Technology Export Control & Trade Compliance

Most trade compliance data providers aggregate public government lists, organize broadly available trade records, or scrape publicly available corporate registries. The result is screening data that covers published lists but misses the corporate relationships, affiliates, and end-use risk that regulators increasingly expect companies to identify. Kharon takes a fundamentally different approach: expert-led investigations that identify primary actors involved in restricted activities, map corporate relationships, source ownership linkages from primary documents, and verify entity data with subject matter expertise, not blind automation. Kharon’s data integrates directly into existing screening platforms — including e2open, Descartes Visual Compliance, and other trade compliance infrastructure — as the intelligence layer that makes screening decisions more defensible. Kharon's methodology aligns to regulatory red flag indicators — identifying risk entities and their networks before they appear on any published list. Where other providers tell you whether a name appears on a list, Kharon tells you whether an entity is connected to restricted parties, subject to end-use restrictions, or operating within a network that presents export control risk. All data is structured for machine readability, enabling AI and LLM-powered compliance systems to produce verifiable, source-grounded results rather than unattributed outputs.

The Bureau of Industry and Security (BIS) Entity List identifies foreign persons — including companies, research institutions, government organizations, and individuals — that are subject to specific license requirements for the export, reexport, or transfer of specified items. For technology companies, the Entity List is one of the most consequential compliance obligations: it restricts the sale of software, hardware, cloud services, AI tools, and other controlled technology to listed entities without a license. The list is updated frequently, with dozens of new additions in a typical cycle, and enforcement actions for violations can include denial orders, substantial civil penalties, and criminal prosecution. Kharon provides expert-verified data on Entity List parties, their affiliates, and their corporate networks — going beyond the published list to identify related parties that may present the same level of risk.

The BIS Affiliates Rule, finalized in 2025, extends Entity List and Military End-User List restrictions to entities that are 50% or more owned, in the aggregate, by one or more listed parties. This follows the same ownership calculation framework as OFAC’s longstanding 50 Percent Rule: direct and indirect ownership both count, and if multiple listed parents hold stakes in the same entity, their ownership percentages are aggregated. For technology companies, the practical effect is significant: screening against the published Entity List alone no longer captures the full scope of restricted parties. Companies must now understand the corporate family trees of listed entities to identify affiliates that may not be individually named but are subject to the same restrictions. The rule’s implementation was suspended for one year beginning November 10, 2025, following U.S.-China trade negotiations, with the suspension scheduled to end November 9, 2026. However, even during the suspension, BIS enforcement against diversion, shell structures, and front company schemes continues, and underlying export control obligations remain in effect. Kharon maps these affiliate relationships through expert investigation, providing the corporate hierarchy intelligence that standard screening tools do not cover.

A deemed export occurs when controlled technology or source code is released to a foreign national within the United States, effectively “exporting” it to that individual’s home country under Export Administration Regulations. For technology companies with multinational R&D teams — which describes most large technology firms — deemed export compliance is a significant operational consideration. Companies must determine whether the technology their foreign national employees access is controlled under the EAR, and if so, whether a license is required based on the employee’s country of citizenship. Kharon’s intelligence on entities, affiliations, and risk networks supports the due diligence that deemed export compliance programs require, particularly when assessing whether employees or collaborators have connections to restricted entities, military end users, or other parties of concern.

Cloud computing and SaaS products can fall under EAR export controls when they provide access to controlled technology, software, or technical data. The compliance challenge for cloud providers is that the “export” may not involve shipping a physical product — it occurs when a foreign person or entity accesses controlled functionality through a cloud service. This creates screening obligations at the point of access, not just at the point of sale. Technology companies offering cloud-based services must assess whether their platforms provide controlled capabilities, who their users are, and whether those users are connected to restricted entities or end uses. Kharon supports this assessment by providing verified intelligence on entities that may access cloud services across jurisdictions, including their corporate affiliations, end-use risk profiles, and connections to listed parties.

The Foreign Direct Product Rule extends U.S. export control jurisdiction to items produced outside the United States when those items are the direct product of specified U.S.-origin technology or software, or are produced by a plant or major component that is itself the direct product of U.S. technology. For technology companies, the FDPR has expanded significantly in recent years — particularly with respect to semiconductor manufacturing equipment, advanced computing, and AI-related technologies. The rule means that even non-U.S. subsidiaries or partners may face U.S. export control restrictions on items they produce if those items trace back to U.S.-origin technology. Compliance requires understanding not just your own supply chain and technology flows, but the broader network of entities that interact with your products downstream.

