Here is how we protect them.
Encrypted at rest: AES-256
Immutable records: Write-once screening log
10-year retention: 22 CFR §122.5
US infrastructure: Railway US regions
Infrastructure
Where your data lives
All ITAR Screen data is hosted on Railway infrastructure in the United States. We do not use servers outside the US, and we do not replicate classification records to international regions.
Data at rest is encrypted using AES-256. All data in transit is protected by TLS 1.3. Database credentials and API keys are stored as environment secrets — never in source code or logs.
Railway operates on AWS US infrastructure, providing enterprise-grade availability with managed failover and automated daily backups.
Screening record
Screening record retention — 10 years
Every classification is stored as an immutable record. Once created, a classification record cannot be edited or deleted — not by you, not by us. This write-once model ensures that your screening record is tamper-evident and reflects exactly what was screened, when, and what the screening result was.
Records are retained for a minimum of 10 years, consistent with ITAR recordkeeping obligations under 22 CFR §122.5, which requires U.S. persons to maintain records of exports for five years (with best-practice guidance often citing 10 years for covered transactions).
Each record includes: full product description, USML screening result, USML category citation, risk level, EAR cross-check, AI reasoning narrative, and the version of the USML reference text in use at the time of classification.
Data isolation
Your classification data stays yours
Classification records are strictly isolated by account. No data from your account is visible to or accessible by any other customer — at the database level, API level, or application level.
We do not use your classification data to train or fine-tune AI models. Your product descriptions and the results associated with them are used solely to provide the service to your account.
ITAR Screen employees do not have routine access to your classification records. Support staff can access records only with explicit customer permission and a logged support ticket.
SOC 2
SOC 2 Type II
A SOC 2 Type II assessment is planned and in progress. Upon completion, the report will be available under NDA for enterprise customers and prospects conducting vendor security reviews.
In the interim, enterprise customers can request our security questionnaire response and infrastructure documentation directly at security@itarscreen.com.
Incident response
Security incidents
If you discover a potential security vulnerability or suspect unauthorized access to your ITAR Screen account, contact our security team immediately at security@itarscreen.com. We respond to security reports within 24 hours and to confirmed incidents within 4 hours.
In the event of a confirmed breach affecting customer data, affected customers will be notified within 72 hours, consistent with applicable data protection regulations.
Security questions?
Contact our security team at security@itarscreen.com