ITAR Compliance Software
ITAR compliance software for defense manufacturers. US-only data residency, US-persons access controls, and audit trails for controlled technical data.
ITAR technical data sits in your ERP right now, and one foreign national viewing a controlled drawing is a deemed export with penalties up to $1.1M per access. WorkCell is ITAR compliance software built for defense manufacturers — US-only data residency, US-persons-only support, USML-aware document controls, and the audit trail DDTC expects when they ask. Treat it as the ITAR compliance layer under your existing quality, engineering, and shop floor work.
Cloud ERP With Foreign Support Staff
Your SaaS vendor's support and infra teams sit in India, Ireland, or the Philippines, which means every time they touch the database on your behalf, a foreign person is accessing ITAR technical data.
No Way to Enforce US Persons Only
Your ERP has user accounts but no concept of citizenship, so a single onboarding mistake puts a foreign national inside controlled technical data without any export control catching it.
Data Residency Audits You Can't Pass
A prime asks where your drawings, backups, and DR copies physically live and who can reach them, and your current vendor can't produce a clean US-only answer in writing.
Losing A DoD Program Over The Stack
Security reviews from primes now reject non-compliant SaaS outright, and an ITAR-ineligible ERP is enough to disqualify you from the flowdown on a $10M subcontract.
US-Only Data Residency
ITAR workloads run in a dedicated US-region environment with no foreign replication, backup, or support access, which is the baseline any ITAR ERP has to meet.
US Persons Access Enforcement
Every user carries a citizenship status tied to documented I-9 or green card verification, and ITAR-restricted records are blocked for anyone not flagged as a US person.
USML-Aware Document Marking
Mark drawings, specs, BOMs, and routings as ITAR or EAR controlled with the USML category or ECCN at the document level, so the software hides and labels them consistently across search, export, and print.
Deemed Export Audit Logs
Every view, download, print, and edit against a controlled document is logged with user, citizenship status at time of access, timestamp, and IP, ready to hand to DDTC or a prime.
Controlled Backups And Disaster Recovery
Snapshots, backups, and DR copies of ITAR data stay inside the US-only boundary with the same access controls as production, so an outage never becomes an unauthorized export.
US-Staffed Support And Administration
Every engineer, support rep, and database administrator with access to your tenant is a US person on US soil, which removes the deemed export exposure most cloud ERPs carry by default.
Maximum DDTC civil penalty per ITAR violation, adjusted annually for inflation and counted per document, per access, per day
22 CFR 127.10, DDTC Civil Monetary Penalty Adjustments
Honeywell consent agreement with DDTC in 2021 for unauthorized exports of technical drawings covering F-35, F-22, B-1B, and Apache parts to China, Taiwan, Canada, Ireland, and Mexico
US State Department DDTC Consent Agreement
Maximum criminal prison sentence per willful ITAR violation under the Arms Export Control Act, plus criminal fines up to $1M per violation
22 USC 2778(c)
Engineering
Drawings, CAD files, specs, and ECOs inherit the ITAR flag on release and propagate controlled status to every BOM, routing, and work order that references them.
Quality
Inspection plans, first articles, and nonconformance records for ITAR parts stay inside the controlled partition so quality engineers see only the work they're cleared for.
Shop Floor
Operators running ITAR work orders are verified as US persons before the router opens, and every view is logged against the operator badge.
What is ITAR compliance software?
ITAR compliance software is any system that stores, transmits, or provides access to ITAR-controlled technical data and enforces the State Department's export control rules around it. In practice that means US-only data residency, US-persons-only access and support, document-level controlled data marking against the US Munitions List, and deemed export audit logs that let you prove who saw what and when.
Do I need ITAR compliance if I'm a sub-tier defense manufacturer?
If you manufacture, handle drawings for, or furnish services related to anything on the US Munitions List, yes. DDTC registration and ITAR obligations flow down from the prime to every sub-tier that touches the technical data, regardless of company size, and your customer will require written confirmation before they release drawings.
Is a generic SaaS ERP ITAR compliant out of the box?
Almost never. Most cloud ERPs replicate data to non-US regions, use foreign support staff who can touch production data, and have no concept of US-persons access at the record level. Unless the vendor has a dedicated ITAR tenant with US-only infrastructure, US-person support, and citizenship-aware access controls, assume it's not ITAR compliant.
What is US persons access under ITAR?
A US person under ITAR is a US citizen, lawful permanent resident (green card holder), or protected individual under 8 USC 1324b(a)(3). US persons access means only those users can view, download, or otherwise touch ITAR technical data — and any release to a foreign person, even one standing in your US office, is a deemed export requiring a DDTC license.
What counts as technical data under ITAR?
Technical data is any information required to design, produce, repair, or modify a defense article on the US Munitions List. That includes drawings, 3D models, CAD files, specs, work instructions, inspection plans, process data, and source code. If it describes how to build or maintain the controlled item, ITAR covers it.
How does ITAR differ from EAR compliance?
ITAR is administered by the State Department's DDTC and covers defense articles and services on the US Munitions List. EAR — the Export Administration Regulations — is administered by the Commerce Department's BIS and covers dual-use items on the Commerce Control List, tagged with ECCNs. Many defense manufacturers handle both, and a single ERP has to mark, segregate, and log access for each.
Run ITAR workloads without betting the company on your ERP.