Sending or otherwise making available, export-controlled information to a foreign national, either in or outside of the United States territory is an export.  Similarly, storing export-controlled information on a cloud computing server or other third-party server that is located in a foreign country or accessible by foreign nationals is an export.

It is the responsibility of the user to ensure that no export-controlled technology or technical data is stored on a third-party server (e.g., Amazon Web Services (AWS), Google Apps, etc.) or other cloud computer server, located in a foreign country or accessible by foreign persons (including the cloud provider's foreign IT administrators).  AWS and Google Apps have explicitly stated 

1. Data stored in their cloud products may be housed in a foreign country, and 
2. Employees with permission to the data held in these cloud services may be foreign nationals. 

The user is responsible and can be liable for violation of any U.S. export laws. To avoid this, please see the recommendations listed on the Export Control webpage and IT@Cornell’s Regulated Data Chart.

IT Cornell’s Regulated Data Chart defines Cornell’s approved software tools and whether the use of the tool is permitted, restricted, or prohibited when using regulated data.

If you have questions about whether information is export-controlled or would like clarification on a specific situation, please email the Export Control Office.