Export Compliance

1. Overview

Tereda Software LLC ("Tereda Labs," "we," "us," or "our") is committed to full compliance with all applicable United States export control laws and regulations. We are a software engineering firm registered in Connecticut, USA, delivering custom platforms, AI/ML systems, and IT modernization services to federal, state, and commercial clients. Our products and services are commercial technology subject to the jurisdiction of the Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS), U.S. Department of Commerce.

This page describes our export compliance program as it applies to the software, technical data, and technology we develop and deliver. It is intended to provide transparency to our clients, partners, and prospective customers regarding how we manage export control obligations in the normal course of business.

Tereda Labs does not manufacture, export, or broker defense articles, defense services, or items on the United States Munitions List (USML). Our products and services are not subject to the International Traffic in Arms Regulations (ITAR) administered by the Directorate of Defense Trade Controls (DDTC), U.S. Department of State. We are not registered with the DDTC, and we do not hold any ITAR manufacturing or export licenses. Our export compliance obligations fall exclusively under the EAR and related Commerce Department regulations.

We build software — custom platforms, data systems, AI/ML capabilities, and enterprise applications. We do not manufacture hardware, weapons systems, munitions, or any items requiring ITAR licensing. This distinction is fundamental to our export compliance posture and informs every aspect of the program described below.

2. Regulatory Framework

Our export compliance program operates within the regulatory framework established by the Export Administration Regulations (EAR), codified at 15 CFR Parts 730–774, and administered by the Bureau of Industry and Security (BIS), U.S. Department of Commerce. The EAR governs the export, re-export, and in-country transfer of commercial and dual-use items, including software and technology.

Under the EAR, our software products are generally classified as EAR99 — items that are subject to the EAR but are not specifically listed on the Commerce Control List (CCL). EAR99 items are eligible for export to most destinations and end-users without an individual export license, subject to certain prohibitions related to sanctioned countries, embargoed destinations, and restricted end-users or end-uses.

Where our products incorporate functionality that may warrant classification under a specific Export Control Classification Number (ECCN) on the Commerce Control List, we perform the appropriate classification analysis and apply the corresponding license requirements and license exception eligibility. This is most commonly relevant for products incorporating encryption functionality, which may fall under Category 5, Part 2 of the CCL.

We also comply with the economic sanctions programs administered by the Office of Foreign Assets Control (OFAC), U.S. Department of the Treasury, and ensure that our transactions do not involve sanctioned countries, regions, entities, or individuals prohibited under OFAC regulations.

3. Classification Practices

Tereda Labs classifies all software products and technical data prior to export or transfer. Classification is performed by evaluating the technical characteristics of each product against the Commerce Control List (CCL) and applicable ECCN parameters. Our classification process follows the decision tree established in 15 CFR Part 738 (Supplement No. 4) and the product-group analysis methodology described in 15 CFR Part 774.

Most of our commercial software products are classified as EAR99. These are items subject to the EAR that do not have a specific ECCN on the Commerce Control List. EAR99 products do not require an individual export license for most destinations, end-users, and end-uses, and can generally be exported under the "No License Required" (NLR) designation.

Where products incorporate controlled encryption technology, we evaluate classification under Category 5, Part 2 of the Commerce Control List. For mass-market encryption software that meets the criteria defined in Note 3 to Category 5, Part 2 of the CCL, we utilize License Exception ENC (15 CFR § 740.17) where available. This includes submitting classification self-assessment reports and encryption registration as required under ENC provisions.

Classification determinations are documented and retained as part of our export compliance records. Where classification is uncertain, we engage with BIS through the commodity classification request (CCATS) process to obtain an official determination.

4. Screening Procedures

All transactions, customers, and end-users are screened against the U.S. government's restricted and denied party lists prior to engagement. We do not proceed with any transaction where a screening match indicates a prohibited party, destination, or end-use, unless a specific license or authorization has been obtained.

Our screening program covers the Consolidated Screening List (CSL) maintained by the U.S. government, which includes the following component lists:

• Entity List — 15 CFR Part 744, Supplement No. 4 (BIS). Parties for which a license is required for specified items due to activities contrary to U.S. national security or foreign policy interests.
• Denied Persons List — Individuals and entities denied export privileges by BIS. All transactions with denied persons are prohibited regardless of the item being exported.
• Specially Designated Nationals and Blocked Persons List (SDN) — Maintained by the Office of Foreign Assets Control (OFAC), U.S. Department of the Treasury. Includes individuals and entities owned or controlled by, or acting for or on behalf of, sanctioned countries and designated parties.
• Unverified List — 15 CFR Part 744, Supplement No. 6 (BIS). Parties for which BIS has been unable to verify the bona fides of the end-user in prior transactions, requiring additional due diligence.
• Military End-User List (MEU) — 15 CFR Part 744, Supplement No. 7 (BIS). Entities determined to be military end-users in specified countries, requiring a license for items specified in Supplement No. 2 to Part 744.

