The US Department of Commerce, Bureau of Industry and Security (BIS) recently released a redacted Advisory Opinion dated November 13, 2014 that confirms for cloud-based software vendors (or Software as a Service providers) that allowing access to export controlled software for use only in the cloud (or on servers) does not constitute an export of that software to the user.
This completes the picture of how SaaS providers can legally deliver cloud-based computing and storage services to parties outside the borders of the country where the servers are located without triggering export authorization requirements.
This is the third Advisory Opinion from BIS clarifying the application of the Export Administration Regulations (EAR) to SaaS providers and cloud-based service and storage solution providers. These opinions include the following:
January 13, 2009: Application of the EAR to Grid and Cloud Computing Services
– Grid and cloud computing services, including the provision of computational capacity, are not themselves subject to the EAR as long the service provider does not actually export controlled software or technology.
– The service provider is not the exporter of any transfers of technology or software that are initiated by the user of the grid and cloud computing services. This means the SaaS provider does not have to police the activity that is occurring on its servers; however, it will still be held to the “knowledge” that it does have.
January 11, 2011: Cloud Computing and Deemed Exports
– Building on the above opinion, BIS confirmed that permitting a foreign national to monitor and maintain a cloud service provider’s servers and software does not constitute a “deemed export” to the foreign national of the customer/user content present on the cloud servers.
– Access by a foreign national to controlled software or technology (“deemed export”) other than the user content would still be subject to the EAR and could require an export license.
November 13, 2014: Cloud-based Storefronts
– This opinion confirms the concept that providing user access to SaaS services, where the user of the services does not download executable software, but merely operates the software as a service “in the cloud” or on a server, does not constitute an export of the software to the user.
– BIS confirmed that “[b]ecause there is no export of software, there is no basis for a license requirement.”
These interpretations offer cloud computing and SaaS providers an effective safe harbor in which to conduct activities without export licenses for the software provided for use to customers or for the content that users may export from its servers. Cloud computing and SaaS providers still must screen the parties with which they do business and ensure that they are not making exports on their own account (“deemed” or otherwise) without a license when required.
The above summary is greatly simplified to convey a general understanding of the EAR and agency interpretations. Specific application of these interpretations to a service provider should incorporate careful analysis of the EAR and the advisory opinions in light of the specific activities contemplated.