Export Regulations

This page provides detailed information on the export control status of the Sufficiently Secure’s products, as well as pointers to the open source code from which those products are built.

Exporting Sufficiently Secure Apps

Sufficiently Secure (SC) is an open-source project based in Germany. All of our products are developed via online collaboration in public forums and distributed via Google Play, which is based in the U.S., and F-Droid, which is based in England. Due to distributions via Google Play, U.S. export laws and regulations apply to our distributions and remain in force as products and technology are re-exported to different parties and places around the world. Information on export control classifications and associated restrictions may be required for exporting, re-exporting, record keeping, bundling/embedding of SC products, encryption reporting, and shipping documentation. More information on U.S. Export Regulations can be found at http://www.bis.doc.gov/.

The Bureau of Industry and Security (BIS), a branch of the U.S. Department of Commerce, regulates exports through the Export Administration Regulations (EAR). The regulations describe the export rules and restrictions on a wide range of commodities, technologies, and software. This document is no substitute for understanding those regulations; the SC cannot anticipate how they might apply to third party distributions or for specific export decisions made by those parties. End-user, end-use and country of ultimate destination may affect export licensing requirements.

Below is a general listing of SC software products and their source links for which we have determined an export classification for that product as distributed by the Sufficiently Secure. The matrix is to be used in conjunction with the EAR to provide classification information in order to assist exporters in the export of SC products and to provide guidance to BIS employees that seek the source code for SC products. All export classification information contained in the matrix is subject to change without notice.

Embargoed Destinations

SC software and/or technical data may NOT be exported/reexported, either directly or indirectly, to any destination subject to U.S. embargoes or trade sanctions unless formally authorized by the U.S. Government. Note that said embargoed destinations are subject to change and the scope of what technology is included in the embargo is specific to each embargoed country. For the most current information on U.S. embargoed and sanctioned countries, see the U.S. Export Administration Regulations and Treasury Department regulations.

Denied Parties List

U.S. export regulations require that all international and domestic transactions be screened against the U.S. Government listing of prohibited end users. Shipments to certain individuals, organizations, or institutions who have violated U.S. export laws are prohibited. The United States government maintains export prohibited lists, including but not limited to the Treasury Department’s Specially Designated Nationals List and Commerce Department’s Entity and Denied Persons Lists.

SC Product Classification Matrix

The Sufficiently Secure (SC) makes NO WARRANTY or representation that the information contained in the SC Product Classification Matrix is accurate, current, or complete. It is your obligation as the exporter to comply with the current applicable requirements of United States export rules and regulations. Any use of such information by you is without recourse to the SC and is at your own risk. The SC is in no way responsible for any damages, whether direct, consequential, incidental, or otherwise, suffered by you as a result of using or relying upon such information for any purpose.

Each SC product is classified with an Export Control Classification Number (ECCN) if it is believed to correspond to an entry in the Commerce Control List (CCL) and subject to the EAR. All SC software is published in a publicly available source code form. Since publicly available software is only subject to the EAR when it is classified as ECCN 5D002 or 5D992 , all SC software product versions that do not fit those two classifications are noted as ECCN “n/a” (not applicable) or not included in the matrix.

Products classified as ECCN 5D002, are exported by the SC under the TSU exception in EAR 740.13(e), which applies to software containing or designed for use with encryption software that is publicly available as open source. Exception TSU further provides that “Posting encryption source code and corresponding object code on the Internet (e.g., FTP or World Wide Web site) where it may be downloaded by anyone neither establishes “knowledge” of a prohibited export or reexport for purposes of this paragraph, nor triggers any “red flags” necessitating the affirmative duty to inquire[…]”. Note that exporters other than the SC within the US may or may not be eligable for exception TSU, and it is each specific exporter’s responsibility to understand and comply with all export regulations applicable within their jurisdiction.

Product Name Versions ECCN Controlled Source
OpenKeychain all 5D002 OpenKeychain: https://github.com/open-keychain/open-keychain