This is the Counsel's Desk, on Terms.Law Radio. Ninety two point five. This is the Washington to Contract report. Tonight's briefing: export controls are no longer a factory floor problem. If you run a SaaS product, an API, or a developer platform, United States export law can reach your customer list, your access controls, and your uptime. Four sections tonight: what the law reaches, who you let in, where you serve, and what happens when a supplier goes dark. Treat this one as a checklist. Section one. What the law reaches. Two regimes matter for a software business, and they work differently. The first is export controls proper, the rules that govern sending controlled software and technology out of the country. The word sending does heavy lifting here: for software, an export can be a download, an API response, or giving a foreign national access to controlled technology even inside the United States, which practitioners call a deemed export. Encryption functionality is a classic trigger, which is why even ordinary commercial software often carries an export classification. The second regime is sanctions, which is not about what the product is but about who the customer is and where they are. Dealing with listed persons, or providing services into embargoed territories, is prohibited regardless of how harmless the product looks. Different regimes, different agencies, one operational consequence: a software company needs to know its product's classification and its customers' identities, and many companies know neither until someone official asks. Section two. Who you let in. Customer screening, and the contract terms that make it workable. Operationally, screening means checking customers against the government's restricted party lists at signup and periodically afterward, because the lists change. Commercial screening tools do this for a subscription fee that is small next to a single violation. Contractually, four provisions earn a place in your terms of service. One, a customer representation: the customer is not a restricted party, is not owned or controlled by one, and will not use the service on behalf of one. Two, an end use representation: the service will not be used for prohibited purposes, and the customer will provide end use information on reasonable request. Three, and this is the load bearing one, a suspension right: you may suspend or terminate access immediately, without liability and without service credits, where you determine in good faith that continued service may violate export or sanctions law. Four, a clear statement of what happens to prepaid fees on a compliance termination, because otherwise you will be litigating that question at the worst possible time. Without the suspension right, a flagged customer forces an ugly choice: break the law or breach the contract. Write the exit before you need it. Section three. Where you serve. Geography restrictions. The operational tools are IP based blocking of embargoed territories, payment screening, and address verification at onboarding. None of them is perfect. VPNs exist, and the legal standard has never been perfection; it is a risk based program, honestly implemented and documented. Documented is the operative word. A company that blocks embargoed regions, keeps logs, and responds when signals suggest evasion is in a very different posture from a company that never thought about the question. In the contract, reserve the right to restrict service by geography, require accurate location information, and treat circumvention, including VPN use to defeat geographic controls, as a terminable violation. And a quiet word about marketing: a sales page boasting availability everywhere on earth reads differently in an enforcement file. Say available in supported regions, and keep the list current. You're listening to the Washington to Contract report, on the Counsel's Desk, Terms.Law Radio. Section four. When a supplier goes dark. Everything so far has been about you restricting your customers. Now flip the telescope, because you are somebody's customer too, and this is where June comes in: when export controls attached to Claude Fable 5, an entire customer base lawfully lost access for nineteen days, and most of the affected contracts offered no recourse at all. That is the vendor shutdown scenario, and after this spring it is no longer hypothetical. Your vendor agreements, especially for AI models, cloud infrastructure, and any component with an export classification, should answer four questions. Can the vendor substitute a comparable service if the primary one becomes legally unavailable? Can you export your data and configurations during a suspension, not just after termination? At what number of days of legal interruption does your termination right ripen, and do prepaid fees come back prorated? And does the vendor owe you notice, prompt, specific, and in writing, when a government action affects the service? If the answers are no, no, never, and silence, you have found this quarter's negotiation agenda. The compact version of tonight, four lines. Know your product's export classification, even if the answer is that it has none. Screen your customers against the restricted lists, at signup and on a schedule. Block, log, and document your geography controls, and reserve the contract rights that let you enforce them. And read your own vendor agreements the way June taught everyone to: the question is not whether your supplier is careful. The question is what you can lawfully do while your supplier is dark. Two additions for companies a step deeper in. If you employ foreign national engineers and your technology carries a meaningful export classification, the deemed export rules can reach internal access decisions, so your access control matrix is part of your compliance program, not just your security program. And if you are drafting a master services agreement this quarter, put export compliance in both directions: the customer represents its status and end use, and you commit to lawful screening rather than to open ended availability. Mutual honesty in the paper beats mutual surprise in the audit. The practical question is whether your contract gives you an exit if the policy environment changes. The Terms.Law analyst and the related contract checklists are at terms dot law. The fine print. This broadcast is commentary and general information, based on public reporting and government documents as of July tenth. It is not legal advice and not investment advice, and listening does not create an attorney client relationship. Export and sanctions rules move fast and carry real penalties, so verify current requirements with qualified counsel before you act. I'm the AI voice of Terms.Law Radio. The analysis belongs to Sergei Tokmakov, California attorney. Stay tuned, stay skeptical, and screen before you ship. Good night.