Does using auth0 for an iOS app meet "Export Compliance Information" encryption requirement

I asked support the same question a couple of weeks ago and I still don’t have a clear and justified statement, although they say using auth0 should be considered exempt. If I receive anything I’ll update the topic.
I assume there are many iOS apps using auth0 and I could imagine all of them have been challenged against the US export laws, which is basically why the export compliance information is required. And yet - I can’t find anything straight and clear about whether using auth0 for an iOS app meets the “Export Compliance Information” encryption requirement. Has anyone dealt with this challenge before and what was your approach?

Hey there @todorolev !

It’s actually the first time I think somebody is asking about it precisely but let me reach out to our Product team regarding that and see what’s their view on that. As soon as I get the information I’ll make sure to relay it here. Thank you!

Hey there @todorolev !

I discussed it with our Product Team and they are sure that we comply with these requirements as they are quite non-negotiable. I’m confirming it with our Legal team now.

Thanks Konrad!
Please share if you have any further update from the legal team.

Hey there @todorolev !

Our Legal team asks if you have any additional context to help us understand your question, because apart from what I already shared from our Product team, I also talked with our Engineering teams and they said that all SDKs that we release are compliant with such laws.

Thanks, Konrad!

All iOS apps must provide export compliance information because of the US export laws. This information is provided by answering a few questions regarding the use of encryption in the app, including any third parties and, if necessary, uploading some relevant documentation regarding the particular case of encryption. Providing the export compliance information could be skipped if no encryption is used or if the use of encryption can be considered exempt (e.g. HTTPS calls). Here is some more information from Apple: Apple Developer Documentation
Taking this into account, I need to either state that using auth0 is exempt from the export compliance documentation requirements or to provide the necessary documentation. Since this is a mandatory step for each iOS app, it would be helpful if there was an official statement from auth0 regarding the cases where using it as a third party can be considered exempt as well as the cases where documentation needs to be provided, ideally with some guidance about how to prepare this documentation. This statement or guide could be placed in a convenient and easy to access place, e.g. in Get Started with iOS Authentication using Swift and UIKit.
For my particular case, I don’t think there is any encryption in the app coming from auth0, other than the communication via HTTPS, because I expect that if there was some, I would have had to deal with encryption keys (and I don’t have to).

Regards,
Todor

Gotcha, thank you for all that context! Let me circle back again with the team on that!

I just got told by the team that they already shared with you the newest update from the compliance team in the Salesforce ticket they have with you.