Military end use refers to the use of items in the development, production, operation, installation, maintenance, repair, overhaul, or refurbishment of military items — or the incorporation of items into military items. BIS maintains a Military End-User List identifying entities for which a license is required before exporting specified items. For technology companies, military end-use risk is particularly relevant for dual-use products — enterprise software, AI tools, semiconductor IP, and cloud services that have both civilian and military applications. Screening for MEU risk requires more than checking an entity against the MEU List; it requires understanding what the entity does, who it serves, and whether its operations involve military applications. Kharon provides expert-verified military end-use data and entity research that supports these determinations, going beyond list-based screening to assess end-use risk based on investigative intelligence.

Yes. Kharon is designed as the intelligence layer that enhances existing trade compliance infrastructure — not a replacement for it. GraphCast datasets integrate directly into screening platforms including e2open, Descartes Visual Compliance, and other compliance automation tools through standard data feed formats. The Kharon API enables deeper integrations for organizations that want to embed Kharon intelligence into custom workflows, case management systems, or automated decision engines. ClearView provides a standalone investigation interface for when screening hits require deeper assessment. Kharon’s Activation Network — a partner ecosystem that includes leading trade compliance and supply chain platforms — ensures that Kharon intelligence reaches compliance teams wherever they work.

The International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) represent two distinct U.S. export control regimes. ITAR, administered by the State Department’s Directorate of Defense Trade Controls (DDTC), governs defense articles and services on the U.S. Munitions List. EAR, administered by BIS, governs commercial and dual-use items on the Commerce Control List. For technology companies, the distinction matters because classification determines which regime applies, what license requirements exist, and what penalties apply for violations. Most enterprise technology falls under EAR, but technology companies that develop products with defense applications — or that incorporate defense-related technology — may also have ITAR obligations. The regulatory requirements, compliance programs, and penalties differ significantly between the two regimes. Kharon’s primary strength is EAR-related entity intelligence — BIS Entity List parties, their affiliates, military end users, and restricted entities that technology companies encounter most frequently. ITAR-relevant entity coverage is available and growing, though EAR is the core focus for technology sector workflows.

Export control violations carry severe consequences. BIS can impose civil penalties of up to $374,474 per violation or twice the value of the transaction, whichever is greater, as well as denial of export privileges. Criminal penalties can include fines of up to $1 million per violation and imprisonment of up to 20 years. Recent enforcement demonstrates that BIS actively pursues technology companies: in July 2025, Cadence Design Systems agreed to pay over $140 million to resolve charges for providing access to chip design software to a restricted Chinese military university. For technology companies, the risk extends beyond financial penalties — a denial order effectively prevents a company from exporting controlled technology, which for a global software or cloud company can constitute an existential business threat. Kharon helps technology companies reduce this exposure by providing the verified intelligence that supports defensible compliance decisions.

Technology companies are increasingly applying AI and automation to export compliance workflows — from automated screening and classification to AI-assisted investigations and risk scoring. The challenge is that AI systems are only as reliable as the data they consume. Models trained on algorithmically generated or unverified compliance data can amplify errors at scale. Kharon’s data is designed for this environment: expert-verified, structured for machine consumption, and readable by AI and LLM-powered systems to ground results in a reliable source of truth. As compliance teams adopt AI tools for screening automation, investigation support, and regulatory monitoring, the quality and verifiability of the underlying intelligence becomes the critical differentiator between AI that reduces risk and AI that creates new exposure.

Yes. Technology companies that manufacture hardware or source components — including semiconductors, printed circuit boards, rare earth elements, and electronic assemblies — face supply chain forced labor risk under the Uyghur Forced Labor Prevention Act (UFLPA) and the EU Forced Labour Regulation. UFLPA creates a rebuttable presumption that goods mined, produced, or manufactured in whole or in part in the Xinjiang Uyghur Autonomous Region are made with forced labor and are prohibited from U.S. import. For technology companies, this risk often exists at the sub-tier level — in the suppliers of their suppliers — making visibility into the full supply chain essential. Kharon provides verified intelligence on supply chain entities and their connections to forced labor risk, supporting the due diligence that CBP and EU enforcement agencies require.