Screening is performed at three stages: prior to engagement (during customer onboarding and proposal evaluation), at delivery (before any software, technology, or technical data is transferred), and periodically for ongoing relationships (to detect changes in a party's restricted status during the course of an engagement). Screening results are documented and retained as part of our compliance records.

5. Cloud Computing & Deemed Exports

The release of controlled technology or source code to a foreign national within the United States constitutes a "deemed export" under the EAR (15 CFR § 734.13). Similarly, the storage of or access to controlled technology on cloud infrastructure located outside the United States, or accessible by foreign nationals, may constitute an export or deemed export requiring authorization.

Tereda Labs treats cloud-hosted data and technology as exports in accordance with BIS guidance. We maintain controls to ensure that access to controlled technology via cloud platforms does not constitute an unauthorized deemed export. Our cloud computing controls include:

• US-hosted infrastructure — All production infrastructure is hosted within the continental United States. We do not process or store client data or controlled technology in data centers located outside US sovereign territory.
• Access restrictions — Where engagement terms require, access to controlled technology and source code is restricted to US persons as defined in the EAR (US citizens, lawful permanent residents, and protected individuals). Access controls are enforced through identity verification, role-based access control, and geographic access restrictions.
• End-to-end encryption — Controlled technology stored in cloud environments is encrypted at rest and in transit, with encryption keys managed within the United States and accessible only to authorized US persons where required by the nature of the data.

We evaluate deemed export risk as part of our standard engagement onboarding process and implement appropriate controls based on the classification of the technology involved and the nationality of individuals who will have access.

6. Encryption Controls

Many of our software products incorporate encryption functionality for data protection, authentication, and secure communications. Encryption items are subject to specific export controls under Category 5, Part 2 of the Commerce Control List, and we manage these controls through the following practices:

Mass-market encryption qualification — Software products that incorporate standard, widely available encryption (such as TLS 1.3, AES-256, RSA, and similar algorithms implemented through standard libraries) are evaluated for mass-market encryption classification. Products meeting the criteria defined in Note 3 to Category 5, Part 2 of the CCL qualify for export under License Exception ENC (15 CFR § 740.17), which permits export to most destinations without an individual export license.

Classification self-assessments — We perform encryption classification self-assessments for all products incorporating encryption functionality, evaluating each product against the technical parameters of Category 5, Part 2 ECCNs (including 5D002 for encryption software and 5E002 for encryption technology). These assessments determine the applicable ECCN, available license exceptions, and any reporting obligations.

ENC semi-annual reports — Where required by the terms of License Exception ENC, we file semi-annual self-classification reports with BIS and the ENC Encryption Request Coordinator, documenting the encryption products we have exported and the applicable ENC paragraph under which each export was authorized. Reports are filed in accordance with the format and schedule specified in 15 CFR § 740.17(e).

Our encryption controls are designed to ensure that the cryptographic capabilities embedded in our products are properly classified, appropriately authorized for export, and documented in compliance with all applicable BIS reporting requirements.

7. Compliance Program

Tereda Labs maintains a formal export compliance program designed to ensure systematic adherence to all applicable export control laws and regulations. Our program is structured around the following elements:

• Designated export compliance responsibility — Export compliance oversight is assigned to a designated responsible party within the organization who maintains current knowledge of EAR requirements, BIS guidance, OFAC regulations, and changes to the regulatory landscape that affect our obligations.
• Classification determination before export — No software, technical data, or technology is exported, re-exported, or transferred before a classification determination has been made and documented. This applies to all forms of export, including electronic transmission, cloud access, and physical media.
• Restricted party screening — All transactions are screened against the Consolidated Screening List and applicable denied/restricted party lists as described in Section 4 of this page. No transaction proceeds where a positive match is identified without resolution.
• Record retention — Export compliance records — including classification determinations, screening results, license exception eligibility assessments, and export transaction documentation — are retained for a minimum of five (5) years as required by 15 CFR § 762.6. Records are maintained in a manner that permits retrieval and production to BIS upon request.
• Employee training — Personnel involved in the development, delivery, or transfer of controlled technology receive training on export control obligations, including recognition of red flags indicating potential diversion, deemed export awareness, and procedures for escalating compliance questions.
• Periodic self-assessment and audit — We conduct periodic internal reviews of our export compliance program to identify gaps, assess the effectiveness of existing controls, and implement corrective actions. Self-assessments cover classification accuracy, screening completeness, record-keeping adequacy, and adherence to license exception conditions.

In the event that we identify a potential violation of export control regulations, we are committed to timely voluntary self-disclosure to the appropriate government agency (BIS or OFAC) in accordance with the procedures established in 15 CFR Part 764 (for EAR matters) or applicable OFAC guidance.

8. Contact

For questions about our export compliance program, the classification of specific products, or to request export compliance documentation in connection with a procurement or engagement, contact:

Export compliance inquiries: [email protected]

Tereda Software LLC
Connecticut, USA